Edit tour

Windows Analysis Report
aMail_Ver1.exe

Overview

General Information

Sample name:	aMail_Ver1.exe
Analysis ID:	1430795
MD5:	06b0347315d3ab5385a0479134ec22cc
SHA1:	784d20632b7aa1c4d4c6a8f1c9597037ac94ab12
SHA256:	c9de15f068399626b8296c218150f31f1f9c0065442f0580cf1e3a9acad70464
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains long sleeps (>= 3 min)

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Potential Persistence Via Visual Studio Tools for Office

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64_ra

aMail_Ver1.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\aMail_Ver1.exe" MD5: 06B0347315D3AB5385A0479134EC22CC)

VSTOInstaller.exe (PID: 7132 cmdline: VSTOInstaller.exe /install https://system.asite.com/aMail_Installer/aMail.vsto MD5: 42E23E8A343675A507C17815E0C4A164)

cleanup

Sigma Signatures

Sigma detected: Potential Persistence Via Visual Studio Tools for Office

Source: Registry Key set

Author: Bhabesh Raj: Data: Details: https://system.asite.com/aMail_Installer/aMail.vsto, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, ProcessId: 7132, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\VSTO\Security\Inclusion\0175bf24-f0a3-4cc6-a020-204e1e4a320f\Url

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: aMail_Ver1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\863B0E4D270BF0E3C1BC13FDCDEAD53E5AE09E163A0364B324EC12450D2C7B6A

Jump to behavior

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File created: C:\Users\user\AppData\Local\Temp\VSDEC4.tmp\install.log

Jump to behavior

Source: aMail_Ver1.exe

Static PE information: certificate valid

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 72.21.92.220:443 -> 192.168.2.16:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.21.92.220:443 -> 192.168.2.16:49705 version: TLS 1.2

Source: aMail_Ver1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb source: aMail_Ver1.exe
Source:	Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb? source: aMail_Ver1.exe

Source: global traffic	HTTP traffic detected: GET /aMail_Installer/aMail.vsto HTTP/1.1Host: system.asite.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aMail_Installer/Application%20Files/aMail_2_0_0_3/aMail.dll.manifest HTTP/1.1Host: system.asite.comAccept-Encoding: gzip

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /aMail_Installer/aMail.vsto HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: system.asite.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /aMail_Installer/aMail.vsto HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: system.asite.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aMail_Installer/aMail.vsto HTTP/1.1Host: system.asite.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aMail_Installer/Application%20Files/aMail_2_0_0_3/aMail.dll.manifest HTTP/1.1Host: system.asite.comAccept-Encoding: gzip

Source: unknown

DNS traffic detected: queries for: system.asite.com

Source: aMail_Ver1.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: aMail_Ver1.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: aMail_Ver1.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: aMail_Ver1.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: aMail_Ver1.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: aMail_Ver1.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: aMail_Ver1.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: aMail_Ver1.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: aMail_Ver1.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: aMail_Ver1.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: aMail_Ver1.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: aMail_Ver1.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: aMail_Ver1.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: aMail_Ver1.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: aMail_Ver1.exe, 00000000.00000003.1179652158.0000000004693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: aMail_Ver1.exe, 00000000.00000003.1179652158.0000000004693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/
Source: aMail_Ver1.exe, 00000000.00000003.1179652158.0000000004693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/UJ
Source: WSML3T3I.log.2.dr	String found in binary or memory: https://system.asite.com/aMail_Installer/Application%20Files/aMail_2_0_0_3/aMail.dll.manifest
Source: aMail_Ver1.exe, 00000000.00000003.1179652158.000000000463C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/BDF279
Source: aMail_Ver1.exe, 00000000.00000003.1179652158.000000000463C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/F47D3D
Source: aMail_Ver1.exe	String found in binary or memory: https://system.asite.com/aMail_Installer/TruePABegin
Source: aMail_Ver1.exe, 00000000.00000002.1179915580.0000000004395000.00000004.00000010.00020000.00000000.sdmp, aMail_Ver1.exe, 00000000.00000002.1179971388.000000000467F000.00000004.00000020.00020000.00000000.sdmp, aMail_Ver1.exe, 00000000.00000003.1179588703.00000000046E1000.00000004.00000020.00020000.00000000.sdmp, aMail_Ver1.exe, 00000000.00000003.1179652158.0000000004693000.00000004.00000020.00020000.00000000.sdmp, aMail_Ver1.exe, 00000000.00000003.1179652158.000000000463C000.00000004.00000020.00020000.00000000.sdmp, WSML3T3I.log.2.dr	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vsto
Source: aMail_Ver1.exe, 00000000.00000003.1179652158.000000000463C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vsto&
Source: aMail_Ver1.exe, 00000000.00000003.1179652158.000000000463C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vsto-AllOS-ENU.exe
Source: aMail_Ver1.exe, 00000000.00000003.1179588703.00000000046E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vsto0
Source: aMail_Ver1.exe, 00000000.00000002.1180368192.00000000047B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vstoC:
Source: aMail_Ver1.exe, 00000000.00000003.1179588703.00000000046E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vstoLMEMh
Source: aMail_Ver1.exe, 00000000.00000003.1179588703.00000000046E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vstoR
Source: aMail_Ver1.exe, 00000000.00000003.1179588703.00000000046CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vstoRRC:
Source: aMail_Ver1.exe, 00000000.00000003.1179344134.00000000076A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vstoex
Source: aMail_Ver1.exe, 00000000.00000003.1179652158.0000000004693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vstol

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown	HTTPS traffic detected: 72.21.92.220:443 -> 192.168.2.16:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.21.92.220:443 -> 192.168.2.16:49705 version: TLS 1.2

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Jump to dropped file

Source: aMail_Ver1.exe, 00000000.00000000.1160458446.0000000000138000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesetup.exe vs aMail_Ver1.exe
Source: aMail_Ver1.exe	Binary or memory string: OriginalFilenamesetup.exe vs aMail_Ver1.exe

Source: aMail_Ver1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: clean5.winEXE@3/9@1/1

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\aMail[1].vsto

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File created: C:\Users\user\AppData\Local\Temp\VSDEC4.tmp

Jump to behavior

Source: aMail_Ver1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\aMail_Ver1.exe "C:\Users\user\Desktop\aMail_Ver1.exe"
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe VSTOInstaller.exe /install https://system.asite.com/aMail_Installer/aMail.vsto
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe VSTOInstaller.exe /install https://system.asite.com/aMail_Installer/aMail.vsto	Jump to behavior

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Section loaded: cabinet.dll	Jump to behavior

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\863B0E4D270BF0E3C1BC13FDCDEAD53E5AE09E163A0364B324EC12450D2C7B6A

Jump to behavior

Source: aMail_Ver1.exe

Static PE information: certificate valid

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: aMail_Ver1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: aMail_Ver1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb source: aMail_Ver1.exe
Source:	Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb? source: aMail_Ver1.exe

Source: aMail_Ver1.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File created: C:\Users\user\AppData\Local\Temp\VSDEC4.tmp\install.log

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599760	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599648	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599536	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599408	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599280	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599168	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599058	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598950	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598839	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598727	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598616	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598505	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598377	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598138	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598028	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597917	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597805	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597694	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597582	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597217	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597107	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596996	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596884	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596772	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596660	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596533	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596405	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596293	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596182	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596057	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 595945	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 595833	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Window / User API: threadDelayed 9638

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -599872s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -599760s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -599648s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -599536s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -599408s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -599280s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -599168s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -599058s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -598950s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -598839s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -598727s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -598616s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -598505s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -598377s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -598138s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -598028s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -597917s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -597805s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -597694s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -597582s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -597454s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -597217s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -597107s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -596996s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -596884s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -596772s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -596660s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -596533s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -596405s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -596293s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -596182s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -596057s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -595945s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe TID: 5336	Thread sleep time: -595833s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599760	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599648	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599536	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599408	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599280	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599168	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 599058	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598950	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598839	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598727	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598616	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598505	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598377	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598138	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 598028	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597917	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597805	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597694	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597582	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597217	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 597107	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596996	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596884	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596772	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596660	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596533	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596405	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596293	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596182	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 596057	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 595945	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Thread delayed: delay time: 595833	Jump to behavior

Source: aMail_Ver1.exe, 00000000.00000003.1179652158.00000000046BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*
Source: aMail_Ver1.exe, 00000000.00000003.1179652158.000000000463C000.00000004.00000020.00020000.00000000.sdmp, aMail_Ver1.exe, 00000000.00000003.1179652158.00000000046BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: aMail_Ver1.exe, 00000000.00000003.1179652158.00000000046BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Runtime\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.Hosting.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.ServerDocument\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Runtime\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\userbri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\userbrili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\userFR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\userFI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\userFB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\userST.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\userSTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\userSTB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\userSTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cs195.adn.deltacdn.net	0%	Virustotal		Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cs195.adn.deltacdn.net	72.21.92.220	true	false	0%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown
system.asite.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://system.asite.com/aMail_Installer/Application%20Files/aMail_2_0_0_3/aMail.dll.manifest	false		high
https://system.asite.com/aMail_Installer/aMail.vsto	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://system.asite.com/aMail_Installer/aMail.vsto&	aMail_Ver1.exe, 00000000.00000003.1179652158.000000000463C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/aMail_Installer/aMail.vsto-AllOS-ENU.exe	aMail_Ver1.exe, 00000000.00000003.1179652158.000000000463C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/aMail_Installer/F47D3D	aMail_Ver1.exe, 00000000.00000003.1179652158.000000000463C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/	aMail_Ver1.exe, 00000000.00000003.1179652158.0000000004693000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/aMail_Installer/aMail.vstol	aMail_Ver1.exe, 00000000.00000003.1179652158.0000000004693000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/aMail_Installer/TruePABegin	aMail_Ver1.exe	false	high
https://system.asite.com/aMail_Installer/aMail.vstoLMEMh	aMail_Ver1.exe, 00000000.00000003.1179588703.00000000046E1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/aMail_Installer/aMail.vstoC:	aMail_Ver1.exe, 00000000.00000002.1180368192.00000000047B5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/aMail_Installer/BDF279	aMail_Ver1.exe, 00000000.00000003.1179652158.000000000463C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/UJ	aMail_Ver1.exe, 00000000.00000003.1179652158.0000000004693000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/aMail_Installer/aMail.vstoR	aMail_Ver1.exe, 00000000.00000003.1179588703.00000000046E1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/aMail_Installer/aMail.vstoex	aMail_Ver1.exe, 00000000.00000003.1179344134.00000000076A0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/aMail_Installer/aMail.vsto0	aMail_Ver1.exe, 00000000.00000003.1179588703.00000000046E1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://system.asite.com/aMail_Installer/aMail.vstoRRC:	aMail_Ver1.exe, 00000000.00000003.1179588703.00000000046CB000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
72.21.92.220	cs195.adn.deltacdn.net	United States		15133	EDGECASTUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430795
Start date and time:	2024-04-24 07:23:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aMail_Ver1.exe
Detection:	CLEAN
Classification:	clean5.winEXE@3/9@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 192.229.211.108, 23.220.73.132, 23.220.73.166
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, cacerts.digicert.com, ctldl.windowsupdate.com, b-ring-fallback.msedge.net, a767.dspw65.akamai.net, teams-ring.msedge.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:24:11	API Interceptor	3391955x Sleep call for process: VSTOInstaller.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	192.229.211.108
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	192.229.211.108
	http://rum.browser-intake-foxbusiness.com:443	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://42.193.223.169/extensioncompabilitynode.exe	Get hash	malicious	Unknown	Browse	192.229.211.108
	SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	192.229.211.108
	ScreenConnect.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.211.108
	ScreenConnect.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.211.108
	SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe	Get hash	malicious	Python Stealer	Browse	192.229.211.108
	https://www.longin-eki.co.jp.cduhzkc.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.longin-eki.co.jp.nebxshr.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EDGECASTUS	SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.21652.15881.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	152.195.19.97
	https://magnisteel.lk/4765445b-32c6-49b0-83e6-1d93765276ca.php	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://u44058082.ct.sendgrid.net/ls/click?upn=u001.wjMLvmoK1OC9dTKy5UL4VbqcIJmZWkGKJypB0ZF6j6rXk8HVnxe0g2af-2BenroUoONz6EEWthgE-2Bi2vVRUosKTZRVQ5v63hCdxrdKCztVooIv51imK8tr-2Bb3beAsH6u-2FNluJlUKmd7nST-2B9m-2Bl2Rgv4y6uHLimO0TjhZzZ-2F-2BDlllJQne3tT99z6x4W12pJpddTL-2BoJ2-2Bdo6961pFN3dV2Rg-3D-3DeWGT_h-2FW4DSvZGhKY-2FmU3Rq-2F3L-2FXo2OZSHdaVvlpgAgHQWDXPYB9CNYi-2FcvonFCbsEhjt9RP-2BQa7dTwbMJOOaP3JRnMW6mQAitl6qAb1EkaAR-2BmnZDE6Bi3ooqtCrrMW-2F3TPNMK3AVi1YKIdTOZivmUJGaXdrtbqCykfnTTkN9KMRy80rdRqf6LWUCYWGeeaXb-2BD6jokMbr-2FaJKvKMHDNWAfHyhaE6QO9pw7souFUseKb40g-3D	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	EXTERNAL Bonnie St Dryden is inviting you to collaborate on One_docx(Apr 23) DOC3848493.msg	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	192.229.211.108
	https://www.jottacloud.com/s/359ee8b110b8ca8464998842a5d227ed979	Get hash	malicious	HTMLPhisher	Browse	152.195.19.97
	https://assets-usa.mkt.dynamics.com/6f8aa86c-81f8-ee11-a1fa-0022482e8338/digitalassets/standaloneforms/4b367e61-8601-ef11-a1fd-0022482f3701	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	http://divbracket.com	Get hash	malicious	Unknown	Browse	192.229.163.25
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website	Get hash	malicious	Unknown	Browse	152.199.24.163
	https://main-bvxea6i-qhygy63sspp2a.ca-1.platformsh.site/sample-page/	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	72.21.92.220
	hesaphareketi_1.scr.exe	Get hash	malicious	AgentTesla	Browse	72.21.92.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	72.21.92.220
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	72.21.92.220
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	72.21.92.220
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	72.21.92.220
	1000901 LIQUIDACION.vbs	Get hash	malicious	FormBook, GuLoader	Browse	72.21.92.220
	Zapytanie ofertowe (7427-23 ROCKFIN).vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	72.21.92.220
	Factura240413227178.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	72.21.92.220
	JUSTIFICANTE DE PAGO.vbs	Get hash	malicious	Unknown	Browse	72.21.92.220
37f463bf4616ecd445d4a1937da06e19	#U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe	Get hash	malicious	GuLoader, Remcos	Browse	72.21.92.220
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	72.21.92.220
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	72.21.92.220
	1000901 LIQUIDACION.vbs	Get hash	malicious	FormBook, GuLoader	Browse	72.21.92.220
	Zapytanie ofertowe (7427-23 ROCKFIN).vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	72.21.92.220
	Factura240413227178.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	72.21.92.220
	Price request N#U00b0DEM23000199.js	Get hash	malicious	AsyncRAT, PureLog Stealer, RedLine	Browse	72.21.92.220
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	72.21.92.220
	FT. 40FE CNY .xlsx.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	72.21.92.220
	DHL Shipping doc.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	72.21.92.220

Process:	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	7.688784034406474
Encrypted:	false
SSDEEP:	24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:	78F2FCAA601F2FB4EBC937BA532E7549
SHA1:	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:	552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:	BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0...0..x..........W..!2.9...wu\0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0....H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...sn..\|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..\|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0....H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.130858325867486
Encrypted:	false
SSDEEP:	6:kKOQXlDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:BXlMkPlE99SNxAhUeVLVt
MD5:	1DC1CDAAB7692B5767E3F171C48ACE5B
SHA1:	5DF3B7944FF855C545C00BF91B689DA37DE6B7F6
SHA-256:	70EC086DFFB0076F817BC3A4D87A3D7894712EC5944E37E9C720584DA0463730
SHA-512:	251510B9B701EC52C85AC2B6E964EBCEE4DCF76815E00596F280037F99C1B7B85C12BF354DB98B393FF4130D94253F4B948B1D8008E3639E8391D4968C14CE00
Malicious:	false
Reputation:	low
Preview:	p...... ........_ .`8...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	3.046561699749037
Encrypted:	false
SSDEEP:	6:kKXgLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:ILYS4tWOxSW0PAMsZp
MD5:	88796C696945CCBBB1D512BB5020B058
SHA1:	2D3E6F5D767BEAA3BE031FBF66EB2C61A43CEFC1
SHA-256:	4D9CDD6D487B76E64D05E6987DF02A545B1254F781CAB84ADE44988A84747077
SHA-512:	B9EB8FC78189A8A0EA2F28A3E01C6DDFD1825EE1084B3BBD8F66039709F9475C3A2BB7EB422FDF2468DFFF9972D04E7A49A63CF9A7594DCCB0BAC87D1E11DD43
Malicious:	false
Reputation:	low
Preview:	p...... ....l...eGF.0...(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\WSML3T3I.log

Download File

Process:	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2600
Entropy (8bit):	3.7517130652049486
Encrypted:	false
SSDEEP:	48:ZkqdHhKGe41yVyYkVyYls1wGXzl1Oy+QaMmt3SwG73n:tdBVZuBqaOy0lt3LS3n
MD5:	C2464EFB261B8B4A1FFC8167FCB5F9B2
SHA1:	3E08AF8A5D4B68E063E64B219A76274534FBD1D8
SHA-256:	711D8AC2DE611D211AD0E6273E707FF8A1A198B1A458EDCEFF08C0B20D16B5EB
SHA-512:	AB923B18A9AB03606F8DFA21580B879E8CFB0D9B1FA47310251B41FC326CE5090B86777CCFED1B43E3BC5D7E2F54E4082B7DFDB9C449E2D53AC70513926A934E
Malicious:	false
Reputation:	low
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .6...2...9.2.0.0...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.6.5.4...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.B.......c.l.r...d.l.l. .......:. .4...8...4.6.4.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.B.......d.f.d.l.l...d.l.l. .......:. .4...8...4.6.5.4...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.B.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.s.y.s.t.e.m...a.s.i.t.e...c.o.m./.a.M.a.i.l._.I.n.s.t.a.l.l.e.r./.a.M.a.i.l...v.s.t.o.......A.p.p.l.i.c.a.t.i.o.n. .u.r.l.......:. .h.t.t.p.s.:././.s.y.s.t.e.m...a.s.i.t.e...c.o.m./.a.M.a.i.l._.I.n.s.t.a.l.l.e.r./.A.p.p.l.i.c.a.t.i.o.n.%.2.0.F.i.l.e.s./.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\aMail[1].vsto

Download File

Process:	C:\Users\user\Desktop\aMail_Ver1.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10116), with CRLF line terminators
Category:	dropped
Size (bytes):	11921
Entropy (8bit):	6.090480868962329
Encrypted:	false
SSDEEP:	192:ok7IvEh1CMeOUwdsVkcv7vUwdspAIUwdsL2x2QP8ZAEDh7BqWoUA:NLGlOUwdsVk0vUwdsxUwdsL/QP8aM7Y7
MD5:	ACCD0105D6E3C72A05E474253199A172
SHA1:	5DDA9CCDD9013A6E8D15994AC6D699B4D334267C
SHA-256:	93EE015EA4716614ECEC968D243DFF54A11D3B10CE06F785833EFE4D38E93EF5
SHA-512:	B97B29A4CE604AA2418E38513666CD36B00CA435AF5B4B42C0300B800294C855261F1EDE790A5535E2204760CBABA1C64DE6D72BEC877C666527BEC1C6D82327
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="aMail.vsto" version="2.0.0.3" publicKeyToken="44f05c3d5bd6a977" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="aMail" asmv2:product="aMail" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" mapFileExtensions="true" />.. <dependency>.. <dependentAssembly dependencyType="in

C:\Users\user\AppData\Local\Temp\Deployment\135WTG68.YRB\HGGB98OY.93M.application

Download File

Process:	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10116), with CRLF line terminators
Category:	dropped
Size (bytes):	11921
Entropy (8bit):	6.090480868962329
Encrypted:	false
SSDEEP:	192:ok7IvEh1CMeOUwdsVkcv7vUwdspAIUwdsL2x2QP8ZAEDh7BqWoUA:NLGlOUwdsVk0vUwdsxUwdsL/QP8aM7Y7
MD5:	ACCD0105D6E3C72A05E474253199A172
SHA1:	5DDA9CCDD9013A6E8D15994AC6D699B4D334267C
SHA-256:	93EE015EA4716614ECEC968D243DFF54A11D3B10CE06F785833EFE4D38E93EF5
SHA-512:	B97B29A4CE604AA2418E38513666CD36B00CA435AF5B4B42C0300B800294C855261F1EDE790A5535E2204760CBABA1C64DE6D72BEC877C666527BEC1C6D82327
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="aMail.vsto" version="2.0.0.3" publicKeyToken="44f05c3d5bd6a977" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="aMail" asmv2:product="aMail" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" mapFileExtensions="true" />.. <dependency>.. <dependentAssembly dependencyType="in

C:\Users\user\AppData\Local\Temp\Deployment\QDRG8X6X.MRC\9Q4O68KE.51L\aMail.dll.manifest

Download File

Process:	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10087), with CRLF line terminators
Category:	dropped
Size (bytes):	39021
Entropy (8bit):	5.6501168652733185
Encrypted:	false
SSDEEP:	384:FXYcAeUz3abJx5m6h67rMwBgjbtF2JA4bGDbYSuuAQmNHzCUwds4K2UwdsxUwds7:FXYcAeNT/h8B+U4vUxUL/QP+0O
MD5:	E6464DE63B7069E0ADA295AF79233ECE
SHA1:	BCE94445F77AFFF412314B3BA554997D6A3A8E41
SHA-256:	C16049D9B25540DB4E976820C4E8FAB3B1D7125075C29E009CFD0CE948904B59
SHA-512:	47D0770571E2183A841F6FCD4FB5DBDC97B9E507656619FBDEC20DE6271D77E41A5F591B06E27E4C62725916B4D5CC81707F6E048AA22B99B64D782E60F2484F
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="aMail.dll" version="2.0.0.3" publicKeyToken="44f05c3d5bd6a977" language="neutral" processorArchitecture="msil" type="win32" />.. <description xmlns="urn:schemas-microsoft-com:asm.v1">aMail</description>.. <application />.. <entryPoint>.. <co.v1:customHostSpecified />.. </entryPoint>.. <trustInfo>.. <security>.. <applicationRequestMinimum>.. <PermissionSet Unrestricted="true" ID="Custom" SameSi

C:\Users\user\AppData\Local\Temp\VSDEC4.tmp\install.log

Download File

Process:	C:\Users\user\Desktop\aMail_Ver1.exe
File Type:	data
Category:	dropped
Size (bytes):	5650
Entropy (8bit):	3.6330736015332423
Encrypted:	false
SSDEEP:	96:s85/imysxK8An6Bj7rBF7gBEO18Aj7PPERApH7bHj:V50CfpA2gfbD
MD5:	25F0C9B3DAEE296DE1A8BB7D519837C7
SHA1:	48CD74407636D3EDF095028EADD38A0B6E75766F
SHA-256:	F49870DF7C6186B7092BC79AE69400DF8D2ACB1578487598E7A2EBFE629C4DE5
SHA-512:	BCC3E41C9C26CED73ACFBD7FB72031114BA4A42CAE9DAE65FB733702C7CE290D31D7791FBD0E70710232886F69AAC023D9E0B403CF71869C78A5EC1E1ACDAF54
Malicious:	false
Reputation:	low
Preview:	T.h.e. .f.o.l.l.o.w.i.n.g. .p.r.o.p.e.r.t.i.e.s. .h.a.v.e. .b.e.e.n. .s.e.t.:.....P.r.o.p.e.r.t.y.:. .[.A.d.m.i.n.U.s.e.r.]. .=. .t.r.u.e. .{.b.o.o.l.e.a.n.}.....P.r.o.p.e.r.t.y.:. .[.I.n.s.t.a.l.l.M.o.d.e.]. .=. .H.o.m.e.S.i.t.e. .{.s.t.r.i.n.g.}.....P.r.o.p.e.r.t.y.:. .[.N.T.P.r.o.d.u.c.t.T.y.p.e.]. .=. .1. .{.i.n.t.}.....P.r.o.p.e.r.t.y.:. .[.P.r.o.c.e.s.s.o.r.A.r.c.h.i.t.e.c.t.u.r.e.]. .=. .A.M.D.6.4. .{.s.t.r.i.n.g.}.....P.r.o.p.e.r.t.y.:. .[.V.e.r.s.i.o.n.N.T.]. .=. .1.0...0...0. .{.v.e.r.s.i.o.n.}.....R.u.n.n.i.n.g. .c.h.e.c.k.s. .f.o.r. .p.a.c.k.a.g.e. .'.M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4...8. .(.x.8.6. .a.n.d. .x.6.4.).'.,. .p.h.a.s.e. .B.u.i.l.d.L.i.s.t.....R.e.a.d.i.n.g. .v.a.l.u.e. .'.R.e.l.e.a.s.e.'. .o.f. .r.e.g.i.s.t.r.y. .k.e.y. .'.H.K.L.M.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.N.E.T. .F.r.a.m.e.w.o.r.k. .S.e.t.u.p.\.N.D.P.\.v.4.\.F.u.l.l.'.....R.e.a.d. .i.n.t.e.g.e.r. .v.a.l.u.e. .5.2.8.3.7.2.....S.e.t.t.i.n.g. .v.a.l.u.e. .'.5.2.8.3.7.2. .{.i.n.t.}.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.658326719275916
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	aMail_Ver1.exe
File size:	908'040 bytes
MD5:	06b0347315d3ab5385a0479134ec22cc
SHA1:	784d20632b7aa1c4d4c6a8f1c9597037ac94ab12
SHA256:	c9de15f068399626b8296c218150f31f1f9c0065442f0580cf1e3a9acad70464
SHA512:	7deaaef9344541db361fc0d3ea074bec35c5c8efa1e2cd0af64c2331f338023d35ba504a1bb1cdaeb703e06929c2576ff9aa9ea30959c324caf31be50f76b05b
SSDEEP:	12288:XLNJYdaqX8PzxRU0EZ6CDQrwaVGua8eMb01JQntLOC9p9wNw:7xqsPzxWDQZem9pl
TLSH:	021541265AD8B569E3F79B307FF242D3AB69BC623934CC4E12D1030D0965A41FDA076E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.W.L...L...L..u.n..L..u.l._L..u.m..L...0...L...0...L...0...L....T..L...L...M...0...L...0...L...0...L...0`..L...0...L..Rich.L.

File Icon


Icon Hash:	0e0f396929630f0e

Static PE Info

General

Entrypoint:	0x43a1e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A6FEE0 [Thu Jul 6 17:50:24 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	2e4063684e52e96403e6efd64e422891

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/04/2022 02:00:00 20/06/2024 01:59:59
Subject Chain	CN=Asite Solutions Limited, O=Asite Solutions Limited, L=London, C=GB
Version:	3
Thumbprint MD5:	86EA3382B09890E3D2C31FC46C92B4B2
Thumbprint SHA-1:	EA51B1554C793D9EC73B4406F4B76BE860B36F7C
Thumbprint SHA-256:	C9C5AB2780E1885EC4FA6260BCD703F6240CF682A735A3ABF71CBE2FC6CFD104
Serial:	074002E0E1228CA7CE34E1C3685BF8BF

Entrypoint Preview

Instruction
call 00007F22393B5918h
jmp 00007F22393B532Dh
push ebp
mov ebp, esp
jmp 00007F22393B54BFh
push dword ptr [ebp+08h]
call 00007F22393C0EC1h
pop ecx
test eax, eax
je 00007F22393B54C1h
push dword ptr [ebp+08h]
call 00007F22393C0F4Ah
pop ecx
test eax, eax
je 00007F22393B5498h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F22393908D6h
jmp 00007F22393B5C77h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F22393B55F3h
pop ecx
pop ebp
ret
cmp ecx, dword ptr [0046205Ch]
jne 00007F22393B54B3h
ret
jmp 00007F22393B5CA0h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F22393B5489h
jmp 00007F22393B5492h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007F22393B547Ah
jmp 00007F22393B5483h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0046205Ch]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x61070	0x78	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x65340	0xc8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x68000	0x7445c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xdb200	0x2908
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdd000	0x384c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12b80	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6e60	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x65000	0x338	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x60d3c	0x80	.text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x600e8	0x60200	0d2e544ab6aab672ed6c6576f2015fe9	False	0.5105428112808843	data	6.450164375603211	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x62000	0x252c	0x1400	f41d72eb2c226a3a1a0907190befa736	False	0.266796875	DOS executable (block device driver)	3.3161911498156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x65000	0x1570	0x1600	de93a4c825fc59143b8094bac90af12c	False	0.42631392045454547	data	5.421901541324144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x67000	0x70	0x200	27eaca3c248e8b18c15c2a0a0bf4df22	False	0.162109375	data	1.1460240260218542	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x68000	0x7445c	0x74600	e6513936fd06999b428973bca2753ab9	False	0.13159573039742212	data	4.219840040807034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdd000	0x384c	0x3a00	f7059413bd1f0b66ae84c624fdf523f2	False	0.7380118534482759	data	6.589152632057299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x69c8c	0x1e16	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9881848870423267
RT_ICON	0x6baa4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.18363539445628999
RT_ICON	0x6c94c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.23736462093862815
RT_ICON	0x6d1f4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.1856936416184971
RT_ICON	0x6d75c	0x1e8c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9874680306905371
RT_ICON	0x6f5e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.08260510155880964
RT_ICON	0x73810	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.10518672199170125
RT_ICON	0x75db8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.16135084427767354
RT_ICON	0x76e60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2801418439716312
RT_ICON	0x772c8	0x75d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8058355437665783
RT_ICON	0x77a28	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.06716417910447761
RT_ICON	0x788d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.08167870036101083
RT_ICON	0x79178	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.08164739884393063
RT_ICON	0x796e0	0x830	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8664122137404581
RT_ICON	0x79f10	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.025330656589513462
RT_ICON	0x7e138	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.03464730290456432
RT_ICON	0x806e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.054643527204502815
RT_ICON	0x81788	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.10460992907801418
RT_DIALOG	0x81bf0	0x90	data	English	United States	0.7083333333333334
RT_DIALOG	0x81c80	0x1b4	data	English	United States	0.4724770642201835
RT_DIALOG	0x81e34	0x1a4	data	English	United States	0.5095238095238095
RT_GROUP_ICON	0x81fd8	0x84	data	English	United States	0.6515151515151515
RT_GROUP_ICON	0x8205c	0x84	data	English	United States	0.6590909090909091
RT_VERSION	0x820e0	0x2dc	data	English	United States	0.49043715846994534
RT_MANIFEST	0x823bc	0x562	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4528301886792453
None	0x82920	0x54	data			0.8333333333333334
None	0x82974	0xa	data			1.8
None	0x82980	0x46c4	data			0.1445131375579598
None	0x87044	0x10	data			1.5
None	0x87054	0x14	data			1.3
None	0x87068	0xe	data			1.5714285714285714
None	0x87078	0x18	data			1.25
None	0x87090	0x18	data			1.25
None	0x870a8	0x8	data			2.0
None	0x870b0	0x6	data			2.3333333333333335
None	0x870b8	0x7a	data			0.680327868852459
None	0x87134	0x8a	data			0.644927536231884
None	0x871c0	0x34	data			0.9423076923076923
None	0x871f4	0x3c	data			0.9
None	0x87230	0x12	data			1.4444444444444444
None	0x87244	0x22	data			1.0294117647058822
None	0x87268	0x122	data			0.5103448275862069
None	0x8738c	0x1a6	data			0.43364928909952605
None	0x87534	0x410	data			0.32211538461538464
None	0x87944	0x36	data			0.9444444444444444
None	0x8797c	0xe	data			1.4285714285714286
None	0x8798c	0x62	data			0.7755102040816326
None	0x879f0	0xa	data			1.8
None	0x879fc	0x48	data			0.8888888888888888
None	0x87a44	0x9a	data			0.6753246753246753
None	0x87ae0	0x7a	data			0.6885245901639344
None	0x87b5c	0x84	data			0.6590909090909091
None	0x87be0	0x17e	data			0.4319371727748691
None	0x87d60	0x46	data			0.8285714285714286
None	0x87da8	0xc4	data			0.5969387755102041
None	0x87e6c	0x4a	data			0.8513513513513513
None	0x87eb8	0x66	data			0.7843137254901961
None	0x87f20	0x100	data			0.578125
None	0x88020	0xc	data			1.6666666666666667
None	0x8802c	0x48	data			0.8194444444444444
None	0x88074	0x20	data			1.15625
None	0x88094	0x42	data			0.8939393939393939
None	0x880d8	0x74	data			0.7155172413793104
None	0x8814c	0x6c	data			0.7592592592592593
None	0x881b8	0x9e	data			0.6518987341772152
None	0x88258	0x5a	data			0.8222222222222222
None	0x882b4	0x68	data			0.75
None	0x8831c	0x58	data			0.8068181818181818
None	0x88374	0x2	data			5.0
None	0x88378	0x16	data			1.2272727272727273
None	0x88390	0x58	data			0.7954545454545454
None	0x883e8	0xa6	data			0.6265060240963856
None	0x88490	0xe	data			1.5714285714285714
None	0x884a0	0x30	data			1.0208333333333333
None	0x884d0	0x12	data			1.4444444444444444
None	0x884e4	0xb8	data			0.6304347826086957
None	0x8859c	0x10	data			1.5
None	0x885ac	0x14c	data			0.5271084337349398
None	0x886f8	0x78	data			0.7666666666666667
None	0x88770	0x3c	data			0.9333333333333333
None	0x887ac	0xce	data			0.5194174757281553
None	0x8887c	0x2e	data			1.0
None	0x888ac	0x74	data			0.7155172413793104
None	0x88920	0xb6	data			0.6043956043956044
None	0x889d8	0x10	data			1.375
None	0x889e8	0x1c	data			1.1785714285714286
None	0x88a04	0x78	data			0.725
None	0x88a7c	0x6c	data			0.7407407407407407
None	0x88ae8	0x52	data			0.8292682926829268
None	0x88b3c	0x4e	data			0.8717948717948718
None	0x88b8c	0x12	data			1.3333333333333333
None	0x88ba0	0x10	data			1.5
None	0x88bb0	0x12	data			1.4444444444444444
None	0x88bc4	0x130	data			0.5131578947368421
None	0x88cf4	0x56	data			0.7906976744186046
None	0x88d4c	0x4a	data			0.9594594594594594
None	0x88d98	0x6c	data			0.7777777777777778
None	0x88e04	0x76	data			0.6864406779661016
None	0x88e7c	0x44	data			0.8676470588235294
None	0x88ec0	0x44	data			0.8676470588235294
None	0x88f04	0x5a	data			0.7777777777777778
None	0x88f60	0xda	data			0.573394495412844
None	0x8903c	0x84	data			0.7045454545454546
None	0x890c0	0xd2	data			0.5428571428571428
None	0x89194	0x5e	data			0.7872340425531915
None	0x891f4	0x8c	data			0.7142857142857143
None	0x89280	0xc8	data			0.595
None	0x89348	0xd2	data			0.5857142857142857
None	0x8941c	0x50	data			0.8125
None	0x8946c	0x88	data			0.7573529411764706
None	0x894f4	0x78	data			0.6916666666666667
None	0x8956c	0x4e	data			0.8974358974358975
None	0x895bc	0x8e	data			0.6690140845070423
None	0x8964c	0xa8	data			0.6130952380952381
None	0x896f4	0x6c	data			0.7314814814814815
None	0x89760	0x82	data			0.7153846153846154
None	0x897e4	0xe4	data			0.5789473684210527
None	0x898c8	0x7a	data			0.7377049180327869
None	0x89944	0xee	data			0.5714285714285714
None	0x89a34	0x6	data			2.3333333333333335
None	0x89a3c	0x4	data			3.0
None	0x89a40	0x26cc	data			0.2400322190898107
None	0x8c10c	0x5013e	data			0.08128403221970866
None	0xdc24c	0xa	data			1.6
None	0xdc258	0x202	data			0.29377431906614787

Imports

DLL	Import
KERNEL32.dll	GetNativeSystemInfo, EndUpdateResourceW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetEvent, CreateEventW, LoadResource, LockResource, SizeofResource, FindResourceW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, DeleteFileW, GetFileAttributesW, GetTempFileNameW, GetCurrentProcessId, GetTempPathW, GetCurrentProcess, GetSystemInfo, GetSystemDirectoryW, GetWindowsDirectoryW, GetVersionExW, GetModuleFileNameW, GlobalAlloc, GlobalFree, LocalFree, FormatMessageW, CopyFileW, GetDateFormatW, GetTimeFormatW, CompareStringW, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, Sleep, HeapSetInformation, SetFilePointer, GetDiskFreeSpaceExW, CreateFileW, DeleteCriticalSection, CreateThread, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, lstrlenW, OpenProcess, MulDiv, GetTickCount, GetExitCodeProcess, LoadLibraryW, ReadFile, SwitchToThread, FindNextFileW, BeginUpdateResourceA, FindResourceA, lstrlenA, DeleteFileA, CreateFileA, UpdateResourceW, BeginUpdateResourceW, GetVersion, GetEnvironmentVariableA, LCMapStringEx, InitializeCriticalSectionEx, HeapReAlloc, HeapSize, WriteConsoleW, GetProcessHeap, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, FindFirstFileExW, OutputDebugStringW, SetEndOfFile, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, FindFirstFileW, FindClose, GetProcAddress, FreeLibrary, WaitForSingleObject, GetLastError, CloseHandle, UpdateResourceA, WriteFile, LCMapStringW, HeapFree, HeapAlloc, GetFileType, GetStringTypeW, GetACP, GetModuleHandleExW, RaiseException, VirtualProtect, VirtualQuery, GetModuleHandleW, LoadLibraryExA, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, MultiByteToWideChar, ExitProcess
GDI32.dll	GetStockObject, EnumFontFamiliesExW, DeleteObject, CreateFontIndirectW, GetObjectW, GetTextMetricsW, SelectObject, GetTextExtentPoint32W, GetDeviceCaps, DeleteDC, CreateCompatibleDC
ole32.dll	CoUninitialize, CoInitialize
Secur32.dll	GetComputerObjectNameW
SHELL32.dll	ShellExecuteExW, SHGetMalloc, SHGetPathFromIDListW, SHGetSpecialFolderLocation, ShellExecuteW, ShellExecuteA
USER32.dll	SystemParametersInfoW, IsDialogMessageW, LoadImageW, LoadIconW, LoadCursorW, SetClassLongW, ScreenToClient, GetWindowRect, GetClientRect, SetWindowTextW, ShowScrollBar, SetForegroundWindow, EnableWindow, MsgWaitForMultipleObjects, SetFocus, SendDlgItemMessageW, SetDlgItemTextW, GetDlgItem, CreateDialogIndirectParamW, CreateDialogParamW, MoveWindow, ShowWindow, DestroyWindow, SendMessageW, SendMessageA, PeekMessageW, DispatchMessageW, TranslateMessage, ExitWindowsEx, MessageBoxW, ReleaseDC, GetDC, DrawTextW, GetSystemMetrics, GetDialogBaseUnits, MessageBoxA, SetCursor, GetFocus
CRYPT32.dll	CertGetCertificateChain, CertFreeCertificateChain, CertVerifyCertificateChainPolicy
WININET.dll	InternetCrackUrlW, InternetCombineUrlW
msi.dll

Exports

Name	Ordinal	Address
_DecodePointerInternal@4	1	0x424800
_EncodePointerInternal@4	2	0x424830

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:24:09.450704098 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:09.450743914 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:09.450836897 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:09.465553999 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:09.465569973 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:09.957389116 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:09.957472086 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:10.010200024 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:10.010221958 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:10.010607004 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:10.010677099 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:10.013709068 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:10.056116104 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:10.819377899 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:10.819612980 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:10.819648027 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:10.819655895 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:10.819694042 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:10.819715023 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:10.819724083 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:10.819792032 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:10.824805021 CEST	49704	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:10.824822903 CEST	443	49704	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:12.352540970 CEST	49705	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:12.352576017 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:12.352974892 CEST	49705	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:12.359230042 CEST	49705	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:12.359241962 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:12.844057083 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:12.844199896 CEST	49705	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:12.845964909 CEST	49705	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:12.845982075 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:12.846263885 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:12.883362055 CEST	49705	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:12.928133011 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:13.309680939 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:13.309941053 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:13.309950113 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:13.309968948 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:13.310003996 CEST	49705	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:13.310017109 CEST	443	49705	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:13.310075998 CEST	49705	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:13.313204050 CEST	49705	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:13.487813950 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:13.487879992 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:13.487970114 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:13.488249063 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:13.488265038 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:13.971342087 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:13.974133015 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:13.974154949 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:14.832107067 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:14.832715034 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:14.832731009 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:14.832772970 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:14.832794905 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:14.832817078 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:14.832848072 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:14.839966059 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:14.839987040 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:14.840071917 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:14.840079069 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:14.840136051 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:14.991641998 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:14.991741896 CEST	443	49708	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:14.991774082 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:14.991820097 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:14.992394924 CEST	49708	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:52.041816950 CEST	49715	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:52.041872025 CEST	443	49715	72.21.92.220	192.168.2.16
Apr 24, 2024 07:24:52.042032957 CEST	49715	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:52.042412043 CEST	49715	443	192.168.2.16	72.21.92.220
Apr 24, 2024 07:24:52.042423964 CEST	443	49715	72.21.92.220	192.168.2.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:24:09.204773903 CEST	56186	53	192.168.2.16	1.1.1.1
Apr 24, 2024 07:24:09.443825006 CEST	53	56186	1.1.1.1	192.168.2.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 07:24:09.204773903 CEST	192.168.2.16	1.1.1.1	0xb402	Standard query (0)	system.asite.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 07:24:09.443825006 CEST	1.1.1.1	192.168.2.16	0xb402	No error (0)	system.asite.com	cs195.adn.deltacdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 07:24:09.443825006 CEST	1.1.1.1	192.168.2.16	0xb402	No error (0)	cs195.adn.deltacdn.net		72.21.92.220	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:24:15.344413996 CEST	1.1.1.1	192.168.2.16	0xdd45	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 07:24:15.344413996 CEST	1.1.1.1	192.168.2.16	0xdd45	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

system.asite.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.16	49704	72.21.92.220	443	7044	C:\Users\user\Desktop\aMail_Ver1.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 05:24:10 UTC	302	OUT	GET /aMail_Installer/aMail.vsto HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: system.asite.com Connection: Keep-Alive
2024-04-24 05:24:10 UTC	777	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: Authorization, X-Requested-With, Content-Type, Accept, Origin, Content-Range, Content-Disposition, X-Prototype-Version, ASessionID, ApiKey, hasattachment, access-control-allow-origin, range Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD, DELETE Cache-Control: max-age=604800 Content-Security-Policy: frame-ancestors 'self' https://*.asite.com Date: Wed, 24 Apr 2024 05:24:10 GMT Last-Modified: Sun, 21 Apr 2024 05:00:10 GMT Server: Asite Web Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: sameorigin X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block Content-Length: 11921 Connection: close
2024-04-24 05:24:10 UTC	11921	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.16	49705	72.21.92.220	443	7132	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 05:24:12 UTC	115	OUT	GET /aMail_Installer/aMail.vsto HTTP/1.1 Host: system.asite.com Accept-Encoding: gzip Connection: Keep-Alive
2024-04-24 05:24:13 UTC	777	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: Authorization, X-Requested-With, Content-Type, Accept, Origin, Content-Range, Content-Disposition, X-Prototype-Version, ASessionID, ApiKey, hasattachment, access-control-allow-origin, range Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD, DELETE Cache-Control: max-age=604800 Content-Security-Policy: frame-ancestors 'self' https://*.asite.com Date: Wed, 24 Apr 2024 05:24:13 GMT Last-Modified: Sun, 21 Apr 2024 05:00:13 GMT Server: Asite Web Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: sameorigin X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block Content-Length: 11921 Connection: close
2024-04-24 05:24:13 UTC	11921	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.16	49708	72.21.92.220	443	7132	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 05:24:13 UTC	133	OUT	GET /aMail_Installer/Application%20Files/aMail_2_0_0_3/aMail.dll.manifest HTTP/1.1 Host: system.asite.com Accept-Encoding: gzip
2024-04-24 05:24:14 UTC	812	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: Authorization, X-Requested-With, Content-Type, Accept, Origin, Content-Range, Content-Disposition, X-Prototype-Version, ASessionID, ApiKey, hasattachment, access-control-allow-origin, range Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD, DELETE Cache-Control: max-age=604800 Content-Security-Policy: frame-ancestors 'self' https://*.asite.com Content-Type: text/cache-manifest Date: Wed, 24 Apr 2024 05:24:14 GMT Last-Modified: Sun, 21 Apr 2024 05:00:13 GMT Server: Asite Web Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: sameorigin X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block Content-Length: 39021 Connection: close
2024-04-24 05:24:14 UTC	15567	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv
2024-04-24 05:24:14 UTC	16383	IN	Data Raw: 61 73 68 54 72 61 6e 73 66 6f 72 6d 73 2e 49 64 65 6e 74 69 74 79 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 73 69 67 3a 54 72 61 6e 73 66 6f 72 6d 73 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 73 69 67 3a 44 69 67 65 73 74 4d 65 74 68 6f 64 20 41 6c 67 6f 72 69 74 68 6d 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 73 68 61 32 35 36 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 73 69 67 3a 44 69 67 65 73 74 56 61 6c 75 65 3e 41 59 39 66 34 6f 67 4d 56 42 6e 4e 71 4e 4b 76 47 63 30 4b 6f 38 55 33 58 73 49 44 65 4c 68 55 2f 63 35 6a 6b 79 37 78 32 5a 63 3d 3c 2f 64 73 69 67 3a 44 69 67 65 73 74 56 61 6c 75 65 3e 0d 0a 20 20 20 20 20 20 3c 2f 68 61 73 68 3e 0d 0a 20 20 20 20 3c 2f 64 65 70 Data Ascii: ashTransforms.Identity" /> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" /> <dsig:DigestValue>AY9f4ogMVBnNqNKvGc0Ko8U3XsIDeLhU/c5jky7x2Zc=</dsig:DigestValue> </hash> </dep
2024-04-24 05:24:14 UTC	1	IN	Data Raw: 61 Data Ascii: a
2024-04-24 05:24:14 UTC	7070	IN	Data Raw: 74 75 72 65 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 22 3e 3c 53 69 67 6e 65 64 49 6e 66 6f 3e 3c 43 61 6e 6f 6e 69 63 61 6c 69 7a 61 74 69 6f 6e 4d 65 74 68 6f 64 20 41 6c 67 6f 72 69 74 68 6d 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 31 30 2f 78 6d 6c 2d 65 78 63 2d 63 31 34 6e 23 22 20 2f 3e 3c 53 69 67 6e 61 74 75 72 65 4d 65 74 68 6f 64 20 41 6c 67 6f 72 69 74 68 6d 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 72 73 61 2d 73 68 61 32 35 36 22 20 2f 3e 3c 52 65 66 65 72 65 6e 63 65 20 55 52 49 3d 22 22 3e 3c 54 72 61 6e 73 66 6f 72 6d 73 3e 3c 54 72 61 6e 73 66 6f 72 6d Data Ascii: ture" xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanoniuserzationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" /><Reference URI=""><Transforms><Transform

Target ID:	0
Start time:	07:24:08
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\aMail_Ver1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aMail_Ver1.exe"
Imagebase:	0xd0000
File size:	908'040 bytes
MD5 hash:	06B0347315D3AB5385A0479134EC22CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:24:10
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Wow64 process (32bit):	true
Commandline:	VSTOInstaller.exe /install https://system.asite.com/aMail_Installer/aMail.vsto
Imagebase:	0x1000000
File size:	86'040 bytes
MD5 hash:	42E23E8A343675A507C17815E0C4A164
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aMail_Ver1.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\WSML3T3I.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\aMail[1].vsto

C:\Users\user\AppData\Local\Temp\Deployment\135WTG68.YRB\HGGB98OY.93M.application

C:\Users\user\AppData\Local\Temp\Deployment\QDRG8X6X.MRC\9Q4O68KE.51L\aMail.dll.manifest

C:\Users\user\AppData\Local\Temp\VSDEC4.tmp\install.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
aMail_Ver1.exe