Analysis Report Money gram.exe

Overview

General Information

Sample Name: Money gram.exe
Analysis ID: 299747
MD5: b0cff698d1fd64ef9a159e2dbea1abaf
SHA1: 44645a78e2dbe6dbd0e23c60204cb28dc4c4136b
SHA256: 3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
Tags: AgentTesla, exe, FRA, geo, Outlook

Detection

AgentTesla
Score: 99
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Money gram.exe (PID: 408 cmdline: 'C:\Users\user\Desktop\Money gram.exe' MD5: B0CFF698D1FD64EF9A159E2DBEA1ABAF)
    • cmd.exe (PID: 4712 cmdline: 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\Money gram.exe' 'C:\Users\user\AppData\Roaming\application.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4800 cmdline: 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Roaming\application.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • application.exe (PID: 4832 cmdline: C:\Users\user\AppData\Roaming\application.exe MD5: B0CFF698D1FD64EF9A159E2DBEA1ABAF)
        • cmd.exe (PID: 1724 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'applicat' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\application.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 3900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 2404 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'applicat' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\application.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • InstallUtil.exe (PID: 5476 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • application.exe (PID: 5816 cmdline: 'C:\Users\user\AppData\Roaming\application.exe' MD5: B0CFF698D1FD64EF9A159E2DBEA1ABAF)
    • InstallUtil.exe (PID: 4280 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • ljYBX.exe (PID: 5780 cmdline: 'C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 4664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • application.exe (PID: 4532 cmdline: 'C:\Users\user\AppData\Roaming\application.exe' MD5: B0CFF698D1FD64EF9A159E2DBEA1ABAF)
    • InstallUtil.exe (PID: 5944 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • ljYBX.exe (PID: 2924 cmdline: 'C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 1904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "KFCcb2t", "URL: ": "https://sEtTHYPtXbx3I.org", "To: ": "bonjoursx@gmail.com", "ByHost: ": "smtp.gmail.com:587", "Password: ": "kLMr0j4xKC8DT9T", "From: ": "bonjoursx@gmail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.432305522.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000013.00000002.603487260.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.346261022.0000000004922000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000C.00000002.393986646.0000000004C52000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000012.00000002.429480341.0000000004A44000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 21 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
19.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
13.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: InstallUtil.exe.4280.13.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "KFCcb2t", "URL: ": "https://sEtTHYPtXbx3I.org", "To: ": "bonjoursx@gmail.com", "ByHost: ": "smtp.gmail.com:587", "Password: ": "kLMr0j4xKC8DT9T", "From: ": "bonjoursx@gmail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\application.exe | ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Money gram.exe | ReversingLabs: Detection: 10%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\application.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Money gram.exe | Joe Sandbox ML: detected
Source: 9.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen7
Source: 19.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen7
Source: 13.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_06186D10 CryptUnprotectData | 9_2_06186D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_061874B9 CryptUnprotectData | 9_2_061874B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_06526D00 CryptUnprotectData | 13_2_06526D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_065274B1 CryptUnprotectData | 13_2_065274B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_0652755F CryptUnprotectData | 13_2_0652755F
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_0147E7C8
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_0147E7C8
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_0147EAE8
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_0147EAE8
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_0147DD1C
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_0147E2E4
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 0_2_01478473
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_0147E7BC
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_0147E7BC
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then xor edx, edx | 0_2_0147EA14
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then xor edx, edx | 0_2_0147EA20
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_0147EADD
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_0147EADD
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then mov ecx, dword ptr [03E6E69Ch] | 0_2_01477120
Source: C:\Users\user\Desktop\Money gram.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 0_2_01477120
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 5_2_018FE7C8
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 5_2_018FE7C8
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 5_2_018FEAE8
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 5_2_018FEAE8
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 5_2_018FDD1C
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 5_2_018FE2E4
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 5_2_018FE7BC
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 5_2_018FE7BC
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 5_2_018FEADD
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 5_2_018FEADD
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then xor edx, edx | 5_2_018FEA14
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then xor edx, edx | 5_2_018FEA20
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov ecx, dword ptr [042FE69Ch] | 5_2_018F7120
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 5_2_018F7120
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 12_2_02F7E7C8
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 12_2_02F7E7C8
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 12_2_02F7EAE8
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 12_2_02F7EAE8
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 12_2_02F7DD1C
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 12_2_02F7E2E4
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 12_2_02F782DB
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 12_2_02F7E7BC
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 12_2_02F7E7BC
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 12_2_02F7EADD
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 12_2_02F7EADD
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then xor edx, edx | 12_2_02F7EA20
Source: C:\Users\user\AppData\Roaming\application.exe | Code function: 4x nop then xor edx, edx | 12_2_02F7EA14
Source: global traffic | TCP traffic: 192.168.2.6:49709 -> 173.194.69.109:587
Source: global traffic | TCP traffic: 192.168.2.6:49711 -> 173.194.69.108:587
Source: InstallUtil.exe, 00000013.00000002.606088436.0000000002BCA000.00000004.00000001.sdmp | String found in binary or memory: (large JSON string omitted)
Source: unknown | DNS traffic detected: queries for: smtp.gmail.com
Source: InstallUtil.exe, 00000009.00000002.407249319.0000000006018000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.444688540.00000000061F0000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.610619538.0000000005EFA000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: InstallUtil.exe, 00000013.00000002.610673121.0000000005F70000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micro
Source: InstallUtil.exe, 00000009.00000002.400188975.0000000000D40000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.
Source: InstallUtil.exe, 00000009.00000002.407249319.0000000006018000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.439375471.0000000002E1B000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.608373661.0000000002E4E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: InstallUtil.exe, 00000009.00000002.407249319.0000000006018000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.438908293.0000000002DA4000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.605140264.0000000000C5F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: InstallUtil.exe, 00000009.00000002.402518858.0000000002AE8000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.437368708.0000000002B94000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.606088436.0000000002BCA000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: InstallUtil.exe, 00000009.00000002.402518858.0000000002AE8000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.437368708.0000000002B94000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.606088436.0000000002BCA000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: InstallUtil.exe, 00000009.00000002.407249319.0000000006018000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.438908293.0000000002DA4000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.605140264.0000000000C5F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: InstallUtil.exe, 00000009.00000002.407249319.0000000006018000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.439375471.0000000002E1B000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.608373661.0000000002E4E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: InstallUtil.exe, 00000009.00000002.407249319.0000000006018000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.439375471.0000000002E1B000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.608373661.0000000002E4E000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: InstallUtil.exe, 00000009.00000002.403415613.0000000002CFC000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.438908293.0000000002DA4000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.607552891.0000000002DCE000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.gmail.com
Source: InstallUtil.exe, 00000009.00000002.407249319.0000000006018000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.438908293.0000000002DA4000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.605140264.0000000000C5F000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: InstallUtil.exe, 00000013.00000002.606501710.0000000002CD8000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.607749463.0000000002DF7000.00000004.00000001.sdmp | String found in binary or memory: https://sEtTHYPtXbx3I.org
Source: InstallUtil.exe, 00000009.00000002.402518858.0000000002AE8000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.437368708.0000000002B94000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.606088436.0000000002BCA000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: InstallUtil.exe, 00000009.00000002.402518858.0000000002AE8000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.437368708.0000000002B94000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.606088436.0000000002BCA000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: InstallUtil.exe, 00000009.00000002.402518858.0000000002AE8000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.437368708.0000000002B94000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.606088436.0000000002BCA000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: InstallUtil.exe, 00000009.00000002.402518858.0000000002AE8000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.437368708.0000000002B94000.00000004.00000001.sdmp, InstallUtil.exe, 00000013.00000002.606088436.0000000002BCA000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_0653C22C SetWindowsHookExW 0000000D,00000000,?,? | 13_2_0653C22C
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: Money gram.exe, 00000000.00000002.344577283.000000000124A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: Money gram.exe, fQu007c7u002fg/jDu007c65z.cs | Large array initialization: H$e41j: array initializer size 91152
Source: 0.0.Money gram.exe.a70000.0.unpack, fQu007c7u002fg/jDu007c65z.cs | Large array initialization: H$e41j: array initializer size 91152
Source: 0.2.Money gram.exe.a70000.0.unpack, fQu007c7u002fg/jDu007c65z.cs | Large array initialization: H$e41j: array initializer size 91152
Source: application.exe.1.dr, fQu007c7u002fg/jDu007c65z.cs | Large array initialization: H$e41j: array initializer size 91152
Source: 5.2.application.exe.ec0000.0.unpack, fQu007c7u002fg/jDu007c65z.cs | Large array initialization: H$e41j: array initializer size 91152
Source: 5.0.application.exe.ec0000.0.unpack, fQu007c7u002fg/jDu007c65z.cs | Large array initialization: H$e41j: array initializer size 91152
Source: 12.0.application.exe.cf0000.0.unpack, fQu007c7u002fg/jDu007c65z.cs | Large array initialization: H$e41j: array initializer size 91152
Source: 12.2.application.exe.cf0000.0.unpack, fQu007c7u002fg/jDu007c65z.cs | Large array initialization: H$e41j: array initializer size 91152
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_0618F5189_2_0618F518
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_0618BAA59_2_0618BAA5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061800409_2_06180040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_0618B8919_2_0618B891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_0618D8939_2_0618D893
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_0618E8C89_2_0618E8C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061811599_2_06181159
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A83489_2_061A8348
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A8B489_2_061A8B48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A00409_2_061A0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A4C989_2_061A4C98
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A599D9_2_061A599D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A2E089_2_061A2E08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A1E239_2_061A1E23
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A1E6D9_2_061A1E6D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A00409_2_061A0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A1ECD9_2_061A1ECD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A1F179_2_061A1F17
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A17039_2_061A1703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A23599_2_061A2359
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A102C9_2_061A102C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A1C2C9_2_061A1C2C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A10BA9_2_061A10BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A1CBB9_2_061A1CBB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A1D4A9_2_061A1D4A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A1D949_2_061A1D94
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_061A19D49_2_061A19D4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_084800409_2_08480040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_084850109_2_08485010
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_084893609_2_08489360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_084855789_2_08485578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_084827009_2_08482700
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_084800069_2_08480006
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_084842209_2_08484220
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_084855689_2_08485568
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F7227812_2_02F72278
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F7178012_2_02F71780
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F7546812_2_02F75468
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F7F84112_2_02F7F841
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F739A812_2_02F739A8
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F7226B12_2_02F7226B
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F7F2A012_2_02F7F2A0
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F7F29012_2_02F7F290
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F7177012_2_02F71770
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F7545A12_2_02F7545A
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F79BF112_2_02F79BF1
                  Source: C:\Users\user\AppData\Roaming\application.exeCode function: 12_2_02F7399912_2_02F73999
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0297A23813_2_0297A238
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0297633813_2_02976338
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_02978BD013_2_02978BD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_02975FF013_2_02975FF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_02976C0813_2_02976C08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0297E83013_2_0297E830
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0297E84013_2_0297E840
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_02971C0313_2_02971C03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_02971D0213_2_02971D02
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0536830813_2_05368308
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_05360D6013_2_05360D60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0536492813_2_05364928
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_05363C6013_2_05363C60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_053685C313_2_053685C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0536867A13_2_0536867A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0536CD1013_2_0536CD10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_05364D5213_2_05364D52
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_05360CC613_2_05360CC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0536099313_2_05360993
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_053608B013_2_053608B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0536089213_2_05360892
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_05360B6113_2_05360B61
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_05363BD213_2_05363BD2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652F78813_2_0652F788
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652FA8013_2_0652FA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652682813_2_06526828
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652C8E813_2_0652C8E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652B77513_2_0652B775
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652671613_2_06526716
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652673013_2_06526730
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652847413_2_06528474
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652B41013_2_0652B410
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652C43E13_2_0652C43E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652B56113_2_0652B561
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652E5A013_2_0652E5A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_065282F813_2_065282F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652004013_2_06520040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652115913_2_06521159
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652F1F013_2_0652F1F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652BC8013_2_0652BC80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06528AF013_2_06528AF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0652897913_2_06528979
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653065813_2_06530658
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653468813_2_06534688
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653378813_2_06533788
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653702713_2_06537027
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_065370B013_2_065370B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653A0B013_2_0653A0B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653B18013_2_0653B180
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06530E6013_2_06530E60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06538EC013_2_06538EC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653CE8C13_2_0653CE8C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06535F5013_2_06535F50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06533A9813_2_06533A98
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06531BA013_2_06531BA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653064813_2_06530648
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653467A13_2_0653467A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653374013_2_06533740
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653149013_2_06531490
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_065314A013_2_065314A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653A0A013_2_0653A0A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0653B16213_2_0653B162
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06533E1013_2_06533E10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06539DE713_2_06539DE7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06531B9013_2_06531B90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0654571513_2_06545715
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0654004013_2_06540040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0654281013_2_06542810
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_065450C013_2_065450C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_065480A013_2_065480A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_065488A013_2_065488A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_065449D313_2_065449D3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06541E7713_2_06541E77
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06541E1913_2_06541E19
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0654EE8013_2_0654EE80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06541EBF13_2_06541EBF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_065416B913_2_065416B9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06541C6F13_2_06541C6F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06541CFC13_2_06541CFC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06541D4413_2_06541D44
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06541DD113_2_06541DD1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0654004013_2_06540040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0654C22A13_2_0654C22A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_065422FD13_2_065422FD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_06541BE213_2_06541BE2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0654100813_2_06541008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0654109413_2_06541094
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_0654198A13_2_0654198A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 13_2_065429A613_2_065429A6
                  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                  Source: Money gram.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: application.exe.1.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: Money gram.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: application.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: Money gram.exe | Binary or memory string: OriginalFilename vs Money gram.exe
                  Source: Money gram.exe, 00000000.00000002.346261022.0000000004922000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamecxWlVgzyJXCqbjKqdSekvKKkpgCBtpIp.exe4 vs Money gram.exe
                  Source: Money gram.exe, 00000000.00000002.344577283.000000000124A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Money gram.exe
                  Source: Money gram.exe, 00000000.00000002.349874673.0000000008D80000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Money gram.exe
                  Source: Money gram.exe, 00000000.00000002.350109166.0000000008E70000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Money gram.exe
                  Source: Money gram.exe, 00000000.00000002.350109166.0000000008E70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Money gram.exe
                  Source: Money gram.exe, 00000000.00000002.348945797.0000000005450000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Money gram.exe
                  Source: Money gram.exe, 00000000.00000002.345780519.0000000003EA7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDESdgdhser.dll0 vs Money gram.exe
                  Source: C:\Users\user\Desktop\Money gram.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\application.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'applicat' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: Money gram.exe, Ht3u002a6u0024oC/cQ_30u0029fL.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.Money gram.exe.a70000.0.unpack, Ht3u002a6u0024oC/cQ_30u0029fL.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.Money gram.exe.a70000.0.unpack, Ht3u002a6u0024oC/cQ_30u0029fL.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: application.exe.1.dr, Ht3u002a6u0024oC/cQ_30u0029fL.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 5.2.application.exe.ec0000.0.unpack, Ht3u002a6u0024oC/cQ_30u0029fL.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 5.0.application.exe.ec0000.0.unpack, Ht3u002a6u0024oC/cQ_30u0029fL.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 12.0.application.exe.cf0000.0.unpack, Ht3u002a6u0024oC/cQ_30u0029fL.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 12.2.application.exe.cf0000.0.unpack, Ht3u002a6u0024oC/cQ_30u0029fL.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: classification engine | Classification label: mal99.troj.spyw.evad.winEXE@26/13@3/3
                  Source: C:\Users\user\Desktop\Money gram.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Money gram.exe.log
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1904:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3900:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4664:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:240:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
                  Source: Money gram.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\Money gram.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\application.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\application.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\application.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\Money gram.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\Money gram.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: Money gram.exe | ReversingLabs: Detection: 10%
                  Source: unknownProcess created: C:\Users\user\Desktop\Money gram.exe 'C:\Users\user\Desktop\Money gram.exe'
                  Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\Money gram.exe' 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\application.exe C:\Users\user\AppData\Roaming\application.exe
                  Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'applicat' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'applicat' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\application.exe 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe 'C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe'
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\application.exe 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe 'C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe'
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Money gram.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\Money gram.exe' 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: C:\Users\user\Desktop\Money gram.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\application.exe C:\Users\user\AppData\Roaming\application.exe
                  Source: C:\Users\user\AppData\Roaming\application.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'applicat' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: C:\Users\user\AppData\Roaming\application.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'applicat' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\application.exe'
                  Source: C:\Users\user\Desktop\Money gram.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Automated click: OK
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\Money gram.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Money gram.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Money gram.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                  Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: ljYBX.exe, 0000000E.00000002.402886597.00000000008B2000.00000002.00020000.sdmp, ljYBX.exe, 00000014.00000000.433504703.00000000001E2000.00000002.00020000.sdmp, ljYBX.exe.9.dr
                  Source: Binary string: InstallUtil.pdb source: ljYBX.exe, 0000000E.00000002.402886597.00000000008B2000.00000002.00020000.sdmp, ljYBX.exe, 00000014.00000000.433504703.00000000001E2000.00000002.00020000.sdmp, ljYBX.exe.9.dr

                  Data Obfuscation:

                  .NET source code contains potential unpacker
                  Source: Money gram.exe, u0030f_YEu002f3j/Rm9u0024u0028Xx2.cs | .Net Code: n$6EK4z) System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.0.Money gram.exe.a70000.0.unpack, u0030f_YEu002f3j/Rm9u0024u0028Xx2.cs | .Net Code: n$6EK4z) System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.2.Money gram.exe.a70000.0.unpack, u0030f_YEu002f3j/Rm9u0024u0028Xx2.cs | .Net Code: n$6EK4z) System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: application.exe.1.dr, u0030f_YEu002f3j/Rm9u0024u0028Xx2.cs | .Net Code: n$6EK4z) System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 5.2.application.exe.ec0000.0.unpack, u0030f_YEu002f3j/Rm9u0024u0028Xx2.cs | .Net Code: n$6EK4z) System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 5.0.application.exe.ec0000.0.unpack, u0030f_YEu002f3j/Rm9u0024u0028Xx2.cs | .Net Code: n$6EK4z) System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 12.0.application.exe.cf0000.0.unpack, u0030f_YEu002f3j/Rm9u0024u0028Xx2.cs | .Net Code: n$6EK4z) System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 12.2.application.exe.cf0000.0.unpack, u0030f_YEu002f3j/Rm9u0024u0028Xx2.cs | .Net Code: n$6EK4z) System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_06189498 push ds; iretd 9_2_0618949A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_061894B3 push 8BD08B05h; iretd 9_2_061894B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_06180040 push es; ret 9_2_06180DC8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_061880EC push cs; retf 9_2_061880F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_061849E8 push edx; rep ret 9_2_061849E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_061A3E09 pushfd ; ret 9_2_061A3E1F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_061A27A5 push es; iretd 9_2_061A27A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_0848B863 push esp; iretd 9_2_0848B869
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_0848B8E0 push esp; iretd 9_2_0848B8E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_0848B896 push esp; iretd 9_2_0848B897
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_0848B998 push ebx; iretd 9_2_0848B999
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_0848BB50 push edx; iretd 9_2_0848BB51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_08487CC1 push es; ret 9_2_08487CD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_0536AE88 push esp; retf 13_2_0536AE95
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_06520040 push es; ret 13_2_06520DC8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_065249E8 push edx; rep ret 13_2_065249E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_065385AA push es; ret 13_2_065385F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_06539933 push es; retf 13_2_06539948
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_06543F20 push es; iretd 13_2_06543F70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_06543F90 push es; ret 13_2_06543F94
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_0654D4CE push edi; iretd 13_2_0654D5AD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_06547DCA push es; ret 13_2_06547DCC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_0654C04E push es; retf 13_2_0654C070
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 13_2_065439B2 pushfd ; ret 13_2_065439BF
                  Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\application.exe (dropped file)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe (dropped file)

                  Boot Survival:

                  Creates multiple autostart registry keys
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CrywfRZe
                  Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run applicat
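The process-creation rows earlier in the report (cmd.exe copying the sample into %AppData%, REG ADD into the HKCU Run key, InstallUtil.exe started by application.exe with an empty command line) and the Run-key entries in this Boot Survival section describe one chain. The script below is an added example, not part of the Joe Sandbox report or of any vendor tooling: it parses evidence lines transcribed from this report, rebuilds the parent-child chain, and applies three rules to it. The rule names, the set of .NET host binaries treated as injection hosts, and the "parent under C:\Users is user-writable" heuristic are this example's own assumptions.

```python
"""Added example (not from the report): rebuild the process chain from the
report's "Process created" evidence and flag the staging, persistence and
host-process behaviours it documents."""
import re
from collections import defaultdict

# Evidence lines transcribed from this report's process-creation rows.
# Layout: "Source: <parent image> | Process created: <child image> <command line>".
REPORT_LINES = [
    r"Source: unknown | Process created: C:\Users\user\AppData\Roaming\application.exe 'C:\Users\user\AppData\Roaming\application.exe'",
    r"Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
    r"Source: C:\Users\user\Desktop\Money gram.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\Money gram.exe' 'C:\Users\user\AppData\Roaming\application.exe'",
    r"Source: C:\Users\user\Desktop\Money gram.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Roaming\application.exe'",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\application.exe C:\Users\user\AppData\Roaming\application.exe",
    r"Source: C:\Users\user\AppData\Roaming\application.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'applicat' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\application.exe'",
    r"Source: C:\Users\user\AppData\Roaming\application.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'applicat' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\application.exe'",
]

LINE_RE = re.compile(r"^Source: (?P<parent>.+?) \| Process created: (?P<image>.+?\.exe) (?P<cmdline>.*)$")
COPY_RE = re.compile(r"\bcopy\s+'([^']+)'\s+'([^']+)'", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\bREG\s+ADD\b.*CurrentVersion\\Run\b", re.IGNORECASE)
REG_VALUE_RE = re.compile(r"/v\s+'([^']+)'", re.IGNORECASE)
REG_DATA_RE = re.compile(r"/d\s+'([^']+)'", re.IGNORECASE)

# .NET Framework binaries this example treats as injection hosts when a parent in a
# user-writable path starts them with an empty command line (assumption: the report
# shows InstallUtil.exe; RegAsm/RegSvcs are added for generality).
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    """Crude location test: anything under C:\\Users\\ counts as user-writable."""
    return path.lower().startswith("c:\\users\\")


def has_no_args(image, cmdline):
    """True when the command line is only the image path, quoted or bare."""
    return cmdline.strip().strip("'\"").lower() == image.lower()


def parse(lines):
    """Turn evidence lines into {parent, image, cmdline} dicts; skip anything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(lines):
    """Return (findings, children): rule hits, and parent image -> child images."""
    findings = {"self_copy": [], "run_key": set(), "argless_host": []}
    children = defaultdict(list)
    for ev in parse(lines):
        parent, image, cmd = ev["parent"], ev["image"], ev["cmdline"]
        children[parent].append(image)
        # Rule 1: cmd.exe copies the parent's own image under %AppData% (staging).
        copy = COPY_RE.search(cmd) if basename(image) == "cmd.exe" else None
        if copy and copy.group(1).lower() == parent.lower() and "\\appdata\\" in copy.group(2).lower():
            findings["self_copy"].append((copy.group(1), copy.group(2)))
        # Rule 2: REG ADD into a CurrentVersion\Run key (persistence); dedupe by value.
        if RUN_KEY_RE.search(cmd):
            name, data = REG_VALUE_RE.search(cmd), REG_DATA_RE.search(cmd)
            if name and data:
                findings["run_key"].add((name.group(1), data.group(1)))
        # Rule 3: a .NET host started with no arguments by a user-writable parent.
        if basename(image) in DOTNET_HOSTS and has_no_args(image, cmd) and user_writable(parent):
            findings["argless_host"].append((parent, image))
    return findings, children


def chains(children, root, path=()):
    """Depth-first parent->child chains from root, cutting cycles on the current path."""
    path = path + (root,)
    kids = [k for k in dict.fromkeys(children.get(root, ())) if k not in path]
    if not kids:
        return [path]
    out = []
    for kid in kids:
        out.extend(chains(children, kid, path))
    return out


if __name__ == "__main__":
    findings, children = analyze(REPORT_LINES)
    for chain in chains(children, r"C:\Users\user\Desktop\Money gram.exe"):
        print(" -> ".join(basename(p) for p in chain))
    for rule, hits in findings.items():
        print(rule, sorted(hits))
```

Rows whose parent is "unknown" still contribute to the tree but never satisfy the argless-host rule, so the script under-reports rather than guesses at lineage; rows from another report in the same "Source: parent | Process created: image command line" layout can be fed in unchanged.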

                  Hooking and other Techniques for Hiding and Protection:

                  Hides that the sample has been downloaded from the Internet (zone.identifier)
                  Source: C:\Users\user\Desktop\Money gram.exe | File opened: C:\Users\user\Desktop\Money gram.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\AppData\Roaming\application.exe | File opened: C:\Users\user\AppData\Roaming\application.exe:Zone.Identifier read attributes | delete
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\Money gram.exe | Process information set: NOOPENFILEERRORBOX
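Opening the Zone.Identifier stream with delete access, as the section above records for the sample and both of its drops, strips the Mark of the Web, so a responder who later finds application.exe or ljYBX.exe on a host cannot rely on that stream to say where the binary came from. The script below is an added example, not part of the report: it reads the stream through the NTFS "<file>:Zone.Identifier" path syntax, parses the [ZoneTransfer] body Windows writes, and turns its presence or absence into a triage verdict. The sample stream and the URLs in it are constructed for this example; the two drop paths it checks are the ones named in the report and are only meaningful on the infected host.

```python
"""Added example (not from the report): inspect the Zone.Identifier stream
(Mark of the Web) that the sample opens with delete access on its drops."""
import configparser

# Drop locations named in the report; only meaningful on the infected host.
REPORT_DROPS = [
    r"C:\Users\user\AppData\Roaming\application.exe",
    r"C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe",
]

# URLMON security zone IDs as written to the ZoneId key.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample stream in the layout Windows writes for a browser download.
SAMPLE_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                 b"ReferrerUrl=https://example.invalid/invoice\r\n"
                 b"HostUrl=https://example.invalid/Money%20gram.exe\r\n")


def read_motw(path):
    """Return the raw Zone.Identifier stream of `path`, or None when absent.
    NTFS exposes the stream as '<file>:Zone.Identifier'. A deleted stream, a
    non-NTFS volume or a missing file all make the open fail; for triage the
    absence itself is the finding, so every OSError maps to None."""
    try:
        with open(f"{path}:Zone.Identifier", "rb") as fh:
            return fh.read()
    except OSError:
        return None


def parse_motw(raw):
    """Parse the INI-style stream body into ZoneId (int) and the optional URLs."""
    cp = configparser.ConfigParser(interpolation=None)  # HostUrl may contain '%'
    cp.optionxform = str  # keep ZoneId/ReferrerUrl/HostUrl case as written
    cp.read_string(raw.decode("utf-8-sig", errors="replace"))  # utf-8-sig drops a BOM
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("stream has no [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    return {
        "ZoneId": int(sec.get("ZoneId", "-1")),
        "ReferrerUrl": sec.get("ReferrerUrl"),
        "HostUrl": sec.get("HostUrl"),
    }


def motw_verdict(raw):
    """Translate a stream (or its absence) into what it means for file lineage."""
    if raw is None:
        return "no mark: never downloaded, copied via a non-NTFS path, or the stream was removed"
    info = parse_motw(raw)
    zone = ZONE_NAMES.get(info["ZoneId"], f"unknown zone {info['ZoneId']}")
    if info["ZoneId"] >= 3:
        return f"marked {zone}: download checks apply; host {info['HostUrl'] or 'not recorded'}"
    return f"marked {zone}: no download warnings apply"


def check_paths(paths):
    """Map each path to its verdict; run against REPORT_DROPS on the infected host."""
    return {p: motw_verdict(read_motw(p)) for p in paths}


if __name__ == "__main__":
    print("sample stream ->", motw_verdict(SAMPLE_STREAM))
    for path, verdict in check_paths(REPORT_DROPS).items():
        print(path, "->", verdict)
```

A missing stream is not proof of tampering on its own: files written by the sandbox's own copy operation, or restored from non-NTFS media, never carry one. The useful signal is the combination the report shows, a binary in %AppData% with no mark whose parent chain leads back to a file that did have one.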