Windows Analysis Report 987421.exe

Overview

General Information

Sample Name: 987421.exe
Analysis ID: 505624
MD5: 75e71ba1842dc3f63198386adb92716f
SHA1: 3dac2a6f86bf211fe4ed33f21dc63bbd1ff04114
SHA256: 72946d33bc1e3945ed628d129fcc9096dc1ff9cedcfe2fe568ade44544519a20
Tags: exe
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected HawkEye Rat
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: 987421.exe ReversingLabs: Detection: 38%
Machine Learning detection for sample
Source: 987421.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.987421.exe.446dc1a.3.unpack Avira: Label: TR/Inject.vcoldi
Source: 10.2.InstallUtil.exe.760000.1.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.InstallUtil.exe.760000.1.unpack Avira: Label: SPR/Tool.MailPassView.473

Compliance:

barindex
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49750 version: TLS 1.0
Uses 32bit PE files
Source: 987421.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 987421.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: 987421.exe, 00000000.00000003.407192687.0000000006EC5000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557456061.0000000000392000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb source: 987421.exe, 00000000.00000003.407192687.0000000006EC5000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr

Spreading:

barindex
May infect USB drives
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 17_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 17_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 18_2_00406EC3

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then jmp 04CEA630h 10_2_04CEA559
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then jmp 04CEA630h 10_2_04CEA568

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49750 version: TLS 1.0
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49836 -> 173.231.223.186:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49836 -> 173.231.223.186:587
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: InstallUtil.exe, 0000000A.00000002.563169105.0000000007500000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: InstallUtil.exe, 0000000A.00000002.563216260.0000000007557000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: InstallUtil.exe, 0000000A.00000002.563216260.0000000007557000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: InstallUtil.exe, 0000000A.00000002.560687130.0000000002C15000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: InstallUtil.exe, 0000000A.00000003.433873145.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://en.wikip_
Source: InstallUtil.exe, 0000000A.00000003.432161047.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://en.wikipedia
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: InstallUtil.exe, 0000000A.00000002.560629519.0000000002C0B000.00000004.00000001.sdmp String found in binary or memory: http://mail.merchantexint.com
Source: InstallUtil.exe, 0000000A.00000002.560629519.0000000002C0B000.00000004.00000001.sdmp String found in binary or memory: http://merchantexint.com
Source: 987421.exe, 00000000.00000002.448648735.00000000074A4000.00000004.00000001.sdmp, 987421.exe, 00000000.00000003.305194249.00000000074AA000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: 987421.exe, 00000000.00000002.428540831.00000000033F1000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: InstallUtil.exe, 0000000A.00000003.438030450.0000000005828000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000003.437499430.0000000005828000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: InstallUtil.exe, 0000000A.00000003.436490625.0000000005828000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coma
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: InstallUtil.exe, 0000000A.00000003.437983668.0000000005828000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comncy
Source: InstallUtil.exe, 0000000A.00000003.437109020.0000000005828000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comroa
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: InstallUtil.exe, 0000000A.00000003.465416496.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: InstallUtil.exe, 0000000A.00000003.449252989.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com.TTF
Source: InstallUtil.exe, 0000000A.00000003.445953221.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com.TTFK
Source: InstallUtil.exe, 0000000A.00000003.446044224.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/$
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: InstallUtil.exe, 0000000A.00000003.446104328.000000000582A000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000003.445953221.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: InstallUtil.exe, 0000000A.00000003.449066115.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlt
Source: InstallUtil.exe, 0000000A.00000003.447402419.000000000582A000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: InstallUtil.exe, 0000000A.00000003.446530539.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers:
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: InstallUtil.exe, 0000000A.00000003.446530539.000000000582A000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: InstallUtil.exe, 0000000A.00000003.446633052.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersf
Source: InstallUtil.exe, 0000000A.00000003.449252989.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersk
Source: InstallUtil.exe, 0000000A.00000003.450047786.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerss
Source: InstallUtil.exe, 0000000A.00000003.452411572.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: InstallUtil.exe, 0000000A.00000003.448056493.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF6
Source: InstallUtil.exe, 0000000A.00000003.449368036.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalsoe
Source: InstallUtil.exe, 0000000A.00000003.465416496.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comasno
Source: InstallUtil.exe, 0000000A.00000003.452411572.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: InstallUtil.exe, 0000000A.00000003.451034728.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdw
Source: InstallUtil.exe, 0000000A.00000003.448056493.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessed
Source: InstallUtil.exe, 0000000A.00000003.448056493.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessedw
Source: InstallUtil.exe, 0000000A.00000003.446044224.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comgrita
Source: InstallUtil.exe, 0000000A.00000003.449252989.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comitud
Source: InstallUtil.exe, 0000000A.00000003.445953221.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comk
Source: InstallUtil.exe, 0000000A.00000003.465416496.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coml1
Source: InstallUtil.exe, 0000000A.00000003.450047786.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comoe
Source: InstallUtil.exe, 0000000A.00000003.464420208.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comow
Source: InstallUtil.exe, 0000000A.00000003.450047786.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsivd
Source: InstallUtil.exe, 0000000A.00000003.446465198.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comue/$
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: InstallUtil.exe, 0000000A.00000003.433873145.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.c
Source: InstallUtil.exe, 0000000A.00000003.433873145.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: InstallUtil.exe, 0000000A.00000003.435387692.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: InstallUtil.exe, 0000000A.00000003.433784517.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnD
Source: InstallUtil.exe, 0000000A.00000003.434457013.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnj
Source: InstallUtil.exe, 0000000A.00000003.454005367.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: InstallUtil.exe, 0000000A.00000003.454005367.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com//
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: InstallUtil.exe, 0000000A.00000003.458973662.0000000005843000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm.5
Source: InstallUtil.exe, 0000000A.00000003.454754908.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/w
Source: InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr-c
Source: InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000003.442723251.0000000005828000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: InstallUtil.exe, 0000000A.00000003.444934036.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: InstallUtil.exe, 0000000A.00000003.444934036.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/6
Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: InstallUtil.exe, 0000000A.00000003.460108105.000000000582A000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000003.454171426.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: InstallUtil.exe, 0000000A.00000003.453387839.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.q
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://www.msn.com
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://www.msn.com/
Source: vbc.exe, 00000011.00000003.498594832.00000000027E6000.00000004.00000001.sdmp, bhvCA0A.tmp.17.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: vbc.exe, 00000011.00000003.498594832.00000000027E6000.00000004.00000001.sdmp, bhvCA0A.tmp.17.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhvCA0A.tmp.17.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: vbc.exe, vbc.exe, 00000012.00000002.491382176.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: InstallUtil.exe, 0000000A.00000003.443494874.0000000005828000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: InstallUtil.exe, 0000000A.00000003.432698506.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr?
Source: InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krim
Source: InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krony
Source: InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: InstallUtil.exe, 0000000A.00000003.439472593.0000000005828000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comslnt
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: InstallUtil.exe, 0000000A.00000003.445783956.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: InstallUtil.exe, 0000000A.00000003.450406240.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deC
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: InstallUtil.exe, 0000000A.00000003.445783956.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deH
Source: InstallUtil.exe, 0000000A.00000003.445519153.000000000582A000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deld
Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: InstallUtil.exe, 0000000A.00000003.436283853.0000000005826000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cna
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: vbc.exe, 00000011.00000003.498742082.00000000027EF000.00000004.00000001.sdmp, bhvCA0A.tmp.17.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: vbc.exe, 00000011.00000003.498742082.00000000027EF000.00000004.00000001.sdmp, bhvCA0A.tmp.17.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://contextual.media.net/
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000011.00000003.500561241.0000000000A7E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 00000011.00000003.500561241.0000000000A7E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: vbc.exe, 00000011.00000003.498742082.00000000027EF000.00000004.00000001.sdmp, bhvCA0A.tmp.17.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: vbc.exe, 00000011.00000003.498742082.00000000027EF000.00000004.00000001.sdmp, bhvCA0A.tmp.17.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://pki.goog/repository/0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: InstallUtil.exe, 0000000A.00000002.560687130.0000000002C15000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: 987421.exe, 00000000.00000002.428540831.00000000033F1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: 987421.exe, 00000000.00000002.428540831.00000000033F1000.00000004.00000001.sdmp, bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhvCA0A.tmp.17.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: unknown DNS traffic detected: queries for: www.google.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe, 00000011.00000002.500947062.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe, 00000011.00000002.500947062.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000011.00000003.500561241.0000000000A7E000.00000004.00000001.sdmp String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.facebook.com (Facebook)
Source: vbc.exe, 00000011.00000003.500561241.0000000000A7E000.00000004.00000001.sdmp String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 987421.exe PID: 4344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6920, type: MEMORYSTR
Contains functionality to log keystrokes (.Net Source)
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_0040D674 OpenClipboard,GetLastError,DeleteFileW, 17_2_0040D674

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: 987421.exe, Xc2m/Lq8t.cs Large array initialization: .cctor: array initializer size 4599
Source: 987421.exe, Dg3/Ae0.cs Large array initialization: .cctor: array initializer size 3891
Detected potential crypto function
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F931F9 0_2_00F931F9
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F9399C 0_2_00F9399C
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F9754F 0_2_00F9754F
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_033CEF90 0_2_033CEF90
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 10_2_003920B0 10_2_003920B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 10_2_00B9B29C 10_2_00B9B29C
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 10_2_00B9C310 10_2_00B9C310
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 10_2_00B9B290 10_2_00B9B290
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 10_2_00B999D0 10_2_00B999D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00404419 17_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00404516 17_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00413538 17_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_004145A1 17_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_0040E639 17_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_004337AF 17_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_004399B1 17_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_0043DAE7 17_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00405CF6 17_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00403F85 17_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00411F99 17_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00404DDB 18_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0040BD8A 18_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00404E4C 18_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00404EBD 18_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00404F4E 18_2_00404F4E
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Uses 32bit PE files
Source: 987421.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 10.2.InstallUtil.exe.74d0000.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.InstallUtil.exe.7b80000.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.InstallUtil.exe.282eae0.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.563407277.0000000007B80000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.563118770.00000000074D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 17_2_00408836
Sample file is different than original file name gathered from version info
Source: 987421.exe Binary or memory string: OriginalFilename vs 987421.exe
Source: 987421.exe, 00000000.00000002.443897348.00000000043F8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs 987421.exe
Source: 987421.exe, 00000000.00000002.428926096.00000000034A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs 987421.exe
Source: 987421.exe, 00000000.00000002.428926096.00000000034A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs 987421.exe
Source: 987421.exe, 00000000.00000002.421049743.0000000000F92000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesis.exe" vs 987421.exe
Source: 987421.exe, 00000000.00000003.407192687.0000000006EC5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInstallUtil.exeT vs 987421.exe
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 987421.exe
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 987421.exe
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs 987421.exe
Source: 987421.exe Binary or memory string: OriginalFilenamesis.exe" vs 987421.exe
Source: 987421.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\987421.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\987421.exe.log Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@7/6@4/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource, 17_2_00411EF8
Source: 987421.exe ReversingLabs: Detection: 38%
Source: C:\Users\user\Desktop\987421.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\987421.exe 'C:\Users\user\Desktop\987421.exe'
Source: C:\Users\user\Desktop\987421.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\987421.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation Jump to behavior
Source: C:\Users\user\Desktop\987421.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 17_2_00415F87
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe, 00000011.00000002.500947062.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\987421.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 17_2_00411196
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs Base64 encoded string: 'jwpdbTVcqJzxvfBDtW68q7oRfljM8b8abw7DEV5/tgiR5+6Av2KoKY3S9Gf8JxQe', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\987421.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\987421.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\987421.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\987421.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: 987421.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: 987421.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 987421.exe Static file information: File size 1335296 > 1048576
Source: 987421.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x145600
Source: 987421.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: 987421.exe, 00000000.00000003.407192687.0000000006EC5000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557456061.0000000000392000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb source: 987421.exe, 00000000.00000003.407192687.0000000006EC5000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F952E1 push esi; ret 0_2_00F952ED
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F94489 push eax; retf 0_2_00F9449C
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F9587F push edx; iretd 0_2_00F95880
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F94450 push eax; retf 0_2_00F9445C
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F94449 push eax; retf 0_2_00F9444C
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F93818 push ds; retf 0_2_00F93819
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F9281E push ebp; iretd 0_2_00F928EB
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F95F93 push esp; retf 0_2_00F95F96
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F95F43 push cs; retf 0_2_00F95F17
Source: C:\Users\user\Desktop\987421.exe Code function: 0_2_00F95F15 push cs; retf 0_2_00F95F17
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 10_2_00B9E4AF pushad ; retn 027Ch 10_2_00B9E4D9
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 10_2_04CE2651 push es; retf 0004h 10_2_04CE2652
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 10_2_04CE2631 push es; retf 0004h 10_2_04CE2632
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 10_2_04CEAC12 pushfd ; ret 10_2_04CEAC21
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00442871 push ecx; ret 17_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00442A90 push eax; ret 17_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00442A90 push eax; ret 17_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00446E54 push eax; ret 17_2_00446E61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00411879 push ecx; ret 18_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_004118A0 push eax; ret 18_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_004118A0 push eax; ret 18_2_004118DC
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 17_2_004422C7
Source: 987421.exe, Zn10/Bj0t.cs High entropy of concatenated method names: '.ctor', 'Tg9z', 'Sx73', 'Rg1b', 'Bf43', 'Sx02', 'Gi78', 'i0PZ', 'p6N8', 'Ws50'
Source: 987421.exe, Hw13/z0GL.cs High entropy of concatenated method names: '.ctor', 'g4GN', 'x7P2', 'a9YA', 'Rp9j', 'Hi0b', 'm8Z9', 't5WS', 'q7H1', 'b3Z4'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\987421.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\987421.exe File opened: C:\Users\user\Desktop\987421.exe\:Zone.Identifier read attributes | delete Jump to behavior
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 17_2_00441975
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\987421.exe TID: 7132 Thread sleep time: -20291418481080494s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\987421.exe TID: 7132 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\987421.exe TID: 7148 Thread sleep count: 745 > 30 Jump to behavior
Source: C:\Users\user\Desktop\987421.exe TID: 7148 Thread sleep count: 9118 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5256 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 160 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2484 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 3144 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -99735s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -99594s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -99484s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -99363s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -99203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -99093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -98532s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -98406s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -98296s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -98185s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -97981s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -97806s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -96675s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -96547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -96406s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -96297s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -96187s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -96077s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -95968s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 17_2_00408836
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\987421.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\987421.exe Window / User API: threadDelayed 745 Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Window / User API: threadDelayed 9118 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 1123 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 2744 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\987421.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 140000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 99735 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 99594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 99484 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 99363 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 99203 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 99093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 98532 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 98406 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 98296 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 98185 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 97981 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 97806 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 96675 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 96547 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 96406 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 96297 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 96187 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 96077 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 95968 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 987421.exe Binary or memory string: IHGFSD
Source: bhvCA0A.tmp.17.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20211019T232911Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=099b8868c2c048b59f1bbe3736c81dbe&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1217169&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1217169&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: InstallUtil.exe, 0000000A.00000002.559174936.0000000000BE5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\987421.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_004161B0 memset,GetSystemInfo, 17_2_004161B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 17_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 17_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 18_2_00406EC3

Anti Debugging:

barindex
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 17_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 17_2_004422C7
Enables debug privileges
Source: C:\Users\user\Desktop\987421.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\987421.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 760000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 760000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 760000 Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 762000 Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 7E2000 Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 7E6000 Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 5AC008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000 Jump to behavior
.NET source code references suspicious native API functions
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.2.InstallUtil.exe.760000.1.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\987421.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: InstallUtil.exe, 0000000A.00000002.559706836.0000000001290000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: InstallUtil.exe, 0000000A.00000002.559706836.0000000001290000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 0000000A.00000002.559706836.0000000001290000.00000002.00020000.sdmp Binary or memory string: Progman
Source: InstallUtil.exe, 0000000A.00000002.559706836.0000000001290000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Users\user\Desktop\987421.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\987421.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 17_2_0041604B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 18_2_0040724C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 17_2_00407674 GetVersionExW, 17_2_00407674

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected MailPassView
Source: Yara match File source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.7bfa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.37f9930.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4712e5a.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.37f9930.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.560993203.00000000037F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.491382176.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 987421.exe PID: 4344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6412, type: MEMORYSTR
Yara detected HawkEye Keylogger
Source: Yara match File source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 987421.exe PID: 4344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6920, type: MEMORYSTR
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 18_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 18_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 18_2_004033D7
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 0.2.987421.exe.46bcff5.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.37f9930.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4475a27.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.3811b50.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.769c0d.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.3811b50.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.500947062.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.560993203.00000000037F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 987421.exe PID: 4344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6920, type: MEMORYSTR
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior

Remote Access Functionality:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 987421.exe PID: 4344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6920, type: MEMORYSTR
Detected HawkEye Rat
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp String found in binary or memory: gl&HawkEye_Keylogger_Execution_Confirmed_
Source: InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp String found in binary or memory: gl"HawkEye_Keylogger_Stealer_Records_
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505624 Sample: 987421.exe Startdate: 19/10/2021 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Detected HawkEye Rat 2->47 49 8 other signatures 2->49 7 987421.exe 15 4 2->7         started        process3 dnsIp4 25 www.google.com 142.250.203.100, 443, 49750 GOOGLEUS United States 7->25 27 192.168.2.1 unknown unknown 7->27 21 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->21 dropped 23 C:\Users\user\AppData\...\987421.exe.log, ASCII 7->23 dropped 51 Writes to foreign memory regions 7->51 53 Allocates memory in foreign processes 7->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->55 57 Injects a PE file into a foreign processes 7->57 12 InstallUtil.exe 4 7->12         started        file5 signatures6 process7 dnsIp8 29 merchantexint.com 173.231.223.186, 49836, 587 INMOTI-1US United States 12->29 31 mail.merchantexint.com 12->31 33 194.167.4.0.in-addr.arpa 12->33 59 Changes the view of files in windows explorer (hidden files and folders) 12->59 61 Writes to foreign memory regions 12->61 63 Sample uses process hollowing technique 12->63 65 Injects a PE file into a foreign processes 12->65 16 vbc.exe 2 12->16         started        19 vbc.exe 1 12->19         started        signatures9 process10 signatures11 35 Tries to steal Mail credentials (via file registry) 16->35 37 Tries to harvest and steal browser information (history, passwords, etc) 16->37 39 Tries to steal Instant Messenger accounts or passwords 19->39 41 Tries to steal Mail credentials (via file access) 19->41
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
173.231.223.186
 merchantexint.com United States
54641 INMOTI-1US false
142.250.203.100
 www.google.com United States
15169 GOOGLEUS false

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
www.google.com 142.250.203.100 true
merchantexint.com 173.231.223.186 true
mail.merchantexint.com unknown unknown
194.167.4.0.in-addr.arpa unknown unknown