Windows Analysis Report
SetupSuite_21.8_win64_86_sm.exe

Overview

General Information

Sample name: SetupSuite_21.8_win64_86_sm.exe
Analysis ID: 1434176
MD5: ddda012671f0ca2ca213060073b063e2
SHA1: 462783a60146a405f20bba176c4d5f95bf5f785c
SHA256: 61b02846fae730a5b900745cf6fb113993254268609542a5a00404fe9ca985f2

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SetupSuite_21.8_win64_86_sm.exe (PID: 4444 cmdline: "C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe" MD5: DDDA012671F0CA2CA213060073B063E2)
    • cmd.exe (PID: 3092 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 1360 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
        • WerFault.exe (PID: 3504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 460 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199658817715", "https://tufure.xyz"]}
Source | Rule | Description | Author
  • RazerInstaller.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
  • C:\Users\user\AppData\Local\Temp\ejhooxmigi | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
  • 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
  • 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
  • Process Memory Space: cmd.exe PID: 3092 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
  • Process Memory Space: explorer.exe PID: 1360 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
  • 2.2.cmd.exe.33700c8.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
  • 2.2.cmd.exe.33700c8.1.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

Source: Process started
Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3092, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 1360, ProcessName: explorer.exe
No Snort rule has matched

AV Detection

Source: SetupSuite_21.8_win64_86_sm.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\ejhooxmigi | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199658817715", "https://tufure.xyz"]}
Source: SetupSuite_21.8_win64_86_sm.exe | ReversingLabs: Detection: 54%
Source: SetupSuite_21.8_win64_86_sm.exe | Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\ejhooxmigi | Joe Sandbox ML: detected
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199658817715
Source: Malware configuration extractor | URLs: https://tufure.xyz
Source: Yara match | File source: RazerInstaller.exe, type: SAMPLE
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dllString found in binary or memory: http://s2.symcb.com0
                  Source: RazerInstaller.exeString found in binary or memory: http://schemas.datacontract.org/2004/07/Razer.ActionService
                  Source: NLog.dllString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://scripts.sil.org/OFL
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://scripts.sil.org/OFLCopyright
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://scripts.sil.org/OFLRazerF5Light
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://scripts.sil.org/OFLRazerF5LightItalic
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://scripts.sil.org/OFLRazerF5SemiBold
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://scripts.sil.org/OFLRazerF5SemiBoldItalic
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://scripts.sil.org/OFLRazerF5Thin
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://scripts.sil.org/OFLRazerF5ThinItalic
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dllString found in binary or memory: http://sv.symcb.com/sv.crl0a
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dllString found in binary or memory: http://sv.symcb.com/sv.crt0
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dllString found in binary or memory: http://sv.symcd.com0&
                  Source: cpprest140_2_10.dllString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                  Source: cpprest140_2_10.dllString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                  Source: cpprest140_2_10.dllString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                  Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
                  Source: SetupSuite_21.8_win64_86_sm.exeString found in binary or memory: http://www.2brightsparks.com/foc/foc-v-check.txt
                  Source: SetupSuite_21.8_win64_86_sm.exeString found in binary or memory: http://www.2brightsparks.com/onclick/help/
                  Source: SetupSuite_21.8_win64_86_sm.exeString found in binary or memory: http://www.2brightsparks.com/onclick/index.html
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Roboto
                  Source: RazerInstaller.exeString found in binary or memory: http://www.codeplex.com/CompositeWPF
                  Source: RazerInstaller.exeString found in binary or memory: http://www.codeplex.com/DotNetZip
                  Source: RazerInstaller.exeString found in binary or memory: http://www.codeplex.com/prism
                  Source: RazerInstaller.exeString found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
                  Source: RazerInstaller.exeString found in binary or memory: http://www.codeplex.com/prism:Microsoft.Practices.Prism.Interactivity.InteractionRequest
                  Source: Razer.RazerInstallerCommon.resources.dllString found in binary or memory: http://www.digicert.com/CPS0
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.0000000005418000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.0000000005237000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                  Source: cpprest140_2_10.dllString found in binary or memory: http://www.openssl.org/support/faq.html
                  Source: Razer.RazerInstallerCommon.resources.dllString found in binary or memory: http://www.razer.com/sw-eula
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://www.razerzone.com
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://www.razerzone.com/comms
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://www.razerzone.com/cortex
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://www.razerzone.com/surround
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: http://www.razerzone.com/synapse
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dllString found in binary or memory: http://www.symauth.com/cps0(
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dllString found in binary or memory: http://www.symauth.com/rpa00
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: https://albedozero-staging.razerapi.com/password
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: https://albedozero.razerapi.com/datapipelineQhttps://albedozero.razerapi.com/passwordihttps://albedo
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dllString found in binary or memory: https://d.symcb.com/cps0%
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dllString found in binary or memory: https://d.symcb.com/rpa0
                  Source: RazerInstaller.exeString found in binary or memory: https://discovery.razerapi.com:https://manifest.razerapi.com
                  Source: AWSSDK.Core.dllString found in binary or memory: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
                  Source: RazerInstaller.exeString found in binary or memory: https://ec.razer.com
                  Source: NLog.dllString found in binary or memory: https://github.com/NLog/NLog.git
                  Source: Razer.RazerInstallerCommon.resources.dllString found in binary or memory: https://insider.razer.com
                  Source: AWSSDK.Core.dllString found in binary or memory: https://ip-ranges.amazonaws.com/ip-ranges.json
                  Source: AWSSDK.Kinesis.dllString found in binary or memory: https://kinesis.us-gov-east-1.amazonaws.com
                  Source: AWSSDK.Kinesis.dllString found in binary or memory: https://kinesis.us-gov-west-1.amazonaws.com
                  Source: NLog.dllString found in binary or memory: https://nlog-project.org/
                  Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199658817715
                  Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199658817715fgshMozilla/5.0
                  Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.drString found in binary or memory: https://t.me/sa9ok
                  Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.drString found in binary or memory: https://t.me/sa9okfgshhttps://steamcommunity.com/profiles/76561199658817715sql.dllsqlm.dllMozilla/5.
                  Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.drString found in binary or memory: https://tufure.xyz
                  Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.drString found in binary or memory: https://tufure.xyzCristina
                  Source: Razer.RazerInstallerCommon.resources.dllString found in binary or memory: https://twitter.com/intent/follow?screen_name=Razer
                  Source: Razer.RazerInstallerCommon.dllString found in binary or memory: https://u05srooyhc.execute-api.us-east-1.amazonaws.com/sts
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exeString found in binary or memory: https://www.digicert.com/CPS0
                  Source: RazerInstaller.exeString found in binary or memory: https://www.newtonsoft.com/json
                  Source: RazerInstaller.exeString found in binary or memory: https://www.newtonsoft.com/jsonschema
                  Source: NLog.dllString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                  Source: RazerInstaller.exeString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Code function: 0_2_005BFCEE NtQuerySystemInformation
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C0A5890
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C0914E0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C0A7900
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C0A39E0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C0A3DF0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C0BA671
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C08E6D0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C0B1378
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C08ABB0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C0A9700
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\ejhooxmigi 53E1DB0A09087822E1A40B253C83ACD921F0CDCDF47F12C822ABD649FA17F990
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 460
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: invalid certificate
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386, for MS Windows
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: Number of sections : 11 > 10
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000000.1975517741.00000000016F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRazer Installer.exe@ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000000.1975517741.00000000016F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRzSDKClient.exeZ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2059867804.0000000005330000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2063756868.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezip.exe( vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2043957617.0000000004F01000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRazer Installer.exe@ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2043957617.0000000004F01000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRzSDKClient.exeZ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: OriginalFilenameIonic.Zip.dllD vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: OriginalFilenameIonic.Zip-2023Jul28-021849-577cc2fa-e620-4ba0-86f6-f94884a6f6a6.exe@ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: OriginalFilenameRazer Installer.exe@ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: OriginalFilenameRzSDKClient.exeZ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RazerInstaller.exe | Binary or memory string: c:\b\4741\2098\src\intermediate\System.Net.Http.2.0.csproj_f5d23ea6\Release\System.Net.Http.pdb
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/8@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1360
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | File created: C:\Users\user\AppData\Local\Temp\ef788a7f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SetupSuite_21.8_win64_86_sm.exe | ReversingLabs: Detection: 54%
Source: SetupSuite_21.8_win64_86_sm.exe | Virustotal: Detection: 39%
Source: explorer.exe | String found in binary or memory: more-help
Source: explorer.exe | String found in binary or memory: wild-stop-dirs
Source: SetupSuite_21.8_win64_86_sm.exe | String found in binary or memory: <html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: SetupSuite_21.8_win64_86_sm.exe | String found in binary or memory: n<html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: SetupSuite_21.8_win64_86_sm.exe | String found in binary or memory: <!--StartFragment -->
Source: RazerInstaller.exe | String found in binary or memory: /Adding UnityBootstrapperExtension to container.
Source: RazerInstaller.exe | String found in binary or memory: M{72FC5BA4-24F9-4011-9F3F-ADD27AFAD818}
Source: RazerInstaller.exe | String found in binary or memory: Setting [#] additivity to [/Adding appender named [
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | File read: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe
Source: unknown | Process created: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe "C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe"
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 460
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: olepro32.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SetupSuite_21.8_win64_86_sm.exe | Static file information: File size 18984288 > 1048576
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6d2c00
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xa5e800
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: More than 200 imports for user32.dll
Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll
                  Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll
                  Source: Binary string: C:\projects\msgpack-cli-x2p85\src\MsgPack\obj\Release\net35\MsgPack.pdbh source: RazerInstaller.exe
                  Source: Binary string: C:\projects\msgpack-cli-x2p85\src\MsgPack\obj\Release\net35\MsgPack.pdb source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll
                  Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll
                  Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\Kinesis\obj\AWSSDK.Kinesis.Net45\Release\net45\AWSSDK.Kinesis.pdb source: AWSSDK.Kinesis.dll
                  Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: api-ms-win-core-debug-l1-1-0.dll
                  Source: Binary string: concrt140.i386.pdbGCTL source: concrt140.dll
                  Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\DetectManagerWrapper\bin\Razer.DetectManagerWrapper.pdb source: Razer.DetectManagerWrapper.dll
                  Source: Binary string: C:\jenkins\workspace\CommonTools\Natasha_Master\Updater\UpdateUtility\obj\x86\Release\UpdateUtility.pdbP\ source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll
                  Source: Binary string: C:\Users\shikang.neoh\Desktop\cpprestsdk-master\Binaries\Win32\Release\cpprest140_2_10.pdb source: cpprest140_2_10.dll
                  Source: Binary string: glu32.pdb source: cmd.exe, 00000002.00000002.2285116581.00000000033A3000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412634634.00000000003E8000.00000008.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr
                  Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll
                  Source: Binary string: wntdll.pdb source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2059867804.000000000520D000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2063756868.0000000005B20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2285453916.0000000004ED5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2290342600.0000000005320000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412874246.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2413064510.000000000C170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: Amsi.pdbGCTL source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003C11000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003CBF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerApp\obj\x86\Release\RazerInstaller.pdb| source: RazerInstaller.exe
                  Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\Kinesis\obj\AWSSDK.Kinesis.Net45\Release\net45\AWSSDK.Kinesis.pdbSHA256 source: AWSSDK.Kinesis.dll
                  Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll
                  Source: Binary string: C:\Kat\source_git\synapse3_tools\BLEConnect\Release\BLEConnectWrapper.pdb source: BLEConnectWrapper.dll
                  Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Core\obj\Release\Microsoft.WindowsAPICodePack.pdb source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll
                  Source: Binary string: C:\Kat\source_git\synapse3_tools\BLEConnect\BLEConnect\obj\Release\BLEConnect.pdb source: BLEConnect.dll
                  Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.UnityExtensions\obj\Release\Microsoft.Practices.Prism.UnityExtensions.pdb source: RazerInstaller.exe
                  Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\SafeExtractor\Release\SafeExtractor.pdb source: SetupSuite_21.8_win64_86_sm.exe
                  Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll
                  Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll
                  Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll
                  Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\InstallerCleaner\obj\Release\RazerInstallerCleaner.pdb source: Razer.RazerInstallerCommon.dll
                  Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.Interactivity\obj\Release\Microsoft.Practices.Prism.Interactivity.pdb source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll
                  Source: Binary string: /_/src/NLog/obj/Release/net46/NLog.pdb source: NLog.dll
                  Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll
                  Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll
                  Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.Interactivity\obj\Release\Microsoft.Practices.Prism.Interactivity.pdbh<~< p<_CorDllMainmscoree.dll source: RazerInstaller.exe
                  Source: Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll
                  Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll
                  Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll
                  Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\DetectManagerWrapper\bin\Razer.DetectManagerWrapper.pdb$$ source: Razer.DetectManagerWrapper.dll
                  Source: Binary string: C:\Dev\LightweightInstaller\3rd Party\DotNetZip\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: SetupSuite_21.8_win64_86_sm.exe, RazerInstaller.exe
                  Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll
                  Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.UnityExtensions\obj\Release\Microsoft.Practices.Prism.UnityExtensions.pdb|[ source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll
                  Source: Binary string: c:\tfs\EL\V5-SL\UnityTemp\Compile\Unity\Unity.Configuration\Src\obj\Release\Microsoft.Practices.Unity.Configuration.pdb source: RazerInstaller.exe
                  Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Shell\obj\Release\Microsoft.WindowsAPICodePack.Shell.pdbpZ source: RazerInstaller.exe
                  Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerApp\obj\x86\Release\RazerInstaller.pdb source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll
                  Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll
                  Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerCommon\obj\x86\Release\Razer.RazerInstallerCommon.pdb source: Razer.RazerInstallerCommon.dll
                  Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: RazerInstaller.exe
                  Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerCommon\obj\x86\Release\Razer.RazerInstallerCommon.pdbl source: Razer.RazerInstallerCommon.dll
                  Source: Binary string: c:\Code\Codeplex\Bootstrapper\Core\Bootstrapper\obj\Release\Bootstrapper.pdb source: RazerInstaller.exe
                  Source: Binary string: c:\Code\Codeplex\Bootstrapper\Extensions\Bootstrapper.Unity\obj\Release\Bootstrapper.UnityExtension.pdb source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll
                  Source: Binary string: c:\Code\Codeplex\Bootstrapper\Core\Bootstrapper\obj\Release\Bootstrapper.pdbt source: RazerInstaller.exe
                  Source: Binary string: wntdll.pdbUGP source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2059867804.000000000520D000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2063756868.0000000005B20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2285453916.0000000004ED5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2290342600.0000000005320000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412874246.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2413064510.000000000C170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll
                  Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll
                  Source: Binary string: C:\jenkins\workspace\CommonTools\Natasha_Master\Updater\UpdateUtility\obj\x86\Release\UpdateUtility.pdb source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll
                  Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll
                  Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll
                  Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Core\obj\Release\Microsoft.WindowsAPICodePack.pdb, source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll
                  Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Shell\obj\Release\Microsoft.WindowsAPICodePack.Shell.pdb source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll
                  Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll
                  Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll
                  Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll
                  Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll
                  Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll
                  Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll
                  Source: Binary string: C:\Kat\source_git\synapse3_tools\BLEConnect\Release\BLEConnectWrapper.pdb%% source: BLEConnectWrapper.dll
                  Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll
                  Source: Binary string: c:\b\4741\2098\src\intermediate\System.Net.Http.2.0.csproj_f5d23ea6\Release\System.Net.Http.pdb source: RazerInstaller.exe
                  Source: Binary string: glu32.pdbGCTL source: cmd.exe, 00000002.00000002.2285116581.00000000033A3000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412634634.00000000003E8000.00000008.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr
                  Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll
                  Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll
                  Source: Binary string: Amsi.pdb source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003C11000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003CBF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net45\Release\net45\AWSSDK.Core.pdb source: AWSSDK.Core.dll
                  Source: Binary string: c:\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation.PortableClassLibrary\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: RazerInstaller.exe
                  Source: Binary string: c:\tfs\EL\V5-SL\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: RazerInstaller.exe
                  Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll
                  Source: Binary string: concrt140.i386.pdb source: concrt140.dll
                  Source: Binary string: /_/src/NLog/obj/Release/net46/NLog.pdbSHA256OY source: NLog.dll
                  Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net45\Release\net45\AWSSDK.Core.pdbSHA256 source: AWSSDK.Core.dll
                  Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll
                  Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll
                  Source: ejhooxmigi.2.dr | Static PE information: real checksum: 0x409b9 should be: 0x351d8
                  Source: SetupSuite_21.8_win64_86_sm.exe | Static PE information: section name: .didata
                  Source: ejhooxmigi.2.dr | Static PE information: section name: gbdqkb
                  Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C0ACA00 push eax; ret 5_2_0C0ACA2E
                  Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\ejhooxmigi
                  Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\ejhooxmigi

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\EJHOOXMIGI
                  Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: AVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                  Source: ejhooxmigi.2.dr | Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                  Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ejhooxmigi
                  Source: Amcache.hve.8.dr | Binary or memory string: VMware
                  Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0
                  Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1!0
                  Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000000.1974195403.00000000005A1000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: TatVirtualMachine|*
                  Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1
                  Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.0
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: VirtualMachines
                  Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: TatVirtualMachine|*~
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: TatVirtualMachine;
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: :TatVirtualMachine.:5
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: :TatVirtualMachine.:1
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: :TatVirtualMachine.:3
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: :TatVirtualMachine.:4
                  Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
                  Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noreply@vmware.com0
                  Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
                  Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: VirtualMachine
                  Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: FVirtualMachine
                  Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0/
                  Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: TatVirtualMachines
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: TatVirtualMachine|*~\
                  Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: FVirtualMachines
                  Source: Amcache.hve.8.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: TatVirtualMachine
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: TatVirtualMachines#
                  Source: SetupSuite_21.8_win64_86_sm.exe | Binary or memory string: :TatVirtualMachine.:2
                  Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\SysWOW64\explorer.exe | Process queried: DebugPort
                  Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Code function: 0_2_005C03BE mov eax, dword ptr fs:[00000030h] 0_2_005C03BE
                  Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0C0873E0 mov eax, dword ptr fs:[00000030h] 5_2_0C0873E0

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | NtSetInformationThread: Direct from: 0x5C105F
                  Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | NtQuerySystemInformation: Direct from: 0x76EE7B2E
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 1360 base: 3100000 value: 00
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 1360 base: 33DC2D8 value: 00
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 1360 base: 33DD1E8 value: 00
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 1360 base: CA79C0 value: 55
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 1360 base: 33DD008 value: 00
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 1360 base: 1A0000 value: 00
                  Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: CA79C0
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 33DD008
                  Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 1A0000
                  Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                  Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ef788a7f VolumeInformation
                  Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 2.2.cmd.exe.33700c8.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.cmd.exe.33700c8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: cmd.exe PID: 3092, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1360, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ejhooxmigi, type: DROPPED

                  Remote Access Functionality

                  Source: Yara match | File source: 2.2.cmd.exe.33700c8.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.cmd.exe.33700c8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: cmd.exe PID: 3092, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1360, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ejhooxmigi, type: DROPPED
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 11 DLL Side-Loading | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 DLL Side-Loading | 311 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Abuse Elevation Control Mechanism | NTDS | 11 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

Antivirus detection (submitted sample)
Source | Detection | Scanner | Label | Link
SetupSuite_21.8_win64_86_sm.exe | 54% | ReversingLabs | Win32.Trojan.Rugmi | -
SetupSuite_21.8_win64_86_sm.exe | 40% | Virustotal | - | Browse
SetupSuite_21.8_win64_86_sm.exe | 100% | Avira | TR/AVI.Agent.aiqbv | -
Antivirus detection (dropped files)
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\ejhooxmigi | 100% | Avira | TR/Crypt.XPACK.Gen | -
C:\Users\user\AppData\Local\Temp\ejhooxmigi | 100% | Joe Sandbox ML | - | -
                  No Antivirus matches
                  No Antivirus matches
Antivirus detection (URLs)
Source | Detection | Scanner | Label | Link
http://ocsp.thawte.com0 | 0% | URL Reputation | safe | -
https://tufure.xyz | 0% | Avira URL Cloud | safe | -
http://www.razer.com/sw-eula | 0% | Avira URL Cloud | safe | -
http://169.254.170.2aUnable | 0% | Avira URL Cloud | safe | -
http://razer.com/software | 0% | Avira URL Cloud | safe | -
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe | -
http://169.254.170.2 | 0% | Avira URL Cloud | safe | -
http://schemas.datacontract.org/2004/07/Razer.ActionService | 0% | Avira URL Cloud | safe | -
https://discovery.razerapi.com:https://manifest.razerapi.com | 0% | Avira URL Cloud | safe | -
https://albedozero-staging.razerapi.com/password | 0% | Avira URL Cloud | safe | -
http://razer.com/software | 0% | Virustotal | - | Browse
https://tufure.xyzCristina | 0% | Avira URL Cloud | safe | -
https://tufure.xyz | 2% | Virustotal | - | Browse
http://www.razer.com/sw-eula | 0% | Virustotal | - | Browse
https://albedozero.razerapi.com/datapipelineQhttps://albedozero.razerapi.com/passwordihttps://albedo | 0% | Avira URL Cloud | safe | -
https://insider.razer.com | 0% | Avira URL Cloud | safe | -
http://schemas.datacontract.org/2004/07/Razer.ActionService | 0% | Virustotal | - | Browse
http://169.254.169.254 | 0% | Avira URL Cloud | safe | -
https://ec.razer.com | 0% | Avira URL Cloud | safe | -
http://169.254.170.2 | 0% | Virustotal | - | Browse
http://169.254.169.254 | 0% | Virustotal | - | Browse
https://insider.razer.com | 0% | Virustotal | - | Browse
https://albedozero-staging.razerapi.com/password | 0% | Virustotal | - | Browse
https://albedozero.razerapi.com/datapipelineQhttps://albedozero.razerapi.com/passwordihttps://albedo | 0% | Virustotal | - | Browse
https://ec.razer.com | 0% | Virustotal | - | Browse
                  No contacted domains info
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://tufure.xyz | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/76561199658817715 | false | - | high
URLs from memory and binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.codeplex.com/prism:Microsoft.Practices.Prism.Interactivity.InteractionRequest | RazerInstaller.exe | false | - | high
http://DotNetZip.codeplex.com/ | SetupSuite_21.8_win64_86_sm.exe | false | - | high
http://www.vmware.com/0 | SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://169.254.170.2 | AWSSDK.Core.dll | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://scripts.sil.org/OFLRazerF5LightItalic | Razer.RazerInstallerCommon.dll | false | - | high
http://scripts.sil.org/OFLRazerF5SemiBoldItalic | Razer.RazerInstallerCommon.dll | false | - | high
https://t.me/sa9okfgshhttps://steamcommunity.com/profiles/76561199658817715sql.dllsqlm.dllMozilla/5. | cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr | false | - | high
http://schemas.xmlsoap.org/soap/envelope/ | NLog.dll | false | - | high
http://www.razer.com/sw-eula | Razer.RazerInstallerCommon.resources.dll | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | RazerInstaller.exe | false | - | high
http://www.razerzone.com/synapse | Razer.RazerInstallerCommon.dll | false | - | high
https://nlog-project.org/ | NLog.dll | false | - | high
https://www.newtonsoft.com/json | RazerInstaller.exe | false | - | high
https://kinesis.us-gov-west-1.amazonaws.com | AWSSDK.Kinesis.dll | false | - | high
https://twitter.com/intent/follow?screen_name=Razer | Razer.RazerInstallerCommon.resources.dll | false | - | high
http://169.254.170.2aUnable | AWSSDK.Core.dll | false | Avira URL Cloud: safe | low
http://scripts.sil.org/OFLRazerF5ThinItalic | Razer.RazerInstallerCommon.dll | false | - | high
http://razer.com/software | Razer.RazerInstallerCommon.resources.dll | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html | cpprest140_2_10.dll | false | - | high
http://www.codeplex.com/prism | RazerInstaller.exe | false | - | high
http://www.codeplex.com/CompositeWPF | RazerInstaller.exe | false | - | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | cpprest140_2_10.dll | false | - | high
http://compositewpf.codeplex.com/ | RazerInstaller.exe | false | - | high
http://nlog-project.org/dummynamespace/ | NLog.dll | false | - | high
http://www.2brightsparks.com/foc/foc-v-check.txt | SetupSuite_21.8_win64_86_sm.exe | false | - | high
http://www.2brightsparks.com/onclick/index.html | SetupSuite_21.8_win64_86_sm.exe | false | - | high
http://scripts.sil.org/OFLCopyright | Razer.RazerInstallerCommon.dll | false | - | high
https://ip-ranges.amazonaws.com/ip-ranges.json | AWSSDK.Core.dll | false | - | high
http://scripts.sil.org/OFLRazerF5Thin | Razer.RazerInstallerCommon.dll | false | - | high
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json | AWSSDK.Core.dll | false | - | high
http://scripts.sil.org/OFLRazerF5SemiBold | Razer.RazerInstallerCommon.dll | false | - | high
http://assets.razerzone.com/eeimages/categories/14594/razer-gaming-softwares-category-gamebooster-us | Razer.RazerInstallerCommon.dll | false | - | high
http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel | RazerInstaller.exe | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | Razer.RazerInstallerCommon.dll | false | - | high
http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html | AWSSDK.Core.dll | false | - | high
https://github.com/NLog/NLog.git | NLog.dll | false | - | high
http://schemas.datacontract.org/2004/07/Razer.ActionService | RazerInstaller.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://kinesis.us-gov-east-1.amazonaws.com | AWSSDK.Kinesis.dll | false | - | high
http://ocsp.thawte.com0 | cpprest140_2_10.dll | false | URL Reputation: safe | unknown
https://discovery.razerapi.com:https://manifest.razerapi.com | RazerInstaller.exe | false | Avira URL Cloud: safe | low
http://assets.razerzone.com/eeimages/categories/14594/razer-gaming-softwares-category-comms-usp.png | Razer.RazerInstallerCommon.dll | false | - | high
https://albedozero-staging.razerapi.com/password | Razer.RazerInstallerCommon.dll | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.vmware.com/0/ | SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.razerzone.com/surround | Razer.RazerInstallerCommon.dll | false | - | high
https://steamcommunity.com/profiles/76561199658817715fgshMozilla/5.0 | cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr | false | - | high
http://upx.sf.net | Amcache.hve.8.dr | false | - | high
http://www.symauth.com/cps0( | SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll | false | - | high
https://www.nuget.org/packages/NLog.Web.AspNetCore | NLog.dll | false | - | high
https://tufure.xyzCristina | cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr | false | Avira URL Cloud: safe | unknown
http://james.newtonking.com/projects/json | RazerInstaller.exe | false | URL Reputation: safe | unknown
http://www.razerzone.com | Razer.RazerInstallerCommon.dll | false | - | high
https://albedozero.razerapi.com/datapipelineQhttps://albedozero.razerapi.com/passwordihttps://albedo | Razer.RazerInstallerCommon.dll | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://t.me/sa9ok | cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr | false | - | high
http://scripts.sil.org/OFLRazerF5Light | Razer.RazerInstallerCommon.dll | false | - | high
http://www.2brightsparks.com/onclick/help/ | SetupSuite_21.8_win64_86_sm.exe | false | - | high
http://www.razerzone.com/comms | Razer.RazerInstallerCommon.dll | false | - | high
http://www.symauth.com/rpa00 | SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll | false | - | high
https://www.newtonsoft.com/jsonschema | RazerInstaller.exe | false | - | high
http://www.apache.org/licenses/LICENSE-2.0Roboto | Razer.RazerInstallerCommon.dll | false | - | high
https://insider.razer.com | Razer.RazerInstallerCommon.resources.dll | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.info-zip.org/ | SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.0000000005418000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.0000000005237000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.codeplex.com/DotNetZip | RazerInstaller.exe | false | - | high
https://u05srooyhc.execute-api.us-east-1.amazonaws.com/sts | Razer.RazerInstallerCommon.dll | false | - | high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | RazerInstaller.exe | false | - | high
http://www.razerzone.com/cortex | Razer.RazerInstallerCommon.dll | false | - | high
http://scripts.sil.org/OFL | Razer.RazerInstallerCommon.dll | false | - | high
http://assets.razerzone.com/eeimages/products/17531/940x573-01-02.png | Razer.RazerInstallerCommon.dll | false | - | high
http://169.254.169.254 | AWSSDK.Core.dll | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ec.razer.com | RazerInstaller.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                                                                                                                                  No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1434176
Start date and time: 2024-04-30 16:44:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SetupSuite_21.8_win64_86_sm.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/8@0/0
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 7
• Number of non-executed functions: 12
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target explorer.exe, PID 1360 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
16:45:20 | API Interceptor | 1x Sleep call for process: cmd.exe modified
16:45:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                                                                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\ejhooxmigi | https://fahrerdokument.com/zip3/ | Get hash | malicious | Vidar | Browse |
 | https://codeload.github.com/softofdaddy/Setup7/zip/refs/heads/main | Get hash | malicious | Vidar | Browse |
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):65536
                                                                                                                                      Entropy (8bit):0.759957133239478
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:6GFw58uccgIKW3sAZQCoI7JfdQXIDcQvc6QcEVcw3cE/OUeU3+HbHgS8BRTf3o8E:lQcsz3S0BU/wjmjzuiFSZ24IO8c
                                                                                                                                      MD5:1598F63DF53AF9DB3D84BE6AA172F1FA
                                                                                                                                      SHA1:8A91A4A230CA57FAB7CFC701C5E98BCE500B94E7
                                                                                                                                      SHA-256:91FA280152AD9B10A2D3EBBBC58E4EE8BF6941348A80622CBD4DBF12C06192F1
                                                                                                                                      SHA-512:F47C8C03DFD5502196A369F0B2750BFC24C036058C415A745B73EFA04B9E62B2FBCCF1A3ED8AF64E2124333C087131527AAA7F1F41CAB149B3AD996BF5434B43
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.9.6.1.9.2.0.7.4.1.0.6.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.9.6.1.9.2.1.3.6.6.0.6.6.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.7.7.2.8.3.f.0.-.3.5.2.1.-.4.c.9.4.-.9.5.e.7.-.1.8.f.9.e.4.0.5.a.0.e.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.1.c.0.3.0.6.-.f.4.9.4.-.4.2.3.5.-.a.8.d.4.-.0.f.2.d.c.d.3.5.5.e.4.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.e.x.p.l.o.r.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.5.0.-.0.0.0.1.-.0.0.1.4.-.2.7.9.0.-.f.2.0.0.0.d.9.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.e.8.4.1.4.7.e.2.e.6.2.c.a.9.5.6.e.7.4.0.7.0.e.f.6.c.e.f.d.6.1.6.1.9.1.e.
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Tue Apr 30 14:45:21 2024, 0x1205a4 type
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):39912
                                                                                                                                      Entropy (8bit):1.9647422571328395
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:5p8SE3cZsIzTamvQOm1svqo2NDtrleawsi79f8WI0iFe6YZ6RwRDlXK7DfxQgkVq:U6As5weabONumZFRuyXdTfGj1H
                                                                                                                                      MD5:9CD3033C12BB22CA4BA578B7353C80BD
                                                                                                                                      SHA1:A206F37A78786548F3E918AE293956C4EC7F53AB
                                                                                                                                      SHA-256:C70A619AD278B74B5CEECAEF1AFF71946F5D9776C3C674164897BCC32CA3D2C1
                                                                                                                                      SHA-512:9A3713B8A4F6853D6D7AE7726B6800641538EFE568A9582BFFBA8311D9BB65D5E3E933851DBC21CF52C50388586EF16DADF920A3CFEF0D39F91A56EBB02B5CBE
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:MDMP..a..... .........1f........................h................#..........T.......8...........T........... ..........................................................................................................eJ..............GenuineIntel............T.......P.....1f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8340
                                                                                                                                      Entropy (8bit):3.693417330926189
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:R6l7wVeJGp6z+5d+e6YjB6AxxgmfqbCprB89b25sf2ym:R6lXJ46z+dX6Yl6Angmfqb52Sfq
                                                                                                                                      MD5:E666E7F6184EC8252D1E63A3F4221B84
                                                                                                                                      SHA1:5F64924FB7B551571E652F5D802D90D7F1B6846D
                                                                                                                                      SHA-256:DDA7422E552DBE70CF5EFF11C2B1E7DCF24389104389B56FD6F4271DAF0B3A34
                                                                                                                                      SHA-512:34EE3569208FEA39F90708E549DE78AE50DB41646D33CEE50443F08306E119732FCACD570BD578FB1E9DE149A2CD47E0D8C4F6B8DA7A3FA260F9088A7EE46C27
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.6.0.<./.P.i.
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4693
                                                                                                                                      Entropy (8bit):4.490234156187545
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:cvIwWl8zseJg77aI9HsWpW8VYbEYm8M4JygF5+q8EJfTld:uIjfUI7dF7VEJ3/fTld
                                                                                                                                      MD5:B5438EB69DCAE50F159EACDB44F1C58B
                                                                                                                                      SHA1:954EEA26F7011FCFA367ACEFDB429D33EAD6DE0E
                                                                                                                                      SHA-256:A73B2C75C0B22F8D37CBDD7E7ACFB6F5700970CBECE032E3E1350D87F62091E2
                                                                                                                                      SHA-512:D02ED6A45EAF34D7E4876574F78DDD02B9F003D60C678CB85A20DE773E388747AC4D59E91CA2D64B7371FE2E121219012339F30B302A7D3182E40F25FC8FDEE8
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="302748" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                      Process:C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe
                                                                                                                                      File Type:PNG image data, 2128 x 867, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1002425
                                                                                                                                      Entropy (8bit):7.99082126674057
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:24576:Qh4aMFvjPAkyr8zVtrQzoRKk7GSuWKtXDqw0KUlMcHK4r:Q2ai9yAzooIgXpKtzqw0JMqr
                                                                                                                                      MD5:6BA5D9155494F82BC56726C2E73CD37D
                                                                                                                                      SHA1:CFB016F19E57641284938FF4A98A08E2BF4E7A3F
                                                                                                                                      SHA-256:5AA5A88D04C7156F93ADE10893185887FEB5472D2DBCAE39D2EC229CF070B781
                                                                                                                                      SHA-512:48D5AB6977919BD23F492D7D5AA86B5E07B6B0BBACB444880BAB869D8BC433C3BAAF5A9DEC443D0149B7E1A263E3950A8F8292372CD9F2E4474113D710125C5C
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:.PNG........IHDR...P...c........!.. .IDATx..K......+..V.9...zZ.[..$.....k.\....(oMHkA.5....&.......4....fU.W.b..fT...yo.Uu.*..O=P.7.........o! .R.7........v./ .v.1..Zk..2...v........?h..|....kr)...i........9....z.#.1...5..!..{.G8.....K)..h...\....*rw)%^..]J.w/..y....w7..Z..K)..."."..5!wWJ.e....\p.R.1.$..F...J2.K]...+_W5YF..nv}..2...G...!.....;.0..L...C.|.....Z.o..|..9.H....|B5..|..G...N.=$.........`H..w..c.G.u..ZW.p.e7+yF..i..gt....._."....C.a ...1.a..?s}.Pv.``.|.....K.....?..=.......Y>..3.l2..@.......Y.6r.#.o/........-......6w._..)....\.@5..cL*.......2z.....$.. `.._.....'.,p...._....:....|....hj...k..G..x)...!...?..0.p;[7.A...q....>....]$.L-4.....$_..|.'...#..+...1<$..}w..c..,l.....y..AB..w.;.x._..+...z...p..._.......P..........-.o..1...6.......R^.... ......,..........K%..X.T..d"....W.O.J.A.g....q..]b%|v........0..K.7=...k.....p!.^.qLu...O.....=..$...[...!.v.?i+_J...C..RH....p......f.#..P..y.!.g.R.n.#..;.8bD....B........6.{......fo....
                                                                                                                                      Process:C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):938549
                                                                                                                                      Entropy (8bit):7.471604962065227
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:FrII/Qc66PzcQkvD2+VYk7HFODf9QQc0v9BoGq5vOjXlKedzB6mXMiKL:JHoc64zc8t8Fk2Qc0v9+rOjXkeFwniKL
                                                                                                                                      MD5:771A143F82A7AF391192AC1930EC34C7
                                                                                                                                      SHA1:6B86D3CED78013C12529435668DA86AB98CCE089
                                                                                                                                      SHA-256:7A9CE1BC4EDBF31894BF13AE963656A4280A5B083A4EFF090CFA9301070C98BE
                                                                                                                                      SHA-512:41A5B2A4BAC2EDDB2DC910AD3D9D68FEFE940D572CAE1FAB9AD90245174FF3B1AF8C9CA8DAC221A49C5B7789B052176EE35DDFFA93E815AEABAE2B07D4F67E86
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:............................................................................................................................................................................................................................................................................................................................................................................................................................B...F..._...}...f...|...a...s..._...N...u...a...s...b...................................[...{...h.....................................................................Q...f...a...q..................................................................[...@..{...a...<...N.......`....................................................<..."..................................
                                                                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):215040
                                                                                                                                      Entropy (8bit):6.31138663388361
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:Rv/o4s3raz5clrcWA7JwbxOi6m+T6T0zmujWYQRwUdFUNwt/mGrtItNVLhL:NUG54rmmdv6mjgWY3xKBmGxKNVLhL
                                                                                                                                      MD5:4F912C11F30282BFFFD973DACA2BAE93
                                                                                                                                      SHA1:EFC78575C3EE0D7B629ED4B2AEF206D9A346225B
                                                                                                                                      SHA-256:53E1DB0A09087822E1A40B253C83ACD921F0CDCDF47F12C822ABD649FA17F990
                                                                                                                                      SHA-512:F03E06E97A98B2BCEAA723F9EE8C75957CEE9F91063049F96197795120903465F728409D40CE8B0B5CC751C873FAA30413B9FD5C85F4E05460BDECE0D192774C
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\Users\user\AppData\Local\Temp\ejhooxmigi, Author: Joe Security
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      Joe Sandbox View:
                                                                                                                                      • Filename: , Detection: malicious, Browse
                                                                                                                                      • Filename: , Detection: malicious, Browse
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D%.V%K}V%K}V%K}9S.}X%K}9S.}.%K}_].}S%K}_].}Z%K}.\J|U%K}V%J}'%K}9S.}}%K}9S.}W%K}RichV%K}........................PE..L......W..........".........................0....@...........................$...........@...S.X.....S.X.............................$...................... $.P/...................................................0..X............................text............................... ..`.rdata..2....0......................@..@.data.....!.........................@....rsrc.........$.....................@..@.reloc..@Q... $..R..................@..Bgbdqkb... ....$......0..............@...................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1835008
                                                                                                                                      Entropy (8bit):4.422222645300101
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:sSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNf0uhiTw:XvloTyW+EZMM6DFy503w
                                                                                                                                      MD5:4C87E57C1D6939DCE74BAEEEBF67D8CD
                                                                                                                                      SHA1:4F2928D572E59C9C5DBA261EAC9F1C59603173E9
                                                                                                                                      SHA-256:DF8646F17EB296FD6ABE443B2110CBA1E9CA5B599C6EDF56AB2EF21FA54A4450
                                                                                                                                      SHA-512:5BE142B30C71E8B9D2D8050CD65AB4306C599AB693E2680CEA88408709F6FCAE1F1BCD1D75AEE5575095FF80D04654233760DEE5166966FCC122A8727EE90F0C
                                                                                                                                      Malicious:false
Preview: regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.q.................................................................................................................................................................................................................................................................................................................................................a.g2........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.538850993530861
TrID:
• Win32 Executable (generic) a (10002005/4) 99.51%
• InstallShield setup (43055/19) 0.43%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: SetupSuite_21.8_win64_86_sm.exe
File size: 18'984'288 bytes
MD5: ddda012671f0ca2ca213060073b063e2
SHA1: 462783a60146a405f20bba176c4d5f95bf5f785c
SHA256: 61b02846fae730a5b900745cf6fb113993254268609542a5a00404fe9ca985f2
SHA512: 8d511c809089792ec3d788e04258fe1d3ea91bf128ab4b3688876e62b626b7d11ee305035b480612933c09944b27a842b12cffeb109121c6583794024ab3c867
SSDEEP: 393216:mzJGidgsS3yMvyB4JfQO/DEkf8xzw734BtnSCmlmD:8Ay6xQOgmwnMmD
TLSH: A317D003B2B1AC3BC467C6354877965458FBBA20F61D8D9B67F4085C1E37A802D2A79F
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 7b637b752b5ef409
Entrypoint: 0xada1f4
Entrypoint Section: .itext
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x65F14DE3 [Wed Mar 13 06:55:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: c16f0c9ac850a0a49a4206f6236aff99
Signature Valid: false
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 28/01/2022 01:00:00 to 27/02/2025 00:59:59
Subject Chain:
• CN=Razer USA Ltd., O=Razer USA Ltd., L=Irvine, S=California, C=US
Version: 3
Thumbprint MD5: B741657ECF1E500B057E194DA25032DE
Thumbprint SHA-1: 39B818FD58E5287EAB2F9371F7E6A6B8B1A0E8D8
Thumbprint SHA-256: 6765B33CA1432A0213D0F4C034F90727164027D66ADE158FF9CE54CF2D204D72
Serial: 0E3DC5B96BDFEEEFE8699E06161DE3BC
Instruction (entry point disassembly)
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
mov eax, 00ABE19Ch
call 00007F8754EB1FD0h
mov ebx, dword ptr [00B2AE68h]
mov eax, dword ptr [ebx]
call 00007F875511FE27h
mov cl, 01h
mov edx, 00ADA2D0h
mov eax, dword ptr [006250B8h]
call 00007F87550DE8A2h
mov eax, dword ptr [ebx]
mov edx, 00ADA30Ch
call 00007F875511F842h
mov eax, dword ptr [ebx]
add eax, 64h
mov edx, 00ADA330h
call 00007F8754EAA3C3h
mov eax, dword ptr [ebx]
mov byte ptr [eax+6Fh], 00000000h
mov ecx, dword ptr [00B2AA0Ch]
mov eax, dword ptr [ebx]
mov edx, dword ptr [00A57F14h]
call 00007F875511FDFAh
mov ecx, dword ptr [00B2ADD8h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [007CC59Ch]
call 00007F875511FDE7h
mov ecx, dword ptr [00B2AA00h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [007CBAE8h]
call 00007F875511FDD4h
mov ecx, dword ptr [00B2A3CCh]
mov eax, dword ptr [ebx]
mov edx, dword ptr [00A4A3C4h]
call 00007F875511FDC1h
mov ecx, dword ptr [00B2A1F4h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [007CB430h]
call 00007F875511FDAEh
mov ecx, dword ptr [00B2A3BCh]
mov eax, dword ptr [ebx]
mov edx, dword ptr [007C631Ch]
call 00007F875511FD9Bh
mov eax, dword ptr [ebx]
call 00007F875611FEF4h
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x750000 | 0x74 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x748000 | 0x5b18 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7da000 | 0xa5e601 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x12185b0 | 0x27b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x753000 | 0x86544 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x752000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x748ee4 | 0xd54 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x74e000 | 0x13b4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6d2a64 | 0x6d2c00 | 3244d6e653375ca90fab9aab7d285e05 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x6d4000 | 0x635c | 0x6400 | ae481781764350753d51686ec24e8412 | False | 0.4136328125 | data | 5.957853337623397 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x6db000 | 0x5069c | 0x50800 | a1bf6900798039207d8a75b2484963fb | False | 0.23554262907608695 | data | 5.700442632020433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x72c000 | 0x1ba50 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x748000 | 0x5b18 | 0x5c00 | c10409bc564195e9935eded21055c4ae | False | 0.30549422554347827 | data | 5.199083497017295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x74e000 | 0x13b4 | 0x1400 | ef288092880d92365fdad1c13a8486dc | False | 0.3396484375 | data | 4.406790372437478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x750000 | 0x74 | 0x200 | fd327e5564070a3cea17903fc48066ba | False | 0.185546875 | data | 1.2990439372390314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x751000 | 0x54 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x752000 | 0x5d | 0x200 | 03932be85d674c28179956cd28c6d35e | False | 0.189453125 | data | 1.3795024805431133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x753000 | 0x8652c | 0x86600 | a3c30792cb57bc9238c6223a79826968 | False | 0.5416551598837209 | data | 6.708978847755439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x7da000 | 0xa5e601 | 0xa5e800 | 239702a52dd1311a17f2d3abd883f341 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
UFR | 0x7dffd8 | 0xf4bb9 | PNG image data, 2128 x 867, 8-bit/color RGB, non-interlaced | English | United States | 0.9937890615257999
VCLSTYLE | 0x8d4b94 | 0x1ec5d | data | English | United States | 0.8907771034154469
RT_CURSOR | 0x8f37f4 | 0x134 | data | English | United States | 0.43506493506493504
RT_CURSOR | 0x8f3928 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x8f3a5c | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x8f3b90 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x8f3cc4 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x8f3df8 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x8f3f2c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_CURSOR | 0x8f4060 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.19385026737967914
RT_CURSOR | 0x8f434c | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.18716577540106952
RT_CURSOR | 0x8f4638 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.2179144385026738
RT_CURSOR | 0x8f4924 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.21122994652406418
RT_CURSOR | 0x8f4c10 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967064, 3584 elements, 2nd "\377\270w\377\377\370\177\377\377\370\177\377\377\370\177\377\377\370\177\377\377\370\177\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | German | Germany | 0.32792207792207795
RT_CURSOR | 0x8f4d44 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.3538961038961039
RT_CURSOR | 0x8f4e78 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | | | 0.3344155844155844
RT_CURSOR | 0x8f4fac | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | German | Germany | 0.5292207792207793
RT_CURSOR | 0x8f50e0 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.18983957219251338
RT_CURSOR | 0x8f53cc | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.19117647058823528
RT_CURSOR | 0x8f56b8 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.19786096256684493
RT_CURSOR | 0x8f59a4 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.18983957219251338
RT_CURSOR | 0x8f5c90 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.19518716577540107
RT_CURSOR | 0x8f5f7c | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.19518716577540107
RT_CURSOR | 0x8f6268 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_BITMAP | 0x8f639c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334
RT_BITMAP | 0x8f645c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855
RT_BITMAP | 0x8f653c | 0x54 | Device independent bitmap graphic, 9 x 9 x 1, image size 36, 2 important colors | | | 0.42857142857142855
RT_BITMAP | 0x8f6590 | 0x188 | Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors | | | 0.3877551020408163
RT_BITMAP | 0x8f6718 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143
RT_BITMAP | 0x8f67f8 | 0x50 | Device independent bitmap graphic, 8 x 8 x 1, image size 32, 2 important colors | | | 0.475
RT_BITMAP | 0x8f6848 | 0x50 | Device independent bitmap graphic, 8 x 8 x 1, image size 32, 2 important colors | | | 0.5625
RT_BITMAP | 0x8f6898 | 0x188 | Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors | | | 0.2729591836734694
RT_BITMAP | 0x8f6a20 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145
RT_BITMAP | 0x8f6b00 | 0x54 | Device independent bitmap graphic, 9 x 9 x 1, image size 36 | | | 0.4523809523809524
RT_BITMAP | 0x8f6b54 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667
RT_BITMAP | 0x8f6c14 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375
RT_BITMAP | 0x8f6cd4 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285
RT_BITMAP | 0x8f6db4 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666
RT_BITMAP | 0x8f6e74 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5
RT_BITMAP | 0x8f6f54 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_BITMAP | 0x8f703c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333
RT_BITMAP | 0x8f70fc | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256 | Dutch | Belgium | 0.4090909090909091
RT_BITMAP | 0x8f7624 | 0x328 | Device independent bitmap graphic, 16 x 16 x 24, image size 768 | Dutch | Belgium | 0.6918316831683168
RT_BITMAP | 0x8f794c | 0x328 | Device independent bitmap graphic, 16 x 16 x 24, image size 768 | Dutch | Belgium | 0.6089108910891089
RT_BITMAP | 0x8f7c74 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | Dutch | Belgium | 0.4051724137931034
RT_BITMAP | 0x8f7d5c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | Dutch | Belgium | 0.46120689655172414
RT_BITMAP | 0x8f7e44 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | Dutch | Belgium | 0.5775862068965517
RT_BITMAP | 0x8f7f2c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | Dutch | Belgium | 0.5043103448275862
RT_BITMAP | 0x8f8014 | 0x328 | Device independent bitmap graphic, 16 x 16 x 24, image size 768 | Dutch | Belgium | 0.8254950495049505
RT_BITMAP | 0x8f833c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | Dutch | Belgium | 0.5775862068965517
RT_BITMAP | 0x8f8424 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | Dutch | Belgium | 0.49137931034482757
RT_BITMAP | 0x8f850c | 0x328 | Device independent bitmap graphic, 16 x 16 x 24, image size 768 | Dutch | Belgium | 0.6695544554455446
RT_BITMAP | 0x8f8834 | 0x328 | Device independent bitmap graphic, 16 x 16 x 24, image size 768 | Dutch | Belgium | 0.676980198019802
                                                                                                                                      RT_BITMAP0x8f8b5c0xe8Device independent bitmap graphic, 16 x 16 x 4, image size 128DutchBelgium0.5689655172413793
                                                                                                                                      RT_BITMAP0x8f8c440x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.4413265306122449
                                                                                                                                      RT_BITMAP0x8f8dcc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.45918367346938777
                                                                                                                                      RT_BITMAP0x8f8f540x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.45153061224489793
                                                                                                                                      RT_BITMAP0x8f90dc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.40561224489795916
                                                                                                                                      RT_BITMAP0x8f92640x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.46683673469387754
                                                                                                                                      RT_BITMAP0x8f93ec0x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.4387755102040816
                                                                                                                                      RT_BITMAP0x8f95740x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.45153061224489793
                                                                                                                                      RT_BITMAP0x8f96fc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.27040816326530615
                                                                                                                                      RT_BITMAP0x8f98840x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.32142857142857145
                                                                                                                                      RT_BITMAP0x8f9a0c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.28061224489795916
                                                                                                                                      RT_BITMAP0x8f9b940x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.2857142857142857
                                                                                                                                      RT_BITMAP0x8f9d1c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.35714285714285715
                                                                                                                                      RT_BITMAP0x8f9ea40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3469387755102041
                                                                                                                                      RT_BITMAP0x8fa02c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, resolution 3780 x 3780 px/m0.37755102040816324
                                                                                                                                      RT_BITMAP0x8fa1b40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3673469387755102
                                                                                                                                      RT_BITMAP0x8fa33c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.45918367346938777
                                                                                                                                      RT_BITMAP0x8fa4c40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.31887755102040816
                                                                                                                                      RT_BITMAP0x8fa64c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, resolution 3780 x 3780 px/m0.5306122448979592
                                                                                                                                      RT_BITMAP0x8fa7d40x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.3877551020408163
                                                                                                                                      RT_BITMAP0x8fa95c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3392857142857143
                                                                                                                                      RT_BITMAP0x8faae40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.33418367346938777
                                                                                                                                      RT_BITMAP0x8fac6c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.4005102040816326
                                                                                                                                      RT_BITMAP0x8fadf40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.34438775510204084
                                                                                                                                      RT_BITMAP0x8faf7c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3903061224489796
                                                                                                                                      RT_BITMAP0x8fb1040x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.35459183673469385
                                                                                                                                      RT_BITMAP0x8fb28c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.39540816326530615
                                                                                                                                      RT_BITMAP0x8fb4140x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.3647959183673469
                                                                                                                                      RT_BITMAP0x8fb59c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.4107142857142857
                                                                                                                                      RT_BITMAP0x8fb7240x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.33163265306122447
                                                                                                                                      RT_BITMAP0x8fb8ac0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.46683673469387754
                                                                                                                                      RT_BITMAP0x8fba340x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.43112244897959184
                                                                                                                                      RT_BITMAP0x8fbbbc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.25510204081632654
                                                                                                                                      RT_BITMAP0x8fbd440x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.2653061224489796
                                                                                                                                      RT_BITMAP0x8fbecc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.33418367346938777
                                                                                                                                      RT_BITMAP0x8fc0540x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.37244897959183676
                                                                                                                                      RT_BITMAP0x8fc1dc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.44387755102040816
                                                                                                                                      RT_BITMAP0x8fc3640x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3239795918367347
                                                                                                                                      RT_BITMAP0x8fc4ec0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.29336734693877553
                                                                                                                                      RT_BITMAP0x8fc6740x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3877551020408163
                                                                                                                                      RT_BITMAP0x8fc7fc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.35714285714285715
                                                                                                                                      RT_BITMAP0x8fc9840x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.37755102040816324
                                                                                                                                      RT_BITMAP0x8fcb0c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.31887755102040816
                                                                                                                                      RT_BITMAP0x8fcc940x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3137755102040816
                                                                                                                                      RT_BITMAP0x8fce1c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.6377551020408163
                                                                                                                                      RT_BITMAP0x8fcfa40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.22704081632653061
                                                                                                                                      RT_BITMAP0x8fd12c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.2755102040816326
                                                                                                                                      RT_BITMAP0x8fd2b40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3852040816326531
                                                                                                                                      RT_BITMAP0x8fd43c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.28316326530612246
                                                                                                                                      RT_BITMAP0x8fd5c40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.4005102040816326
                                                                                                                                      RT_BITMAP0x8fd74c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.44387755102040816
                                                                                                                                      RT_BITMAP0x8fd8d40x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.25255102040816324
                                                                                                                                      RT_BITMAP0x8fda5c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3112244897959184
                                                                                                                                      RT_BITMAP0x8fdbe40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.38010204081632654
                                                                                                                                      RT_BITMAP0x8fdd6c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.4744897959183674
                                                                                                                                      RT_BITMAP0x8fdef40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.22193877551020408
                                                                                                                                      RT_BITMAP0x8fe07c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3520408163265306
                                                                                                                                      RT_BITMAP0x8fe2040x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.45663265306122447
                                                                                                                                      RT_BITMAP0x8fe38c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.44642857142857145
                                                                                                                                      RT_BITMAP0x8fe5140x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.23469387755102042
                                                                                                                                      RT_BITMAP0x8fe69c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3137755102040816
                                                                                                                                      RT_BITMAP0x8fe8240x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.29591836734693877
                                                                                                                                      RT_BITMAP0x8fe9ac0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.4489795918367347
                                                                                                                                      RT_BITMAP0x8feb340x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.29336734693877553
                                                                                                                                      RT_BITMAP0x8fecbc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.4387755102040816
                                                                                                                                      RT_BITMAP0x8fee440x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.44387755102040816
                                                                                                                                      RT_BITMAP0x8fefcc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.2780612244897959
                                                                                                                                      RT_BITMAP0x8ff1540x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.34183673469387754
                                                                                                                                      RT_BITMAP0x8ff2dc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.35714285714285715
                                                                                                                                      RT_BITMAP0x8ff4640x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.375
                                                                                                                                      RT_BITMAP0x8ff5ec0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.42857142857142855
                                                                                                                                      RT_BITMAP0x8ff7740x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.44642857142857145
                                                                                                                                      RT_BITMAP0x8ff8fc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.40561224489795916
                                                                                                                                      RT_BITMAP0x8ffa840x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.39285714285714285
                                                                                                                                      RT_BITMAP0x8ffc0c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.25255102040816324
                                                                                                                                      RT_BITMAP0x8ffd940x668Device independent bitmap graphic, 24 x 24 x 8, image size 5760.3926829268292683
                                                                                                                                      RT_BITMAP0x9003fc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.3520408163265306
                                                                                                                                      RT_BITMAP0x9005840x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.3163265306122449
                                                                                                                                      RT_BITMAP0x90070c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.32653061224489793
                                                                                                                                      RT_BITMAP0x9008940x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.3112244897959184
                                                                                                                                      RT_BITMAP0x900a1c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.34438775510204084
                                                                                                                                      RT_BITMAP0x900ba40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3903061224489796
                                                                                                                                      RT_BITMAP0x900d2c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.28061224489795916
                                                                                                                                      RT_BITMAP0x900eb40x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors0.3239795918367347
                                                                                                                                      RT_BITMAP0x90103c0x668Device independent bitmap graphic, 24 x 24 x 8, image size 5760.38597560975609757
                                                                                                                                      RT_BITMAP0x9016a40x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.2729591836734694
                                                                                                                                      RT_BITMAP0x90182c0x188Device independent bitmap graphic, 24 x 24 x 4, image size 2880.3086734693877551
                                                                                                                                      RT_BITMAP0x9019b40x668Device independent bitmap graphic, 24 x 24 x 8, image size 5760.39878048780487807
                                                                                                                                      RT_BITMAP0x90201c0x668Device independent bitmap graphic, 24 x 24 x 8, image size 5760.3524390243902439
                                                                                                                                      RT_BITMAP0x9026840xe0Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colorsEnglishUnited States0.3794642857142857
                                                                                                                                      RT_BITMAP0x9027640x50Device independent bitmap graphic, 8 x 8 x 1, image size 32, 2 important colors0.5375
                                                                                                                                      RT_BITMAP0x9027b40x268Device independent bitmap graphic, 32 x 32 x 4, image size 5120.22077922077922077
                                                                                                                                      RT_BITMAP0x902a1c0x268Device independent bitmap graphic, 32 x 32 x 4, image size 5120.17857142857142858
                                                                                                                                      RT_BITMAP0x902c840x268Device independent bitmap graphic, 32 x 32 x 4, image size 5120.1737012987012987
                                                                                                                                      RT_BITMAP0x902eec0x124Device independent bitmap graphic, 9 x 9 x 24, image size 252, resolution 2834 x 2834 px/m0.5924657534246576
                                                                                                                                      RT_BITMAP0x9030100x124Device independent bitmap graphic, 9 x 9 x 24, image size 252, resolution 2834 x 2834 px/m0.5993150684931506
                                                                                                                                      RT_ICON0x9031340x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.7473404255319149
                                                                                                                                      RT_ICON0x90359c0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.6142120075046904
                                                                                                                                      RT_ICON0x9046440x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.4853734439834025
                                                                                                                                      RT_ICON0x906bec0xb0Device independent bitmap graphic, 16 x 32 x 1, image size 1280.4318181818181818
                                                                                                                                      RT_ICON0x906c9c0xb0Device independent bitmap graphic, 16 x 32 x 1, image size 1280.39204545454545453
                                                                                                                                      RT_ICON0x906d4c0xb0Device independent bitmap graphic, 16 x 32 x 1, image size 1280.3352272727272727
                                                                                                                                      RT_ICON0x906dfc0xb0Device independent bitmap graphic, 16 x 32 x 1, image size 1280.4318181818181818
                                                                                                                                      RT_ICON0x906eac0xb0Device independent bitmap graphic, 16 x 32 x 1, image size 1280.39204545454545453
                                                                                                                                      RT_ICON0x906f5c0xb0Device independent bitmap graphic, 16 x 32 x 1, image size 1280.3352272727272727
                                                                                                                                      RT_DIALOG0x90700c0x52data0.7682926829268293
                                                                                                                                      RT_DIALOG0x9070600x52data0.7560975609756098
                                                                                                                                      RT_STRING0x9070b40x38cdata0.42731277533039647
                                                                                                                                      RT_STRING0x9074400x32cdata0.43349753694581283
                                                                                                                                      RT_STRING0x90776c0x3b8data0.38130252100840334
                                                                                                                                      RT_STRING0x907b240x508data0.34860248447204967
                                                                                                                                      RT_STRING0x90802c0xae4data0.2654232424677188
                                                                                                                                      RT_STRING0x908b100x874data0.300369685767098
                                                                                                                                      RT_STRING0x9093840x3e0data0.42943548387096775
                                                                                                                                      RT_STRING0x9097640x2a4data0.4349112426035503
                                                                                                                                      RT_STRING0x909a080x404data0.3638132295719844
                                                                                                                                      RT_STRING0x909e0c0x564data0.26304347826086955
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_STRING | 0x90a370 | 0x24c | AmigaOS bitmap font "P", fc_YSize 26112, 18944 elements, 2nd "e", 3rd "o" | | | 0.46258503401360546
RT_STRING | 0x90a5bc | 0x874 | data | | | 0.3183918669131238
RT_STRING | 0x90ae30 | 0x380 | data | | | 0.38950892857142855
RT_STRING | 0x90b1b0 | 0x480 | data | | | 0.4105902777777778
RT_STRING | 0x90b630 | 0x400 | data | | | 0.3955078125
RT_STRING | 0x90ba30 | 0x408 | data | | | 0.36627906976744184
RT_STRING | 0x90be38 | 0xf70 | data | | | 0.30035425101214575
RT_STRING | 0x90cda8 | 0x680 | data | | | 0.3425480769230769
RT_STRING | 0x90d428 | 0x530 | data | | | 0.37801204819277107
RT_STRING | 0x90d958 | 0x548 | data | | | 0.36020710059171596
RT_STRING | 0x90dea0 | 0x3ec | data | | | 0.3695219123505976
RT_STRING | 0x90e28c | 0x438 | data | | | 0.34074074074074073
RT_STRING | 0x90e6c4 | 0x358 | data | | | 0.3983644859813084
RT_STRING | 0x90ea1c | 0x220 | data | | | 0.5367647058823529
RT_STRING | 0x90ec3c | 0x448 | data | | | 0.4114963503649635
RT_STRING | 0x90f084 | 0x160 | data | | | 0.5823863636363636
RT_STRING | 0x90f1e4 | 0xcc | data | | | 0.6666666666666666
RT_STRING | 0x90f2b0 | 0x284 | data | | | 0.4409937888198758
RT_STRING | 0x90f534 | 0x144 | data | | | 0.595679012345679
RT_STRING | 0x90f678 | 0x45c | data | | | 0.39157706093189965
RT_STRING | 0x90fad4 | 0x3f0 | data | | | 0.3819444444444444
RT_STRING | 0x90fec4 | 0x3b4 | data | | | 0.3860759493670886
RT_STRING | 0x910278 | 0x588 | data | | | 0.3149717514124294
RT_STRING | 0x910800 | 0x218 | data | | | 0.2294776119402985
RT_STRING | 0x910a18 | 0x43c | data | | | 0.42066420664206644
RT_STRING | 0x910e54 | 0x430 | data | | | 0.36847014925373134
RT_STRING | 0x911284 | 0x694 | data | | | 0.33966745843230406
RT_STRING | 0x911918 | 0x48c | data | | | 0.3230240549828179
RT_STRING | 0x911da4 | 0x300 | data | | | 0.40625
RT_STRING | 0x9120a4 | 0x348 | data | | | 0.3607142857142857
RT_STRING | 0x9123ec | 0x3e8 | data | | | 0.388
RT_STRING | 0x9127d4 | 0x358 | data | | | 0.3808411214953271
RT_STRING | 0x912b2c | 0xd4 | data | | | 0.5283018867924528
RT_STRING | 0x912c00 | 0xa4 | data | | | 0.6524390243902439
RT_STRING | 0x912ca4 | 0x2dc | data | | | 0.46311475409836067
RT_STRING | 0x912f80 | 0x458 | data | | | 0.29856115107913667
RT_STRING | 0x9133d8 | 0x31c | data | | | 0.42462311557788945
RT_STRING | 0x9136f4 | 0x2e8 | data | | | 0.3736559139784946
RT_STRING | 0x9139dc | 0x334 | data | | | 0.3146341463414634
RT_RCDATA | 0x913d10 | 0xe4 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.9868421052631579
RT_RCDATA | 0x913df4 | 0x181 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 1.0207792207792208
RT_RCDATA | 0x913f78 | 0x3f3 | SVG Scalable Vector Graphics image | Dutch | Belgium | 0.4540059347181009
RT_RCDATA | 0x91436c | 0xc5 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 1.0050761421319796
RT_RCDATA | 0x914434 | 0x104 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.9846153846153847
RT_RCDATA | 0x914538 | 0x1b0 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.8796296296296297
RT_RCDATA | 0x9146e8 | 0x114 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 1.0
RT_RCDATA | 0x9147fc | 0x359 | SVG Scalable Vector Graphics image | Dutch | Belgium | 0.5005834305717619
RT_RCDATA | 0x914b58 | 0xa7 | PNG image data, 7 x 7, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.9820359281437125
RT_RCDATA | 0x914c00 | 0xba | PNG image data, 7 x 7, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.989247311827957
RT_RCDATA | 0x914cbc | 0xcb | PNG image data, 11 x 9, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.9901477832512315
RT_RCDATA | 0x914d88 | 0xb7 | PNG image data, 11 x 9, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.9890710382513661
RT_RCDATA | 0x914e40 | 0x359 | SVG Scalable Vector Graphics image | Dutch | Belgium | 0.5005834305717619
RT_RCDATA | 0x91519c | 0xa8 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.9821428571428571
RT_RCDATA | 0x915244 | 0x112 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 1.0
RT_RCDATA | 0x915358 | 0x36c | SVG Scalable Vector Graphics image | Dutch | Belgium | 0.5136986301369864
RT_RCDATA | 0x9156c4 | 0x1ba | PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 1.0158371040723981
RT_RCDATA | 0x915880 | 0x18d | PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 1.0151133501259446
RT_RCDATA | 0x915a10 | 0x337 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 1.0133657351154313
RT_RCDATA | 0x915d48 | 0x384 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 1.0122222222222221
RT_RCDATA | 0x9160cc | 0xb1 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.9943502824858758
RT_RCDATA | 0x916180 | 0xd9 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 1.0
RT_RCDATA | 0x91625c | 0x385 | SVG Scalable Vector Graphics image | Dutch | Belgium | 0.5094339622641509
RT_RCDATA | 0x9165e4 | 0xa4 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.9878048780487805
RT_RCDATA | 0x916688 | 0x102 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.9961240310077519
RT_RCDATA | 0x91678c | 0x192 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.8980099502487562
RT_RCDATA | 0x916920 | 0x116 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Dutch | Belgium | 0.9892086330935251
RT_RCDATA | 0x916a38 | 0x380 | SVG Scalable Vector Graphics image | Dutch | Belgium | 0.5301339285714286
RT_RCDATA | 0x916db8 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013
RT_RCDATA | 0x917b18 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344
RT_RCDATA | 0x918870 | 0xcfc | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003309265944645
RT_RCDATA | 0x91956c | 0xcd9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033444816053512
RT_RCDATA | 0x91a248 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013
RT_RCDATA | 0x91afa8 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344
RT_RCDATA | 0x91bd00 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634
RT_RCDATA | 0x91c950 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634
RT_RCDATA | 0x91d5a0 | 0xcb5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033814940055334
RT_RCDATA | 0x91e258 | 0xcb0 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033866995073892
RT_RCDATA | 0x91ef08 | 0xd56 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032220269478618
RT_RCDATA | 0x91fc60 | 0xd47 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032362459546926
RT_RCDATA | 0x9209a8 | 0xdc2 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031232254400908
RT_RCDATA | 0x92176c | 0xdc5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031205673758865
RT_RCDATA | 0x922534 | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074
RT_RCDATA | 0x923228 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965
RT_RCDATA | 0x923f18 | 0xda9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031455533314269
RT_RCDATA | 0x924cc4 | 0xda6 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031482541499714
RT_RCDATA | 0x925a6c | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074
RT_RCDATA | 0x926760 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965
RT_RCDATA | 0x927450 | 0xb23 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | English | United States | 1.0038582953349702
RT_RCDATA | 0x927f74 | 0xb7b | PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced | English | United States | 1.0037427696495407
RT_RCDATA | 0x928af0 | 0xb3b | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | English | United States | 1.0038260869565216
RT_RCDATA | 0x92962c | 0xba1 | PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced | English | United States | 1.0036949949613705
RT_RCDATA | 0x92a1d0 | 0xb75 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | English | United States | 1.0037504261847938
RT_RCDATA | 0x92ad48 | 0xbdb | PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced | English | United States | 1.0036243822075783
RT_RCDATA | 0x92b924 | 0xb8f | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | English | United States | 1.003717472118959
RT_RCDATA | 0x92c4b4 | 0xc3c | PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced | English | United States | 1.0035121328224776
RT_RCDATA | 0x92d0f0 | 0xb38 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | English | United States | 1.0038300835654597
RT_RCDATA | 0x92dc28 | 0xb7d | PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced | English | United States | 1.0037402244134648
RT_RCDATA | 0x92e7a8 | 0xbfe | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.0035830618892507
RT_RCDATA | 0x92f3a8 | 0xd04 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033013205282113
RT_RCDATA | 0x9300ac | 0xc0e | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.0035644847699288
RT_RCDATA | 0x930cbc | 0xc1b | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.0035495321071313
RT_RCDATA | 0x9318d8 | 0xd36 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032525133057362
RT_RCDATA | 0x932610 | 0xd0f | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.003290457672749
RT_RCDATA | 0x933320 | 0xb07 | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.003896563939072
RT_RCDATA | 0x933e28 | 0xb29 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.0038501925096255
RT_RCDATA | 0x934954 | 0xb7b | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.0037427696495407
RT_RCDATA | 0x9354d0 | 0xbd4 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.0036327608982827
RT_RCDATA | 0x9360a4 | 0xb8d | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.0037199864727764
RT_RCDATA | 0x936c34 | 0xc13 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.00355871886121
RT_RCDATA | 0x937848 | 0xb1d | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.003866432337434
RT_RCDATA | 0x938368 | 0xb45 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.0038128249566725
RT_RCDATA | 0x938eb0 | 0xb86 | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.003728813559322
RT_RCDATA | 0x939a38 | 0xc00 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.0035807291666667
RT_RCDATA | 0x93a638 | 0xb7a | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.0037440435670524
RT_RCDATA | 0x93b1b4 | 0xbf6 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.003592423252776
RT_RCDATA | 0x93bdac | 0xbeb | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.0036053752867913
RT_RCDATA | 0x93c998 | 0xc85 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034321372854915
RT_RCDATA | 0x93d620 | 0xb83 | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.003732609433322
RT_RCDATA | 0x93e1a4 | 0xc03 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.0035772357723578
RT_RCDATA | 0x93eda8 | 0xc2c | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | English | United States | 1.0035301668806162
RT_RCDATA | 0x93f9d4 | 0xd45 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032381513099793
RT_RCDATA | 0x94071c | 0x10 | data | | | 1.5
RT_RCDATA | 0x94072c | 0x148b | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0020916524054002
RT_RCDATA | 0x941bb8 | 0x111e | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0025102692834322
RT_RCDATA | 0x942cd8 | 0xd8c | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031718569780854
RT_RCDATA | 0x943a64 | 0x895f08 | PE32 executable (console) Intel 80386, for MS Windows | | | 0.5360336303710938
RT_RCDATA | 0x11d996c | 0x1418 | data | | | 0.4801710730948678
RT_RCDATA | 0x11dad84 | 0x3a61 | Delphi compiled form 'TfFileKindProperties' | | | 0.9066577450652392
RT_RCDATA | 0x11de7e8 | 0x7693 | Delphi compiled form 'TfFileKinds' | | | 0.9033437654422665
RT_RCDATA | 0x11e5e7c | 0x9e6 | Delphi compiled form 'TfmDatasetFieldsEditor' | | | 0.388318863456985
RT_RCDATA | 0x11e6864 | 0x374 | Delphi compiled form 'TfmDFEAddFields' | | | 0.579185520361991
RT_RCDATA | 0x11e6bd8 | 0x8f2 | Delphi compiled form 'TfmDFENewField' | | | 0.4017467248908297
RT_RCDATA | 0x11e74cc | 0xd39 | Delphi compiled form 'TfmImageListEditor' | | | 0.3867060561299852
RT_RCDATA | 0x11e8208 | 0x311 | Delphi compiled form 'TfmSelectLanguage' | | | 0.6089171974522293
RT_RCDATA | 0x11e851c | 0x2c0 | Delphi compiled form 'TfmSelectUnit' | | | 0.5994318181818182
RT_RCDATA | 0x11e87dc | 0x386 | Delphi compiled form 'TfmWatchProperties' | | | 0.5687361419068736
RT_RCDATA | 0x11e8b64 | 0x11064 | Delphi compiled form 'TfrmAbout' | | | 0.8759679917398038
RT_RCDATA | 0x11f9bc8 | 0x377 | Delphi compiled form 'TfrmAlign' | | | 0.5682074408117249
RT_RCDATA | 0x11f9f40 | 0x2ebf | Delphi compiled form 'TfrmAlignmentPalette' | | | 0.1338681373777889
RT_RCDATA | 0x11fce00 | 0xa3d | Delphi compiled form 'TfrmCollectionEditor' | | | 0.3925982449446776
RT_RCDATA | 0x11fd840 | 0x38c4 | Delphi compiled form 'TfrmColumns' | | | 0.924373795761079
RT_RCDATA | 0x1201104 | 0x305 | Delphi compiled form 'TfrmDesignerAddControls' | | | 0.5847347994825356
RT_RCDATA | 0x120140c | 0x53d | Delphi compiled form 'TfrmDesignerControlsEditor' | | | 0.4325130499627144
RT_RCDATA | 0x120194c | 0xe01 | Delphi compiled form 'TfrmDesignerOptions' | | | 0.304323570432357
RT_RCDATA | 0x1202750 | 0x182b8 | Delphi compiled form 'TfrmDrive' | | | 0.5576868686868687
RT_RCDATA | 0x121aa08 | 0x387c | Delphi compiled form 'TfrmHotKey' | | | 0.9262793914246197
RT_RCDATA | 0x121e284 | 0xab0 | Delphi compiled form 'TfrmListViewEditor' | | | 0.39144736842105265
RT_RCDATA | 0x121ed34 | 0x1017c | Delphi compiled form 'TfrmMain' | | | 0.6957187936161174
RT_RCDATA | 0x122eeb0 | 0xb53 | Delphi compiled form 'TfrmMenuEditor' | | | 0.39185926181441877
RT_RCDATA | 0x122fa04 | 0x5b3 | Delphi compiled form 'TfrmMenuIDEEditor' | | | 0.47978067169294036
RT_RCDATA | 0x122ffb8 | 0x6c6 | Delphi compiled form 'TfrmPicture' | | | 0.44521337946943484
RT_RCDATA | 0x1230680 | 0x6eb | Delphi compiled form 'TfrmSize' | | | 0.3512140033879164
RT_RCDATA | 0x1230d6c | 0x325 | Delphi compiled form 'TfrmStrings' | | | 0.5863354037267081
RT_RCDATA | 0x1231094 | 0x61c | Delphi compiled form 'TfrmTabOrder' | | | 0.44884910485933505
RT_RCDATA | 0x12316b0 | 0xa83 | Delphi compiled form 'TfrmTreeEditor' | | | 0.3927907840951319
RT_RCDATA | 0x1232134 | 0x3c8d | Delphi compiled form 'TfSavedSearchSettings' | | | 0.8898780723824269
RT_RCDATA | 0x1235dc4 | 0x488 | Delphi compiled form 'TLoginDialog' | | | 0.4879310344827586
RT_RCDATA | 0x123624c | 0x3c4 | Delphi compiled form 'TPasswordDialog' | | | 0.4678423236514523
RT_RCDATA | 0x1236610 | 0xc8a | Delphi compiled form 'TScrFindDlgForm' | | | 0.3660436137071651
RT_RCDATA | 0x123729c | 0xc47 | Delphi compiled form 'TScrReplaceDlgForm' | | | 0.3706649697741012
RT_GROUP_CURSOR | 0x1237ee4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x1237ef8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x1237f0c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x1237f20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
                                                                                                                                      RT_GROUP_CURSOR0x1237f340x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                                      RT_GROUP_CURSOR0x1237f480x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                                      RT_GROUP_CURSOR0x1237f5c0x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                                      RT_GROUP_CURSOR0x1237f700x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                                      RT_GROUP_CURSOR0x1237f840x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                                      RT_GROUP_CURSOR0x1237f980x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                                      RT_GROUP_CURSOR0x1237fac0x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                                      RT_GROUP_CURSOR0x1237fc00x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                                      RT_GROUP_CURSOR0x1237fd40x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                                      RT_GROUP_CURSOR0x1237fe80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                      RT_GROUP_CURSOR0x1237ffc0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                                      RT_GROUP_CURSOR0x12380100x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                      RT_GROUP_CURSOR0x12380240x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                      RT_GROUP_CURSOR0x12380380x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                      RT_GROUP_CURSOR0x123804c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                      RT_GROUP_CURSOR0x12380600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                      RT_GROUP_ICON0x12380740x30dataEnglishUnited States0.8541666666666666
                                                                                                                                      RT_GROUP_ICON0x12380a40x14data1.15
                                                                                                                                      RT_GROUP_ICON0x12380b80x14data1.15
                                                                                                                                      RT_GROUP_ICON0x12380cc0x14data1.15
                                                                                                                                      RT_GROUP_ICON0x12380e00x14data1.15
                                                                                                                                      RT_GROUP_ICON0x12380f40x14data1.15
                                                                                                                                      RT_GROUP_ICON0x12381080x14data1.15
                                                                                                                                      RT_VERSION0x123811c0x368data0.4518348623853211
                                                                                                                                      RT_MANIFEST0x12384840x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727
DLL | Import
winmm.dll | timeGetTime
oleacc.dll | LresultFromObject
SHLWAPI.DLL | PathMatchSpecW
wininet.dll | InternetCloseHandle, InternetReadFile, InternetOpenW, InternetOpenUrlW, HttpQueryInfoW
winspool.drv | DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comdlg32.dll | FindTextW, ReplaceTextW, ChooseFontW, ChooseColorW, GetSaveFileNameW, GetOpenFileNameW, PrintDlgW
comctl32.dll | ImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll | SHBrowseForFolderW, DragQueryFileW, SHGetSpecialFolderLocation, Shell_NotifyIconW, DragAcceptFiles, SHGetPathFromIDListW, SHGetFileInfoW, SHGetFolderPathW, SHGetMalloc, SHGetDesktopFolder, IsUserAnAdmin, SHAppBarMessage, ShellExecuteW
user32.dll | CopyImage, MoveWindow, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, SetCaretPos, GetCaretPos, ScrollWindowEx, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, ClipCursor, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoExW, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, CreatePopupMenu, ShowCaret, GetMenuItemID, DestroyCaret, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, SendDlgItemMessageW, IntersectRect, IsIconic, CallNextHookEx, ShowWindow, SetForegroundWindow, GetWindowTextW, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, mouse_event, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, LockWindowUpdate, RemovePropW, GetSubMenu, EqualRect, DestroyIcon, IsWindowVisible, PtInRect, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, GetMessageTime, NotifyWinEvent, GetComboBoxInfo, CreateMenu, LoadStringW, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, EnumClipboardFormats, ScrollDC, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, IsRectEmpty, ValidateRect, IsCharAlphaW, GetCursor, KillTimer, BeginDeferWindowPos, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, GetClipboardFormatNameW, CreateIconIndirect, GetMenuItemRect, CreateWindowExW, ChildWindowFromPoint, GetDCEx, InsertMenuItemA, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, OffsetRect, IsWindowUnicode, DispatchMessageW, TrackPopupMenuEx, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, InflateRect, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetCursorInfo, GetSystemMetrics, CharUpperBuffW, ClientToScreen, SetClipboardData, GetClipboardData, SetWindowPlacement, SetCaretBlinkTime, GetCaretBlinkTime, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, ToAscii, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, TrackMouseEvent, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, CreateCaret, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, DestroyMenu, SetWindowsHookExW, GetDoubleClickTime, EmptyClipboard, GetDlgItem, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, SetKeyboardState, GetKeyboardState, ScreenToClient, DrawFrameControl, IsCharAlphaNumericW, BringWindowToTop, SetCursor, CreateIcon, RemoveMenu, SubtractRect, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CountClipboardFormats, CloseClipboard, DestroyCursor, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, DeferWindowPos, HideCaret, EndDeferWindowPos, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll | SafeArrayPutElement, SetErrorInfo, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SafeArrayAccessData, SysReAllocStringLen, SafeArrayCreate, CreateErrorInfo, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayUnaccessData, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopyInd, VariantChangeType
WTSAPI32.DLL | WTSUnRegisterSessionNotification, WTSRegisterSessionNotification
advapi32.dll | RegSetValueExW, RegConnectRegistryW, RegEnumKeyExW, RegLoadKeyW, RegDeleteKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, RegDeleteValueW, RegReplaceKeyW, RegFlushKey, RegQueryValueExW, RegEnumValueW, RegCloseKey, RegCreateKeyExW, RegRestoreKeyW
msvcrt.dll | memcpy, memset
kernel32.dll | GetFileType, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, lstrcmpiW, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, GetLongPathNameW, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, ReadFile, GetUserDefaultLCID, LCMapStringA, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, GetFileSizeEx, MapViewOfFile, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetFileAttributesExW, LoadLibraryExW, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, GetStringTypeExA, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetTempFileNameW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, SetCurrentDirectoryW, GetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, GlobalLock, SetThreadPriority, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, GetModuleHandleA, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, GetConsoleOutputCP, UnmapViewOfFile, GetConsoleCP, GlobalHandle, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, CreateMutexA, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, EnumResourceNamesW, DeleteFileW, IsDBCSLeadByteEx, GetLocalTime, WaitForSingleObject, WriteFile, FindFirstFileExW, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
SHFolder.dll | SHGetFolderPathW
gdiplus.dll | GdipFillEllipseI, GdipFillPolygonI, GdipGetHatchForegroundColor, GdipGetPointCount, GdipDrawBezier, GdipCreateMatrix3I, GdipLoadImageFromStream, GdipCreateFont, GdipSetClipPath, GdipCreateLineBrushFromRectI, GdipIsMatrixIdentity, GdipSetSmoothingMode, GdipGetSmoothingMode, GdipResetClip, GdipFillRectangle, GdipFillPath, GdipCreateLineBrushFromRect, GdipAddPathRectangle, GdipDrawString, GdipGetImageGraphicsContext, GdipGetTextureImage, GdipGetMatrixElements, GdipCreateTexture2I, GdipCreateTextureIA, GdipCloneImageAttributes, GdipSetMatrixElements, GdipGetTextureWrapMode, GdipSetImageAttributesThreshold, GdipAddPathPolygon, GdipCombineRegionPath, GdipDeleteFontFamily, GdipSetStringFormatLineAlign, GdipGetStringFormatLineAlign, GdipResetPath, GdipGetFontSize, GdipResetImageAttributes, GdipAddPathEllipse, GdipGraphicsClear, GdipAddPathPie, GdipSetWorldTransform, GdipDrawEllipseI, GdipAddPathCurve2I, GdipDeleteRegion, GdipGetGenericFontFamilySerif, GdipLoadImageFromFileICM, GdipSetImageAttributesRemapTable, GdipCreateTexture, GdipDrawLine, GdipCreatePath2, GdipGetPathWorldBounds, GdipCreateHatchBrush, GdipSetLineGammaCorrection, GdipSetPenDashStyle, GdipGetPenDashStyle, GdipGetFamily, GdipDrawPath, GdipLoadImageFromFile, GdipGetPenFillType, GdipDrawRectangle, GdipTranslateTextureTransform, GdipScaleMatrix, GdipSetImageAttributesNoOp, GdipSaveImageToFile, GdipTranslateMatrix, GdipSetTextRenderingHint, GdipGetTextRenderingHint, GdipAddPathLine, GdipDeleteStringFormat, GdipSetImageAttributesToIdentity, GdipSetPenEndCap, GdipGetGenericFontFamilyMonospace, GdipGetImageThumbnail, GdipGetCompositingQuality, GdipSetCompositingQuality, GdipAddPathString, GdipGetImageWidth, GdipTransformMatrixPoints, GdipCreateFromHDC, GdipSetImageAttributesColorKeys, GdipSaveAddImage, GdipCreateSolidFill, GdipGetGenericFontFamilySansSerif, GdipSetImageAttributesOutputChannelColorProfile, GdipSetStringFormatAlign, GdipGetStringFormatAlign, GdipInvertMatrix, GdipGetHatchBackgroundColor, GdipDeletePath, GdipSetImageAttributesGamma, GdipScaleWorldTransform, GdipShearMatrix, GdipCreateFontFamilyFromName, GdipDisposeImageAttributes, GdipIsMatrixInvertible, GdipCreateMatrix2, GdipCreateMatrix3, GdipRotateWorldTransform, GdipCreateRegionRect, GdipSetStringFormatTrimming, GdipGetImageRawFormat, GdipCreateMatrix, GdiplusShutdown, GdipSetLinePresetBlend, GdipScaleTextureTransform, GdipLoadImageFromStreamICM, GdipSetImageAttributesColorMatrix, GdipAddPathRectangleI, GdipGetHatchStyle, GdipGetFamilyName, GdipCreateStringFormat, GdipCloneMatrix, GdipDrawArc, GdipResetWorldTransform, GdipAlloc, GdipDeleteMatrix, GdipDrawBeziers, GdipRotateTextureTransform, GdipSetClipRegion, GdipMultiplyWorldTransform, GdipClosePathFigure, GdipDrawImageI, GdipAddPathCurve, GdipDrawEllipse, GdipGetPathPoints, GdipAddPathArc, GdipGetStringFormatTrimming, GdipCreateLineBrushFromRectWithAngle, GdipAddPathCurveI, GdipCreatePath, GdipGetPathTypes, GdipAddPathLine2I, GdipCreatePen1, GdipCreatePen2, GdipSetStringFormatHotkeyPrefix, GdipVectorTransformMatrixPoints, GdipGetFontStyle, GdipCloneStringFormat, GdipGetImageAttributesAdjustedPalette, GdipDeletePen, GdipRotateMatrix, GdipDeleteGraphics, GdipDeleteFont, GdipCreateLineBrushFromRectWithAngleI, GdipFree, GdipCreateTexture2, GdipSetImageAttributesOutputChannel, GdipResetTextureTransform, GdipCreateTextureIAI, GdipReleaseDC, GdipAddPathPolygonI, GdipSetStringFormatFlags, GdipGetStringFormatFlags, GdipGetPenBrushFill, GdipSetPenBrushFill, GdipGetImagePixelFormat, GdipGetStringFormatHotkeyPrefix, GdipTranslateWorldTransform, GdipGetImageHeight, GdipGetDC, GdipSetTextureWrapMode, GdipCreateRegionPath, GdipCreateImageAttributes, GdiplusStartup, GdipDeleteBrush, GdipCombineRegionRegion, GdipCreateLineBrushI, GdipCreateLineBrush, GdipTransformMatrixPointsI, GdipFillPolygon, GdipDrawImageRect, GdipDrawImageRectRect, GdipImageRotateFlip, GdipFillEllipse, GdipAddPathBezier, GdipSaveImageToStream, GdipVectorTransformMatrixPointsI, GdipMultiplyMatrix, GdipMeasureString, GdipDisposeImage, GdipSetImageAttributesWrapMode, GdipFlush, GdipSetClipRect
ole32.dll | CreateDataAdviseHolder, OleRegEnumVerbs, CoCreateInstance, OleGetClipboard, OleSetClipboard, IsEqualGUID, OleFlushClipboard, CreateStreamOnHGlobal, CLSIDFromProgID, CoGetClassObject, CoInitialize, OleDraw, CoTaskMemAlloc, DoDragDrop, StringFromCLSID, RevokeDragDrop, IsAccelerator, CoUninitialize, ReleaseStgMedium, RegisterDragDrop, OleInitialize, ProgIDFromCLSID, OleUninitialize, CoDisconnectObject, CoTaskMemFree, OleSetMenuDescriptor
gdi32.dll | Pie, SetBkMode, GetRandomRgn, CreateCompatibleBitmap, BeginPath, GetEnhMetaFileHeader, CloseEnhMetaFile, RectVisible, AngleArc, CloseFigure, ResizePalette, SetAbortProc, SetTextColor, GetTextColor, StretchBlt, RoundRect, SelectClipRgn, RestoreDC, SetRectRgn, FillPath, GetTextMetricsW, GetWindowOrgEx, CreatePalette, CreateDCW, CreateICW, PolyBezierTo, GetStockObject, CreateSolidBrush, GetBkMode, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, CreatePenIndirect, GetEnhMetaFilePaletteEntries, SetMapMode, GetMapMode, CreateFontIndirectW, PolyBezier, ExtCreatePen, LPtoDP, GetNearestColor, EndDoc, GetObjectW, GetCurrentObject, GetWinMetaFileBits, SetROP2, GetTextExtentExPointW, GetEnhMetaFileDescriptionW, ArcTo, CreateEnhMetaFileW, Arc, CreateRectRgnIndirect, SelectPalette, SetGraphicsMode, ExcludeClipRect, SetWindowOrgEx, MaskBlt, EndPage, EndPath, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, GetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, StrokePath, SetEnhMetaFileBits, Rectangle, DeleteDC, SaveDC, BitBlt, SetWorldTransform, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, AbortPath, GetClipBox, Polyline, IntersectClipRect, CreateBitmap, CombineRgn, SetWinMetaFileBits, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, SetStretchBltMode, GetDIBits, ExtCreateRegion, LineTo, GetRgnBox, EnumFontsW, SetWindowExtEx, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, OffsetRgn, SetBkColor, GetBkColor, CreateCompatibleDC, GetObjectA, GetBrushOrgEx, GetCurrentPositionEx, SetDCPenColor, GetNearestPaletteIndex, SetTextAlign, CreateRoundRectRgn, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetViewportExtEx, SetPixel, PolyPolyline, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x414024
dbkFCallWrapperAddr | 1 | 0xb2f644
Language of compilation system | Country where language is spoken
English | United States
German | Germany
Dutch | Belgium

No network behavior found

Target ID: 0
Start time: 16:44:49
Start date: 30/04/2024
Path: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe"
Imagebase: 0x5a0000
File size: 18'984'288 bytes
MD5 hash: DDDA012671F0CA2CA213060073B063E2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 2
Start time: 16:44:51
Start date: 30/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmd.exe
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 3
Start time: 16:44:51
Start date: 30/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                      Target ID:5
                                                                                                                                      Start time:16:45:11
                                                                                                                                      Start date:30/04/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      Imagebase:0xbc0000
                                                                                                                                      File size:4'514'184 bytes
                                                                                                                                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                                                                                                                      Reputation:moderate
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:8
                                                                                                                                      Start time:16:45:20
                                                                                                                                      Start date:30/04/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 460
                                                                                                                                      Imagebase:0xb20000
                                                                                                                                      File size:483'680 bytes
                                                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true


                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:31.1%
                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                        Signature Coverage:5.4%
                                                                                                                                        Total number of Nodes:149
                                                                                                                                        Total number of Limit Nodes:7
                                                                                                                                        [Execution graph node/edge listing omitted. API calls named as nodes in the graph: GlobalAlloc, GetPEB, LoadLibraryW, NtQuerySystemInformation, CreateFileW, ReadFile, FindCloseChangeNotification, WriteFile, VirtualProtect, malloc]

                                                                                                                                        Control-flow Graph

                                                                                                                                        [Control-flow graph (executed / not executed blocks) for the function starting at 5bfcee; node listing omitted]
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005BFC8E: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 005BFCBE
                                                                                                                                        • NtQuerySystemInformation.NTDLL(00000005,00000000,00040000,00040000), ref: 005BFD52
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2041348700.00000000005BE000.00000020.00000001.01000000.00000003.sdmp, Offset: 005BE000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_5be000_SetupSuite_21.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocGlobalInformationQuerySystem
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3737350999-0
                                                                                                                                        • Opcode ID: af0b5cb85ebff21ad004f17c148dcb155806cd6198d72419ed993a28eb2c6b99
                                                                                                                                        • Instruction ID: cae65404e87c148590cd0d30115433d4b0021f1fc08d817f91c2d6ed5cf651ee
                                                                                                                                        • Opcode Fuzzy Hash: af0b5cb85ebff21ad004f17c148dcb155806cd6198d72419ed993a28eb2c6b99
                                                                                                                                        • Instruction Fuzzy Hash: DB51FA75D0020AEFCB14CF98C884AFEBBB5BF48304F208569E915A7351D735AE81CBA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        [Control-flow graph (executed / not executed blocks) for the function starting at 5c040e; node listing omitted]
                                                                                                                                        APIs
                                                                                                                                        • GlobalAlloc.KERNELBASE(?,00000A46), ref: 005C04F2
                                                                                                                                          • Part of subcall function 005BFC8E: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 005BFCBE
                                                                                                                                          • Part of subcall function 005BF1FE: LoadLibraryW.KERNELBASE(?), ref: 005BF22F
                                                                                                                                        • VirtualProtect.KERNELBASE(?,00000000,?,00000000), ref: 005C0FE3
                                                                                                                                        • VirtualProtect.KERNELBASE(?,00000000,00000000,00000000), ref: 005C1016
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2041348700.00000000005BE000.00000020.00000001.01000000.00000003.sdmp, Offset: 005BE000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_5be000_SetupSuite_21.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocGlobalProtectVirtual$LibraryLoad
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1966084984-0
                                                                                                                                        • Opcode ID: 240aa55989c54137efdc20a0ee1ae1ca480df6d3202c4e1da627c4bf8a4fd026
                                                                                                                                        • Instruction ID: 94480251e990d435c2c6ef527dbbbf922914e28bc9106b1cf81d592e72d0ca13
                                                                                                                                        • Opcode Fuzzy Hash: 240aa55989c54137efdc20a0ee1ae1ca480df6d3202c4e1da627c4bf8a4fd026
                                                                                                                                        • Instruction Fuzzy Hash: 0C92B6B5E00219EFCB14DBD8C995EEEBBB5BF88300F1481A9E509A7341D631AE45CF61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        [Control-flow graph (executed / not executed blocks) for the function starting at 5bf5ce; node listing omitted]
                                                                                                                                        APIs
                                                                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?), ref: 005BF5F0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2041348700.00000000005BE000.00000020.00000001.01000000.00000003.sdmp, Offset: 005BE000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_5be000_SetupSuite_21.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateFile
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                        • Opcode ID: f2ed564a57136dcdfd9afc14d4280a279a6561515fd8f8e06747ede3fd6620df
                                                                                                                                        • Instruction ID: ce4169f42bde0f7950b4c735761a0d342fc6c50fca320abee4f8976118a65ac2
                                                                                                                                        • Opcode Fuzzy Hash: f2ed564a57136dcdfd9afc14d4280a279a6561515fd8f8e06747ede3fd6620df
                                                                                                                                        • Instruction Fuzzy Hash: 6631AC75A00108FFCB04DF98DC91FAEB7B9BF48310F208599E9199B391D671AE41DB50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        [Control-flow graph (executed / not executed blocks) for the function starting at 5bfbbe; node listing omitted]
                                                                                                                                        APIs
                                                                                                                                        • CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 005BFBE0
                                                                                                                                        • WriteFile.KERNELBASE(000000FF,00000000,?,00000000,00000000), ref: 005BFC0E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2041348700.00000000005BE000.00000020.00000001.01000000.00000003.sdmp, Offset: 005BE000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_5be000_SetupSuite_21.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$CreateWrite
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2263783195-0
                                                                                                                                        • Opcode ID: 25e051ee84f5a1836dda3222278f4334694447e0a98cf775cf13d888adafe703
                                                                                                                                        • Instruction ID: 1c352748812d7490f1dcb5e2cd8db9558c7f8eeb7170e183b11e897cb752fff4
                                                                                                                                        • Opcode Fuzzy Hash: 25e051ee84f5a1836dda3222278f4334694447e0a98cf775cf13d888adafe703
                                                                                                                                        • Instruction Fuzzy Hash: 1E01ED75644208BBDB10DE58CD41FDAB7B9BF88314F208154FE189B291D631FE42DB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        [Control-flow graph (executed / not executed blocks) for the function starting at 5bf1fe; node listing omitted]
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 005BFC8E: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 005BFCBE
                                                                                                                                        • LoadLibraryW.KERNELBASE(?), ref: 005BF22F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.2041348700.00000000005BE000.00000020.00000001.01000000.00000003.sdmp, Offset: 005BE000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_5be000_SetupSuite_21.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocGlobalLibraryLoad
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3361179946-0
                                                                                                                                        • Opcode ID: f0635a325a859858965f79386bc2292b2c6fb1dc49c835a5e9fb86d575d4b663
                                                                                                                                        • Instruction ID: 0a13a9ecdd5bd6857e008782af692760b99a3691f965f4cec77cbc12339aa2ed
                                                                                                                                        • Opcode Fuzzy Hash: f0635a325a859858965f79386bc2292b2c6fb1dc49c835a5e9fb86d575d4b663
                                                                                                                                        • Instruction Fuzzy Hash: 25E0ED75E01208BBCB00EFA8DD8299D7FB8AF88201F1081A4FD0897340E631AE518B91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 254 5c121e-5c126c call 5bf6fe 259 5c126e-5c1270 254->259 260 5c1275-5c12ad 254->260 261 5c1451-5c1454 259->261 264 5c12af-5c12bd 260->264 265 5c12c2-5c12ee malloc 260->265 264->261 266 5c12f9-5c12ff 265->266 268 5c137f-5c1383 266->268 269 5c1301-5c1308 266->269 270 5c1385-5c13a2 268->270 271 5c13a7-5c13be call 5c02ee 268->271 272 5c1313-5c1319 269->272 270->261 279 5c13df-5c140b 271->279 280 5c13c0-5c13dd 271->280 273 5c137a 272->273 274 5c131b-5c1335 272->274 273->266 281 5c133a-5c1378 call 5c108e 274->281 283 5c1416-5c141e 279->283 280->261 281->272 287 5c1420-5c1441 283->287 288 5c1443-5c144a 283->288 287->283 292 5c144f 288->292 292->261
Memory Dump Source
• Source File: 00000000.00000002.2041348700.00000000005BE000.00000020.00000001.01000000.00000003.sdmp, Offset: 005BE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5be000_SetupSuite_21.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbb50fb56afd143785edb8b3f824610f8feaaf99d530fe6b5dcc6f423fa21a8f
• Instruction ID: 8e8cd5bae110f2efa5fd05ab8ac5dca5688cd137723965680292912b5e0d62dc
• Opcode Fuzzy Hash: dbb50fb56afd143785edb8b3f824610f8feaaf99d530fe6b5dcc6f423fa21a8f
• Instruction Fuzzy Hash: 6191C575904209EFCF08CFD9D884EEEBBB5BF89300F108558E919AB351D734AA41CBA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 316 5bfc8e-5bfc9c 317 5bfcaa-5bfcc3 GlobalAlloc 316->317 318 5bfc9e-5bfca7 316->318 318->317
APIs
• GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 005BFCBE
Memory Dump Source
• Source File: 00000000.00000002.2041348700.00000000005BE000.00000020.00000001.01000000.00000003.sdmp, Offset: 005BE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5be000_SetupSuite_21.jbxd
Similarity
• API ID: AllocGlobal
• String ID:
• API String ID: 3761449716-0
• Opcode ID: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
• Instruction ID: 2729ae01d0acb0ca77a5554860c7cb8572524bf370cc06bdf44b7db1210ae423
• Opcode Fuzzy Hash: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
• Instruction Fuzzy Hash: 39F02278614208EFCB44DF58D594999BBA5FB88360F10C299EC198B345D631EE81DB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2041348700.00000000005BE000.00000020.00000001.01000000.00000003.sdmp, Offset: 005BE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5be000_SetupSuite_21.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
• Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
• Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
• Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
Similarity
• API ID:
• String ID: 4F$ 4F$ 4F$ 4F$ 4F$ 4F$ 4F$ 4F
• API String ID: 0-3703517576
• Opcode ID: 0d87d9ce57303822d36bd737f92b79bd09f4438160395695a0c75a84f95793b6
• Instruction ID: 6fc82c468a911013560c399e72f2c45a12e6003a8ddab5c5d606491e9f37f9ca
• Opcode Fuzzy Hash: 0d87d9ce57303822d36bd737f92b79bd09f4438160395695a0c75a84f95793b6
• Instruction Fuzzy Hash: ADB27A79B043006FE724EFA4EC41ABA76D1FB85700F14853EF94AC7690EBB5A806C759
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
Similarity
• API ID:
• String ID: 4F$ 4F$ 4F$gfff
• API String ID: 0-2384452950
• Opcode ID: d42a00bbdc4e9b207bcd9c2cb1da7f197f4ab29db88a16e9ff66627b73762fef
• Instruction ID: df714b5862fde336506835853880400c8227ebc4d917906789fdaf0411495d12
• Opcode Fuzzy Hash: d42a00bbdc4e9b207bcd9c2cb1da7f197f4ab29db88a16e9ff66627b73762fef
• Instruction Fuzzy Hash: FA0316B6B042005BEB18EF78EC41ABA37D5FB84310F54863EF919C7690EA79E40AC755
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
Similarity
• API ID:
• String ID: K
• API String ID: 0-856455061
• Opcode ID: 2de6c9d164f3117b86a138c62c406f856e539d8ce89ebf48cb81af45d0cde882
• Instruction ID: fc944c899c7ff26c4a4c2f32fa80e2cd84e590d86b445eb35d25c48c141ee901
• Opcode Fuzzy Hash: 2de6c9d164f3117b86a138c62c406f856e539d8ce89ebf48cb81af45d0cde882
• Instruction Fuzzy Hash: 6B422775B082426BEF14DF28EC807AE7BD5FB46214F148539E809CB391E735E80AD795
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
Similarity
• API ID:
• String ID: VUUU
• API String ID: 0-2040033107
• Opcode ID: 045655fd3325cab0e2dae8daa4520cd58e7cfbee860123de337c4f630cb95253
• Instruction ID: 28bd3b5f039337a39366e4f3a162f8587c20927ac7f420ce2bade878327342c5
• Opcode Fuzzy Hash: 045655fd3325cab0e2dae8daa4520cd58e7cfbee860123de337c4f630cb95253
• Instruction Fuzzy Hash: 1C229B706087468FC724DF28C890AAAFBE2FFC9304F548A6DE585CB355D734A909CB95
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
• Instruction ID: a1031923e33cf335c715b54d8bbc393c3b513de7407c117c38a7b6369aa28173
• Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
• Instruction Fuzzy Hash: A4B14B75A0120ADFDB15CF05C5E0AECFBE2BB48314F1482ADD95A6B342D731EA46CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4ae696130d774f626a9ea25bfd3738dea878a192abe5df4b387b2f9a66c5967
• Instruction ID: e2b4cc77c8d281a70f356c752b3df51b60f926b6d9eea55138e73ad7745c636b
• Opcode Fuzzy Hash: c4ae696130d774f626a9ea25bfd3738dea878a192abe5df4b387b2f9a66c5967
• Instruction Fuzzy Hash: E9514E33E608364BE334CD55CC4066AA693EFCA215F5BC6B8C9997B75AD974BC0287C0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1c3eeca162a3542835423607404bd722d24ab6ca9e875a0fc2cb9a8b5f5a7d0
• Instruction ID: 348d033313d919a0d45a3700feda4414fcfc462cf9de80bce65bee372d8ee5d1
• Opcode Fuzzy Hash: c1c3eeca162a3542835423607404bd722d24ab6ca9e875a0fc2cb9a8b5f5a7d0
• Instruction Fuzzy Hash: 8E51F071E00209DFDB54CFA9C9807EEBBF5BB08304F24816AE901B7251E3759A85DB60
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 88076c0c33e180634602ca5b9fe7fb72fd0f446dc22a1babd929134cb5118fab
                                                                                                                                        • Instruction ID: d66964e22c392b4aff8cbb10406a112bfedf61377c40733f8fea0d02280908f1
                                                                                                                                        • Opcode Fuzzy Hash: 88076c0c33e180634602ca5b9fe7fb72fd0f446dc22a1babd929134cb5118fab
                                                                                                                                        • Instruction Fuzzy Hash: A541803170C6810FE76D8F7A9875677BFE29F8A30035EC6BDD18ACB692C9649006C248
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 57439122785517a4b687d152a8043d6ecce9241d7005916f0d321680f55ad4e8
                                                                                                                                        • Instruction ID: 71f9188f7d624092c766b0efdf37459945d7b9cb2f52f424174082c0badecac5
                                                                                                                                        • Opcode Fuzzy Hash: 57439122785517a4b687d152a8043d6ecce9241d7005916f0d321680f55ad4e8
                                                                                                                                        • Instruction Fuzzy Hash: 2731C4317086814FE75DCF7AA865677BBE2AF9A30070DC6BDD08ACB6A3D6609406C244
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: 4F$ 4F$ 4F$ 4F$ 4F$heC
                                                                                                                                        • API String ID: 0-772418692
                                                                                                                                        • Opcode ID: ae06115edcb641a05dfcf5b4a5125944856298ee2cabefe28725e30fda5c8ddd
                                                                                                                                        • Instruction ID: 4fa176065558e59050ee77c0e72f3475e77ffc0b8d74e80b2f4861f13f6614c9
                                                                                                                                        • Opcode Fuzzy Hash: ae06115edcb641a05dfcf5b4a5125944856298ee2cabefe28725e30fda5c8ddd
                                                                                                                                        • Instruction Fuzzy Hash: 61814A31B001054BD714DE7898516BA77C2FB84370B69872AFD96C73D4EB66EE0DC254
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp, Offset: 0C085000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_c085000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: zC$$zC$$zC$XfC
                                                                                                                                        • API String ID: 0-782662132
                                                                                                                                        • Opcode ID: 0a1c2ec7d78d10629ae3a2b8d9250caed627eeb30eaf1ae287aa479f68fb7010
                                                                                                                                        • Instruction ID: 570c9f1ef858ca7bfc2eb1fa3f35b840a6132d1a8bf9763f046f595813c4cf7a
                                                                                                                                        • Opcode Fuzzy Hash: 0a1c2ec7d78d10629ae3a2b8d9250caed627eeb30eaf1ae287aa479f68fb7010
                                                                                                                                        • Instruction Fuzzy Hash: BA31B676B14818064B2C853C9921A2E7AC3EAD5371B69832FF977832E4DFE98D05D248
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%