
Analysis Report summary.exe

Overview

General Information

Sample Name: summary.exe
Analysis ID: 289152
MD5: 4b21b233b4fb9b116477fb24cdd8e376
SHA1: 8e88400d1292aac8462b0413e039fd16a95112cd
SHA256: 2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains very large array initializations
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • summary.exe (PID: 3356 cmdline: 'C:\Users\user\Desktop\summary.exe' MD5: 4B21B233B4FB9B116477FB24CDD8E376)
    • InstallUtil.exe (PID: 6048 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • explorer.exe (PID: 3372 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 2388 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 5932 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\InstallUtil.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000009.00000002.462007234.00000000030E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.462007234.00000000030E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000009.00000002.462007234.00000000030E0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000007.00000002.383189507.0000000000F40000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.383189507.0000000000F40000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author
7.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.InstallUtil.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
7.2.InstallUtil.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
7.2.InstallUtil.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.InstallUtil.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
  • Source: summary.exe; Virustotal: Detection: 35%
  • Source: summary.exe; ReversingLabs: Detection: 18%
Yara detected FormBook
  • Source: Yara match; File source: 00000009.00000002.462007234.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000007.00000002.383189507.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000007.00000002.382886940.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000009.00000002.462882938.0000000003430000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000007.00000002.383511597.0000000001360000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000009.00000002.462763958.0000000003400000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000000.00000003.341618150.00000000074B1000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
  • Source: Yara match; File source: 7.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
  • Source: summary.exe; Joe Sandbox ML: detected
  • Source: 7.2.InstallUtil.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 76.223.26.96:80 -> 192.168.2.6:49707
  • Source: global traffic; HTTP traffic detected: GET /stats/eurofxref/eurofxref-daily.xml HTTP/1.1 Host: www.ecb.int Connection: Keep-Alive
  • Source: global traffic; HTTP traffic detected: GET /a43/?Cn=9BkdWH52cVJEQe0I8vuTqQEg+iL0PEokvRs78iax/Uk0zPrPZJHGe6NvZlEnl6vkvh3UV/7v0Q==&mvK8E=IltXBb4xcfw HTTP/1.1 Host: www.gonnabee.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
  • Source: Joe Sandbox View; IP Address: 185.5.82.138
  • Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
  • Source: C:\Windows\explorer.exe; Code function: 8_2_05889782 getaddrinfo,setsockopt,recv
  • Source: unknown; DNS traffic detected: queries for: www.ecb.int
  • Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 443
  • Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 443
  • Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49706
  • Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49705

E-Banking Fraud:

Yara detected FormBook (same Yara match sources as listed under AV Detection)

System Summary:

Malicious sample detected (through community Yara rule)
Source | Type | Matched rule | Author
00000009.00000002.462007234.00000000030E0000.00000040.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000009.00000002.462007234.00000000030E0000.00000040.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group
00000007.00000002.383189507.0000000000F40000.00000040.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000007.00000002.383189507.0000000000F40000.00000040.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group
00000007.00000002.382886940.0000000000400000.00000040.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000007.00000002.382886940.0000000000400000.00000040.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group
00000009.00000002.462882938.0000000003430000.00000004.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000009.00000002.462882938.0000000003430000.00000004.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group
00000007.00000002.383511597.0000000001360000.00000040.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000007.00000002.383511597.0000000001360000.00000040.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group
00000009.00000002.462763958.0000000003400000.00000040.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000009.00000002.462763958.0000000003400000.00000040.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group
00000000.00000003.341618150.00000000074B1000.00000004.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000000.00000003.341618150.00000000074B1000.00000004.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group
7.2.InstallUtil.exe.400000.0.unpack | UNPACKEDPE | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
7.2.InstallUtil.exe.400000.0.unpack | UNPACKEDPE | detect Formbook in memory | JPCERT/CC Incident Response Group
7.2.InstallUtil.exe.400000.0.raw.unpack | UNPACKEDPE | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
7.2.InstallUtil.exe.400000.0.raw.unpack | UNPACKEDPE | detect Formbook in memory | JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
  • Source: summary.exe, ??u005e14u002f????6u002cu00289????u002b3?2?u002du007b??5?8?/?u002f?6u002a4??8?u007d??u00251?u002c??2?u003f7??5?u005du003b??9??.cs; Large array initialization: ?@?9^1???)?6&?7?3*??[?0?: array initializer size 152576
  • Source: 0.0.summary.exe.f00000.0.unpack, ??u005e14u002f????6u002cu00289????u002b3?2?u002du007b??5?8?/?u002f?6u002a4??8?u007d??u00251?u002c??2?u003f7??5?u005du003b??9??.cs; Large array initialization: ?@?9^1???)?6&?7?3*??[?0?: array initializer size 152576
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code functions:
  • 7_2_00419D30 NtCreateFile
  • 7_2_00419DE0 NtReadFile
  • 7_2_00419E60 NtClose
  • 7_2_00419F10 NtAllocateVirtualMemory
  • 7_2_00419E5B NtClose
  • 7_2_00419F0A NtAllocateVirtualMemory
  • 7_2_01409540 NtReadFile,LdrInitializeThunk
  • 7_2_01409910 NtAdjustPrivilegesToken,LdrInitializeThunk
  • 7_2_014095D0 NtClose,LdrInitializeThunk
  • 7_2_014099A0 NtCreateSection,LdrInitializeThunk
  • 7_2_01409840 NtDelayExecution,LdrInitializeThunk
  • 7_2_01409860 NtQuerySystemInformation,LdrInitializeThunk
  • 7_2_014098F0 NtReadVirtualMemory,LdrInitializeThunk
  • 7_2_01409710 NtQueryInformationToken,LdrInitializeThunk
  • 7_2_01409780 NtMapViewOfSection,LdrInitializeThunk
  • 7_2_014097A0 NtUnmapViewOfSection,LdrInitializeThunk
  • 7_2_01409A50 NtCreateFile,LdrInitializeThunk
  • 7_2_01409660 NtAllocateVirtualMemory,LdrInitializeThunk
  • 7_2_01409A00 NtProtectVirtualMemory,LdrInitializeThunk
  • 7_2_01409A20 NtResumeThread,LdrInitializeThunk
  • 7_2_014096E0 NtFreeVirtualMemory,LdrInitializeThunk
  • 7_2_01409950 NtQueueApcThread
  • 7_2_01409560 NtWriteFile
  • 7_2_01409520 NtWaitForSingleObject
  • 7_2_0140AD30 NtSetContextThread
  • 7_2_014099D0 NtCreateProcessEx
  • 7_2_014095F0 NtQueryInformationFile
  • 7_2_0140B040 NtSuspendThread
Source: C:\Windows\SysWOW64\mstsc.exe; Code functions:
  • 9_2_050F9910 NtAdjustPrivilegesToken,LdrInitializeThunk
  • 9_2_050F9540 NtReadFile,LdrInitializeThunk
  • 9_2_050F99A0 NtCreateSection,LdrInitializeThunk
  • 9_2_050F95D0 NtClose,LdrInitializeThunk
  • 9_2_050F9840 NtDelayExecution,LdrInitializeThunk
  • 9_2_050F9860 NtQuerySystemInformation,LdrInitializeThunk
  • 9_2_050F9710 NtQueryInformationToken,LdrInitializeThunk
  • 9_2_050F9780 NtMapViewOfSection,LdrInitializeThunk
  • 9_2_050F9FE0 NtCreateMutant,LdrInitializeThunk
  • 9_2_050F9A50 NtCreateFile,LdrInitializeThunk
  • 9_2_050F9650 NtQueryValueKey,LdrInitializeThunk
  • 9_2_050F9660 NtAllocateVirtualMemory,LdrInitializeThunk
  • 9_2_050F96D0 NtCreateKey,LdrInitializeThunk
  • 9_2_050F96E0 NtFreeVirtualMemory,LdrInitializeThunk
  • 9_2_050F9520 NtWaitForSingleObject
  • 9_2_050FAD30 NtSetContextThread
  • 9_2_050F9950 NtQueueApcThread
  • 9_2_050F9560 NtWriteFile
  • 9_2_050F99D0 NtCreateProcessEx
  • 9_2_050F95F0 NtQueryInformationFile
  • 9_2_050F9820 NtEnumerateKey
  • 9_2_050FB040 NtSuspendThread
  • 9_2_050F98A0 NtWriteVirtualMemory
  • 9_2_050F98F0 NtReadVirtualMemory
  • 9_2_050F9B00 NtSetValueKey
  • 9_2_050FA710 NtOpenProcessToken
  • 9_2_050F9730 NtQueryVirtualMemory
  • 9_2_050F9760 NtOpenProcess
  • 9_2_050F9770 NtSetInformationFile
  • 9_2_050FA770 NtOpenThread
  • 9_2_050F97A0 NtUnmapViewOfSection
  • 9_2_050FA3B0 NtGetContextThread
  • 9_2_050F9A00 NtProtectVirtualMemory
  • 9_2_050F9A10 NtQuerySection
  • 9_2_050F9610 NtEnumerateValueKey
  • 9_2_050F9A20 NtResumeThread
  • 9_2_050F9670 NtQueryInformationProcess
  • 9_2_050F9A80 NtOpenDirectoryObject
  • 9_2_030F9F10 NtAllocateVirtualMemory
  • 9_2_030F9E60 NtClose
  • 9_2_030F9D30 NtCreateFile
  • 9_2_030F9DE0 NtReadFile
  • 9_2_030F9F0A NtAllocateVirtualMemory
  • 9_2_030F9E5B NtClose
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code functions: 7_2_00401030, 7_2_0041D83E, 7_2_0041E935, 7_2_0041DBCE, 7_2_00402D87, 7_2_00402D90, 7_2_00409E2B, 7_2_00409E30, 7_2_00402FB0, 7_2_009A20B0, 7_2_013C0D20, 7_2_01491D55, 7_2_013E4120, 7_2_013CF900, 7_2_013F2581, 7_2_013DD5E0
          Source: C:\Windows\explorer.exeCode function: 8_2_0588BB0E8_2_0588BB0E
          Source: C:\Windows\explorer.exeCode function: 8_2_05883B1F8_2_05883B1F
          Source: C:\Windows\explorer.exeCode function: 8_2_05883B228_2_05883B22
          Source: C:\Windows\explorer.exeCode function: 8_2_058861328_2_05886132
          Source: C:\Windows\explorer.exeCode function: 8_2_05880CEC8_2_05880CEC
          Source: C:\Windows\explorer.exeCode function: 8_2_05880CF28_2_05880CF2
          Source: C:\Windows\explorer.exeCode function: 8_2_05888A328_2_05888A32
          Source: C:\Windows\explorer.exeCode function: 8_2_0588BA6F8_2_0588BA6F
          Source: C:\Windows\explorer.exeCode function: 8_2_058878628_2_05887862
          Source: C:\Windows\explorer.exeCode function: 8_2_0587F0698_2_0587F069
          Source: C:\Windows\explorer.exeCode function: 8_2_0587F0728_2_0587F072
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050BF9009_2_050BF900
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050B0D209_2_050B0D20
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050D41209_2_050D4120
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_05181D559_2_05181D55
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E25819_2_050E2581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050CD5E09_2_050CD5E0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C841F9_2_050C841F
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_051710029_2_05171002
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050CB0909_2_050CB090
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050EEBB09_2_050EEBB0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050D6E309_2_050D6E30
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_030E2FB09_2_030E2FB0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_030E9E2B9_2_030E9E2B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_030E9E309_2_030E9E30
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_030E2D879_2_030E2D87
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_030E2D909_2_030E2D90
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 050BB150 appears 32 times
Matched Yara rules (both rules hit every region listed below):
  Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
  Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.462007234.00000000030E0000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000007.00000002.383189507.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000007.00000002.382886940.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000009.00000002.462882938.0000000003430000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000007.00000002.383511597.0000000001360000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000009.00000002.462763958.0000000003400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000000.00000003.341618150.00000000074B1000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 7.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@7/3
Source: C:\Users\user\Desktop\summary.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\summary.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_01
Source: C:\Users\user\Desktop\summary.exe | File created: C:\Users\user\AppData\Local\Temp\b1f92ac9-345d-4ee6-83d6-512dab76f3b9
Source: summary.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\summary.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\summary.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\summary.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: summary.exe | Virustotal: Detection: 35%
Source: summary.exe | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Users\user\Desktop\summary.exe 'C:\Users\user\Desktop\summary.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: unknown | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\InstallUtil.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\summary.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\InstallUtil.exe'
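The process list above is the whole FormBook chain in this run: summary.exe drops a copy of InstallUtil.exe into the user's Temp directory and runs it, mstsc.exe (the WoW64 copy of the RDP client, parent not listed by the report) starts later, and mstsc.exe spawns cmd.exe /c del to remove the dropped InstallUtil.exe once the payload has moved on. The C program below is an added example, not code from the report, the sandbox or the sample: it walks a constructed event list built from these seven lines (PIDs and the parent of mstsc.exe are invented) and flags the two things worth alerting on, an executable staged under AppData\Local\Temp and a cmd /c del whose target is the image of a process that already ran.

```c
/* Added example: detection logic over constructed process-creation events.
 * The events mirror the report's "Process created" lines; PIDs are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int pid, ppid;        /* ppid 0 = parent not recorded */
    const char *image;    /* full path of the new process */
    const char *cmdline;  /* arguments as logged */
} proc_event;

static const proc_event EVENTS[] = {
    {100,   1, "C:\\Users\\user\\Desktop\\summary.exe",
               "'C:\\Users\\user\\Desktop\\summary.exe'"},
    {200, 100, "C:\\Users\\user\\AppData\\Local\\Temp\\InstallUtil.exe",
               "C:\\Users\\user\\AppData\\Local\\Temp\\InstallUtil.exe"},
    {300,   0, "C:\\Windows\\SysWOW64\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe"},
    {400, 300, "C:\\Windows\\SysWOW64\\cmd.exe",
               "/c del 'C:\\Users\\user\\AppData\\Local\\Temp\\InstallUtil.exe'"},
    {500, 400, "C:\\Windows\\System32\\conhost.exe",
               "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
};
#define N_EVENTS (sizeof EVENTS / sizeof EVENTS[0])

/* Windows paths are case-insensitive; the log itself mixes System32/system32. */
static int ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static const char *ci_find(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return hay;
    }
    return NULL;
}

static const char *basename_of(const char *path) {
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

/* Executables staged in the user's Temp directory, where the loader dropped InstallUtil.exe. */
int runs_from_user_temp(const char *image) {
    return ci_find(image, "\\AppData\\Local\\Temp\\") != NULL;
}

/* Pull the path out of "/c del 'X'", "/c del \"X\"" or "/c del X".
 * Returns 0 when the command line is not a del command or the path does not fit. */
int extract_del_target(const char *cmdline, char *out, size_t outn) {
    const char *p = ci_find(cmdline, "/c del ");
    if (!p) return 0;
    p += strlen("/c del ");
    char quote = (*p == '\'' || *p == '"') ? *p : 0;
    if (quote) p++;
    size_t len = 0;
    while (p[len] && p[len] != (quote ? quote : ' ')) len++;
    if (len == 0 || len >= outn) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

int del_target_is(const char *cmdline, const char *expected) {
    char buf[512];
    return extract_del_target(cmdline, buf, sizeof buf) && ci_equal(buf, expected);
}

/* Index of the event whose image a later "cmd /c del" removes, or -1.
 * This is the cleanup step in the report: mstsc.exe -> cmd.exe /c del <Temp>\InstallUtil.exe. */
int find_deleted_payload(const proc_event *ev, size_t n) {
    char target[512];
    for (size_t i = 0; i < n; i++) {
        if (!ci_equal(basename_of(ev[i].image), "cmd.exe")) continue;
        if (!extract_del_target(ev[i].cmdline, target, sizeof target)) continue;
        for (size_t j = 0; j < i; j++)
            if (ci_equal(ev[j].image, target)) return (int)j;
    }
    return -1;
}

int main(void) {
    int idx = find_deleted_payload(EVENTS, N_EVENTS);
    if (idx >= 0)
        printf("ALERT: %s (pid %d) deleted via cmd.exe after it ran%s\n",
               EVENTS[idx].image, EVENTS[idx].pid,
               runs_from_user_temp(EVENTS[idx].image) ? " from user Temp" : "");
    for (size_t i = 0; i < N_EVENTS; i++)
        if (runs_from_user_temp(EVENTS[i].image))
            printf("note: executable staged in user Temp: %s\n", EVENTS[i].image);
    return 0;
}
```

The deletion check deliberately matches against every earlier image rather than only the parent chain: here the parent of mstsc.exe is not recorded, and in real telemetry the process that injected into explorer.exe is not the parent of anything it later spawns, so an ancestry-only rule would miss the step.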
Source: C:\Users\user\Desktop\summary.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: summary.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: summary.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.369615735.000000000D940000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 00000007.00000002.383535589.00000000013A0000.00000040.00000001.sdmp, mstsc.exe, 00000009.00000002.463483048.0000000005090000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: InstallUtil.exe, mstsc.exe
          Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000007.00000000.341180049.00000000009A2000.00000002.00020000.sdmp, mstsc.exe, 00000009.00000002.463039003.00000000034D4000.00000004.00000020.sdmp, InstallUtil.exe.0.dr
          Source: Binary string: mstsc.pdbGCTL source: InstallUtil.exe, 00000007.00000002.384380684.0000000003040000.00000040.00000001.sdmp
          Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, mstsc.exe, 00000009.00000002.463039003.00000000034D4000.00000004.00000020.sdmp, InstallUtil.exe.0.dr
          Source: Binary string: mstsc.pdb source: InstallUtil.exe, 00000007.00000002.384380684.0000000003040000.00000040.00000001.sdmp
          Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: i.dll.0.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.369615735.000000000D940000.00000002.00000001.sdmp
Source: i.dll.0.dr | Static PE information: section name: .didat
Source: i.dll.0.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_0041339C push edx; iretd 7_2_0041339E
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_0041CED2 push eax; ret 7_2_0041CED8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_0041CEDB push eax; ret 7_2_0041CF42
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_0041CE85 push eax; ret 7_2_0041CED8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_0041CF3C push eax; ret 7_2_0041CF42
Source: C:\Windows\explorer.exe | Code function: 8_2_0588C3E6 pushad ; ret 8_2_0588C3E7
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 9_2_0510D0D1 push ecx; ret 9_2_0510D0E4
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 9_2_030F339C push edx; iretd 9_2_030F339E
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 9_2_030FCF3C push eax; ret 9_2_030FCF42
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 9_2_030FCE85 push eax; ret 9_2_030FCED8
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 9_2_030FCEDB push eax; ret 9_2_030FCF42
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 9_2_030FCED2 push eax; ret 9_2_030FCED8
Source: initial sample | Static PE information: section name: .text entropy: 7.37790472026
Source: C:\Users\user\Desktop\summary.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe (dropped file)
Source: C:\Users\user\Desktop\summary.exe | File created: C:\Users\user\AppData\Local\Temp\b1f92ac9-345d-4ee6-83d6-512dab76f3b9\i.dll (dropped file)

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE1
Source: C:\Users\user\Desktop\summary.exe | Process information set: NOOPENFILEERRORBOX (60 occurrences)
Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\summary.exe | RDTSC instruction interceptor: First address: 0000000070881D36 second address: 0000000070882A87 instructions:
    0x00000000 rdtsc
    0x00000002 mov dword ptr [ebp-10h], eax
    0x00000005 mov dword ptr [ebp-0Ch], edx
    0x00000008 mov eax, dword ptr [ebp-10h]
    0x0000000b sub eax, dword ptr [ebp-08h]
    0x0000000e mov edx, dword ptr [ebp-0Ch]
    0x00000011 sbb edx, dword ptr [ebp-04h]
    0x00000014 pop edi
    0x00000015 pop esi
    0x00000016 pop ebx
    0x00000017 mov esp, ebp
    0x00000019 pop ebp
    0x0000001a ret
    0x0000001b mov dword ptr [708953C0h], eax
    0x00000020 mov dword ptr [708953C4h], edx
    0x00000026 mov dword ptr [ebp-0Ch], 00000000h
    0x0000002d jmp 00007F9DD43A52FBh
    0x0000002f mov eax, dword ptr [ebp-0Ch]
    0x00000032 cmp eax, dword ptr [ebp+08h]
    0x00000035 jnl 00007F9DD43A5336h
    0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 00000000030E98E4 second address: 00000000030E98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 00000000030E9B4E second address: 00000000030E9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_00409A80 rdtsc
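The traces above show the probe itself: in summary.exe two rdtsc reads with a 64-bit subtraction between them (sub eax / sbb edx), repeated in a counted loop (cmp eax, [ebp+08h] / jnl), and in the unpacked InstallUtil.exe and mstsc.exe code a tighter rdtsc / xor ecx, ecx / add ecx, eax / rdtsc pair. A hypervisor that traps or single-steps RDTSC, or a sandbox hooking it as the "RDTSC instruction interceptor" here does, inflates that delta. The C program below is an added example, not code from the sample or from Joe Sandbox: it reimplements the timing check in portable C so the reader can see what the interceptor is reacting to. The threshold, the probe count and the non-x86 fallback clock are assumptions; the sample's own threshold is not recoverable from the report.

```c
/* Added example: the rdtsc-delta probe seen in the report, in portable C.
 * Threshold and probe count are assumptions, not values from the sample. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* The real thing: read the time-stamp counter, as the sample's rdtsc does. */
static uint64_t tick(void) { return __rdtsc(); }
#else
/* Non-x86 build (assumed fallback): a monotonic nanosecond clock so the probe
 * still runs; the decision logic is identical, only the unit changes. */
static uint64_t tick(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* One probe: two back-to-back reads, the "rdtsc ... rdtsc" pair in the
 * InstallUtil.exe / mstsc.exe trace. On bare metal the 64-bit delta is a few
 * dozen cycles; when RDTSC is trapped, hooked or single-stepped it is far larger. */
uint64_t probe_delta(void) {
    uint64_t t0 = tick();
    uint64_t t1 = tick();
    return t1 - t0;
}

/* The summary.exe trace runs its probe in a loop bounded by [ebp+08h]; keeping
 * the minimum over n probes rejects interrupt and scheduler noise.
 * n == 0 yields UINT64_MAX (no sample). */
uint64_t min_delta(unsigned n) {
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < n; i++) {
        uint64_t d = probe_delta();
        if (d < best) best = d;
    }
    return best;
}

/* Decision rule: 1 = looks instrumented or virtualised, 0 = looks native. */
int classify_delta(uint64_t delta, uint64_t threshold) {
    return delta > threshold ? 1 : 0;
}

int main(void) {
    const uint64_t threshold = 1000; /* assumption; tune per CPU before relying on it */
    uint64_t d = min_delta(1000);
    printf("min rdtsc delta over 1000 probes: %llu -> %s\n",
           (unsigned long long)d,
           classify_delta(d, threshold) ? "suspicious" : "native");
    return 0;
}
```

Run it once on a known-good workstation and once in the analysis VM; the gap between the two minima is the margin a sandbox has to hide, which is why interceptors that patch RDTSC also have to return plausible, monotonically increasing values rather than just trapping the instruction.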
Source: C:\Users\user\Desktop\summary.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\summary.exe | Window / User API: threadDelayed 537
Source: C:\Users\user\Desktop\summary.exe TID: 5544 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\summary.exe TID: 3564 | Thread sleep count: 238 > 30
Source: C:\Users\user\Desktop\summary.exe TID: 4336 | Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\summary.exe TID: 4336 | Thread sleep count: 537 > 30
Source: C:\Users\user\Desktop\summary.exe TID: 4716 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\summary.exe TID: 5912 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: explorer.exe, 00000008.00000000.367651946.0000000008120000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000008.00000000.365951297.0000000007DB7000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.366266830.0000000007E68000.00000004.00000001.sdmp | Binary or memory string: NECVMWarer
Source: explorer.exe, 00000008.00000000.366266830.0000000007E68000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000008.00000000.360829542.0000000004390000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.360910944.00000000043B5000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5
Source: explorer.exe, 00000008.00000000.366428559.0000000007EC8000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000G
Source: explorer.exe, 00000008.00000000.366053249.0000000007DF5000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000*7k)6
Source: explorer.exe, 00000008.00000000.367651946.0000000008120000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000008.00000000.367651946.0000000008120000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000008.00000000.366053249.0000000007DF5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000008.00000000.367651946.0000000008120000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\summary.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_00409A80 rdtsc
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_0040ACC0 LdrLoadDll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_01403D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_013F4D3B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_01443540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_013F513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_013D3D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_013CAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_013E4120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_013E4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_013C9100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 7_2_013EC577 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013CB171 mov eax, dword ptr fs:[00000030h]7_2_013CB171
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013CB171 mov eax, dword ptr fs:[00000030h]7_2_013CB171
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013CC962 mov eax, dword ptr fs:[00000030h]7_2_013CC962
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013E7D50 mov eax, dword ptr fs:[00000030h]7_2_013E7D50
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_0144A537 mov eax, dword ptr fs:[00000030h]7_2_0144A537
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013EB944 mov eax, dword ptr fs:[00000030h]7_2_013EB944
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013EB944 mov eax, dword ptr fs:[00000030h]7_2_013EB944
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_01498D34 mov eax, dword ptr fs:[00000030h]7_2_01498D34
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F1DB5 mov eax, dword ptr fs:[00000030h]7_2_013F1DB5
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F1DB5 mov eax, dword ptr fs:[00000030h]7_2_013F1DB5
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F1DB5 mov eax, dword ptr fs:[00000030h]7_2_013F1DB5
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F35A1 mov eax, dword ptr fs:[00000030h]7_2_013F35A1
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F61A0 mov eax, dword ptr fs:[00000030h]7_2_013F61A0
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F61A0 mov eax, dword ptr fs:[00000030h]7_2_013F61A0
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013FFD9B mov eax, dword ptr fs:[00000030h]7_2_013FFD9B
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013FFD9B mov eax, dword ptr fs:[00000030h]7_2_013FFD9B
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_014541E8 mov eax, dword ptr fs:[00000030h]7_2_014541E8
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F2990 mov eax, dword ptr fs:[00000030h]7_2_013F2990
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_01478DF1 mov eax, dword ptr fs:[00000030h]7_2_01478DF1
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013C2D8A mov eax, dword ptr fs:[00000030h]7_2_013C2D8A
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013C2D8A mov eax, dword ptr fs:[00000030h]7_2_013C2D8A
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013C2D8A mov eax, dword ptr fs:[00000030h]7_2_013C2D8A
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013C2D8A mov eax, dword ptr fs:[00000030h]7_2_013C2D8A
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013C2D8A mov eax, dword ptr fs:[00000030h]7_2_013C2D8A
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013FA185 mov eax, dword ptr fs:[00000030h]7_2_013FA185
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013EC182 mov eax, dword ptr fs:[00000030h]7_2_013EC182
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F2581 mov eax, dword ptr fs:[00000030h]7_2_013F2581
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F2581 mov eax, dword ptr fs:[00000030h]7_2_013F2581
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F2581 mov eax, dword ptr fs:[00000030h]7_2_013F2581
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F2581 mov eax, dword ptr fs:[00000030h]7_2_013F2581
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013CB1E1 mov eax, dword ptr fs:[00000030h]7_2_013CB1E1
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013CB1E1 mov eax, dword ptr fs:[00000030h]7_2_013CB1E1
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013CB1E1 mov eax, dword ptr fs:[00000030h]7_2_013CB1E1
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013DD5E0 mov eax, dword ptr fs:[00000030h]7_2_013DD5E0
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013DD5E0 mov eax, dword ptr fs:[00000030h]7_2_013DD5E0
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_014469A6 mov eax, dword ptr fs:[00000030h]7_2_014469A6
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_014451BE mov eax, dword ptr fs:[00000030h]7_2_014451BE
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_014451BE mov eax, dword ptr fs:[00000030h]7_2_014451BE
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_014451BE mov eax, dword ptr fs:[00000030h]7_2_014451BE
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_014451BE mov eax, dword ptr fs:[00000030h]7_2_014451BE
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F002D mov eax, dword ptr fs:[00000030h]7_2_013F002D
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F002D mov eax, dword ptr fs:[00000030h]7_2_013F002D
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F002D mov eax, dword ptr fs:[00000030h]7_2_013F002D
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F002D mov eax, dword ptr fs:[00000030h]7_2_013F002D
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013F002D mov eax, dword ptr fs:[00000030h]7_2_013F002D
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013FBC2C mov eax, dword ptr fs:[00000030h]7_2_013FBC2C
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_0145C450 mov eax, dword ptr fs:[00000030h]7_2_0145C450
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_0145C450 mov eax, dword ptr fs:[00000030h]7_2_0145C450
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013DB02A mov eax, dword ptr fs:[00000030h]7_2_013DB02A
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013DB02A mov eax, dword ptr fs:[00000030h]7_2_013DB02A
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013DB02A mov eax, dword ptr fs:[00000030h]7_2_013DB02A
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 7_2_013DB02A mov eax, dword ptr fs:[00000030h]7_2_013DB02A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050B9100 mov eax, dword ptr fs:[00000030h]9_2_050B9100
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050B9100 mov eax, dword ptr fs:[00000030h]9_2_050B9100
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050B9100 mov eax, dword ptr fs:[00000030h]9_2_050B9100
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_0513A537 mov eax, dword ptr fs:[00000030h]9_2_0513A537
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_05188D34 mov eax, dword ptr fs:[00000030h]9_2_05188D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050D4120 mov eax, dword ptr fs:[00000030h]9_2_050D4120
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050D4120 mov eax, dword ptr fs:[00000030h]9_2_050D4120
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050D4120 mov eax, dword ptr fs:[00000030h]9_2_050D4120
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050D4120 mov eax, dword ptr fs:[00000030h]9_2_050D4120
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050D4120 mov ecx, dword ptr fs:[00000030h]9_2_050D4120
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E513A mov eax, dword ptr fs:[00000030h]9_2_050E513A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E513A mov eax, dword ptr fs:[00000030h]9_2_050E513A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E4D3B mov eax, dword ptr fs:[00000030h]9_2_050E4D3B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E4D3B mov eax, dword ptr fs:[00000030h]9_2_050E4D3B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E4D3B mov eax, dword ptr fs:[00000030h]9_2_050E4D3B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050C3D34 mov eax, dword ptr fs:[00000030h]9_2_050C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050BAD30 mov eax, dword ptr fs:[00000030h]9_2_050BAD30
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050DB944 mov eax, dword ptr fs:[00000030h]9_2_050DB944
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050DB944 mov eax, dword ptr fs:[00000030h]9_2_050DB944
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050F3D43 mov eax, dword ptr fs:[00000030h]9_2_050F3D43
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_05133540 mov eax, dword ptr fs:[00000030h]9_2_05133540
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050D7D50 mov eax, dword ptr fs:[00000030h]9_2_050D7D50
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050BC962 mov eax, dword ptr fs:[00000030h]9_2_050BC962
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050BB171 mov eax, dword ptr fs:[00000030h]9_2_050BB171
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050BB171 mov eax, dword ptr fs:[00000030h]9_2_050BB171
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050DC577 mov eax, dword ptr fs:[00000030h]9_2_050DC577
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050DC577 mov eax, dword ptr fs:[00000030h]9_2_050DC577
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050B2D8A mov eax, dword ptr fs:[00000030h]9_2_050B2D8A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050B2D8A mov eax, dword ptr fs:[00000030h]9_2_050B2D8A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050B2D8A mov eax, dword ptr fs:[00000030h]9_2_050B2D8A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050B2D8A mov eax, dword ptr fs:[00000030h]9_2_050B2D8A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050B2D8A mov eax, dword ptr fs:[00000030h]9_2_050B2D8A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050EA185 mov eax, dword ptr fs:[00000030h]9_2_050EA185
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050DC182 mov eax, dword ptr fs:[00000030h]9_2_050DC182
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E2581 mov eax, dword ptr fs:[00000030h]9_2_050E2581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E2581 mov eax, dword ptr fs:[00000030h]9_2_050E2581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E2581 mov eax, dword ptr fs:[00000030h]9_2_050E2581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E2581 mov eax, dword ptr fs:[00000030h]9_2_050E2581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050EFD9B mov eax, dword ptr fs:[00000030h]9_2_050EFD9B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050EFD9B mov eax, dword ptr fs:[00000030h]9_2_050EFD9B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E2990 mov eax, dword ptr fs:[00000030h]9_2_050E2990
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_051351BE mov eax, dword ptr fs:[00000030h]9_2_051351BE
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_051351BE mov eax, dword ptr fs:[00000030h]9_2_051351BE
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_051351BE mov eax, dword ptr fs:[00000030h]9_2_051351BE
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_051351BE mov eax, dword ptr fs:[00000030h]9_2_051351BE
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E61A0 mov eax, dword ptr fs:[00000030h]9_2_050E61A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E61A0 mov eax, dword ptr fs:[00000030h]9_2_050E61A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E35A1 mov eax, dword ptr fs:[00000030h]9_2_050E35A1
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_051369A6 mov eax, dword ptr fs:[00000030h]9_2_051369A6
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E1DB5 mov eax, dword ptr fs:[00000030h]9_2_050E1DB5
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 9_2_050E1DB5 mov eax, dword
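Every row above is one `mov reg, dword ptr fs:[30h]` instruction: on 32-bit Windows (and in a WOW64 process) fs addresses the TEB, and offset 0x30 of the TEB holds the pointer to the PEB. Reading it is how unpacked stealer code checks PEB.BeingDebugged without calling IsDebuggerPresent and how it walks PEB.Ldr to resolve API addresses with no import table. Note that the InstallUtil.exe (pid 7) and mstsc.exe (pid 9) function addresses differ by a constant 0x03CF0000 (013F4D3B vs 050E4D3B, 013D3D34 vs 050C3D34, 0144A537 vs 0513A537), so the rows describe one payload image mapped into both processes rather than two different code bases. The following scanner is an added example, not Joe Sandbox's signature implementation, which this page does not publish; it reproduces the heuristic by searching raw code bytes for the encodings of the fs:[30h] reads (and the 64-bit gs:[60h] equivalent) and reporting them in the report's row style. The input bytes are a constructed anti-debug stub, not bytes taken from summary.exe.

```python
"""Scan raw x86/x64 code bytes for reads of the PEB pointer out of the TEB.

Added example (not Joe Sandbox's own code). It mirrors the heuristic behind
"Contains functionality to read the PEB": fs:[0x30] holds
TEB.ProcessEnvironmentBlock on x86, gs:[0x60] holds it on x64.
"""
import struct

PEB_OFFSET_32 = 0x30  # TEB.ProcessEnvironmentBlock, fs-relative (x86)
PEB_OFFSET_64 = 0x60  # TEB.ProcessEnvironmentBlock, gs-relative (x64)

# ModRM reg-field values 0..7 for the general-purpose registers.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def find_peb_reads(code: bytes, base: int = 0) -> list[tuple[int, str]]:
    """Return (address, mnemonic) for every PEB-pointer read found in code.

    Recognised encodings:
      64 A1 <disp32>                mov eax, dword ptr fs:[disp32]  (moffs form)
      64 8B <modrm> <disp32>        mov r32, dword ptr fs:[disp32]  (mod=00, rm=101)
      65 48 8B <modrm> 25 <disp32>  mov r64, qword ptr gs:[disp32]  (SIB, no base/index)
    base is added to the byte offset so addresses read like the report's
    per-process function addresses.
    """
    hits = []
    n = len(code)
    i = 0
    while i < n:
        b = code[i]
        # fs-prefixed moffs form: only eax can be the destination.
        if b == 0x64 and i + 6 <= n and code[i + 1] == 0xA1:
            disp = struct.unpack_from("<I", code, i + 2)[0]
            if disp == PEB_OFFSET_32:
                hits.append((base + i, "mov eax, dword ptr fs:[%08Xh]" % disp))
                i += 6
                continue
        # fs-prefixed modrm form: any 32-bit register as destination.
        if b == 0x64 and i + 7 <= n and code[i + 1] == 0x8B:
            modrm = code[i + 2]
            if modrm & 0xC7 == 0x05:  # mod=00, rm=101 -> [disp32]
                disp = struct.unpack_from("<I", code, i + 3)[0]
                if disp == PEB_OFFSET_32:
                    reg = REG32[(modrm >> 3) & 7]
                    hits.append((base + i, "mov %s, dword ptr fs:[%08Xh]" % (reg, disp)))
                    i += 7
                    continue
        # gs-prefixed 64-bit form with REX.W and a base-less SIB.
        if b == 0x65 and i + 9 <= n and code[i + 1] == 0x48 and code[i + 2] == 0x8B:
            modrm, sib = code[i + 3], code[i + 4]
            if modrm & 0xC7 == 0x04 and sib == 0x25:  # [disp32] via SIB
                disp = struct.unpack_from("<I", code, i + 5)[0]
                if disp == PEB_OFFSET_64:
                    reg = REG64[(modrm >> 3) & 7]
                    hits.append((base + i, "mov %s, qword ptr gs:[%08Xh]" % (reg, disp)))
                    i += 9
                    continue
        i += 1
    return hits


def report_rows(source: str, code: bytes, base: int) -> list[str]:
    """Render hits in the same style as the sandbox report rows."""
    return ["Source: %s | Code function: %08X %s" % (source, addr, text)
            for addr, text in find_peb_reads(code, base)]


# Constructed sample (not from summary.exe): a 32-bit BeingDebugged check,
# the start of a PEB.Ldr walk, and a decoy TEB self-pointer read.
SAMPLE_X86 = bytes([
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,        # mov eax, fs:[30h]        ; PEB
    0x0F, 0xB6, 0x40, 0x02,                    # movzx eax, byte [eax+2]  ; PEB.BeingDebugged
    0x85, 0xC0,                                # test eax, eax
    0x75, 0x10,                                # jnz short -> ret
    0x64, 0x8B, 0x0D, 0x30, 0x00, 0x00, 0x00,  # mov ecx, fs:[30h]        ; PEB
    0x8B, 0x49, 0x0C,                          # mov ecx, [ecx+0Ch]       ; PEB.Ldr
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00,        # mov eax, fs:[18h]        ; TEB self, not a PEB read
    0xC3,                                      # ret
])
# Constructed 64-bit equivalent of the first two instructions.
SAMPLE_X64 = bytes([
    0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00,  # mov rax, gs:[60h] ; PEB
    0x0F, 0xB6, 0x40, 0x02,                                # movzx eax, byte [rax+2]
    0xC3,                                                  # ret
])

if __name__ == "__main__":
    for row in report_rows("constructed_x86.bin", SAMPLE_X86, 0x00401000):
        print(row)
    for row in report_rows("constructed_x64.bin", SAMPLE_X64, 0x140001000):
        print(row)
```

Treat this as a triage heuristic, not a verdict: scanning raw bytes can match inside data or across instruction boundaries (the sandbox avoids that by attributing each hit to a disassembled function), and it misses indirect forms such as loading the TEB self-pointer from fs:[18h] and dereferencing +0x30 afterwards, or obtaining the PEB through NtQueryInformationProcess. Many benign runtimes also read fs:[30h], so the signal in this report comes from where the reads occur: inside code that was mapped into a suspended, hollowed mstsc.exe.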