
Windows Analysis Report 987421.exe

Overview

General Information

Sample Name: 987421.exe
Analysis ID: 505624
MD5: 75e71ba1842dc3f63198386adb92716f
SHA1: 3dac2a6f86bf211fe4ed33f21dc63bbd1ff04114
SHA256: 72946d33bc1e3945ed628d129fcc9096dc1ff9cedcfe2fe568ade44544519a20
Tags: exe

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected HawkEye Rat
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Process Tree

  • System is w10x64
  • 987421.exe (PID: 4344 cmdline: 'C:\Users\user\Desktop\987421.exe' MD5: 75E71BA1842DC3F63198386ADB92716F)
    • InstallUtil.exe (PID: 6920 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • vbc.exe (PID: 7160 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6412 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b6c8:$key: HawkEyeKeylogger
  • 0x7d8ba:$salt: 099u787978786
  • 0x7bcd5:$string1: HawkEye_Keylogger
  • 0x7cb28:$string1: HawkEye_Keylogger
  • 0x7d81a:$string1: HawkEye_Keylogger
  • 0x7c0be:$string2: holdermail.txt
  • 0x7c0de:$string2: holdermail.txt
  • 0x7c000:$string3: wallet.dat
  • 0x7c018:$string3: wallet.dat
  • 0x7c02e:$string3: wallet.dat
  • 0x7d3fc:$string4: Keylog Records
  • 0x7d714:$string4: Keylog Records
  • 0x7d912:$string5: do not script -->
  • 0x7b6b0:$string6: \pidloc.txt
  • 0x7b70a:$string7: BSPLIT
  • 0x7b71a:$string7: BSPLIT
0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
Strings:
  • 0x7bd2d:$hawkstr1: HawkEye Keylogger
  • 0x7cb6e:$hawkstr1: HawkEye Keylogger
  • 0x7ce9d:$hawkstr1: HawkEye Keylogger
  • 0x7cff8:$hawkstr1: HawkEye Keylogger
  • 0x7d15b:$hawkstr1: HawkEye Keylogger
  • 0x7d3d4:$hawkstr1: HawkEye Keylogger
  • 0x7b8bb:$hawkstr2: Dear HawkEye Customers!
  • 0x7cef0:$hawkstr2: Dear HawkEye Customers!
  • 0x7d047:$hawkstr2: Dear HawkEye Customers!
  • 0x7d1ae:$hawkstr2: Dear HawkEye Customers!
  • 0x7b9dc:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author
10.2.InstallUtil.exe.74d0000.9.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.InstallUtil.exe.7b80000.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.InstallUtil.exe.7bfa72.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x1dc56:$key: HawkEyeKeylogger
  • 0x1fe48:$salt: 099u787978786
  • 0x1e263:$string1: HawkEye_Keylogger
  • 0x1f0b6:$string1: HawkEye_Keylogger
  • 0x1fda8:$string1: HawkEye_Keylogger
  • 0x1e64c:$string2: holdermail.txt
  • 0x1e66c:$string2: holdermail.txt
  • 0x1e58e:$string3: wallet.dat
  • 0x1e5a6:$string3: wallet.dat
  • 0x1e5bc:$string3: wallet.dat
  • 0x1f98a:$string4: Keylog Records
  • 0x1fca2:$string4: Keylog Records
  • 0x1fea0:$string5: do not script -->
  • 0x1dc3e:$string6: \pidloc.txt
  • 0x1dc98:$string7: BSPLIT
  • 0x1dca8:$string7: BSPLIT
10.2.InstallUtil.exe.7bfa72.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
10.2.InstallUtil.exe.7bfa72.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

            Sigma Overview

            System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\Desktop\987421.exe' , ParentImage: C:\Users\user\Desktop\987421.exe, ParentProcessId: 4344, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6920

            Jbx Signature Overview


            AV Detection:

Multi AV Scanner detection for submitted file
Source: 987421.exe | ReversingLabs: Detection: 38%
Machine Learning detection for sample
Source: 987421.exe | Joe Sandbox ML: detected
Source: 0.2.987421.exe.446dc1a.3.unpack | Avira: Label: TR/Inject.vcoldi
Source: 10.2.InstallUtil.exe.760000.1.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.InstallUtil.exe.760000.1.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: unknown | HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49750 version: TLS 1.0
Source: 987421.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 987421.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: 987421.exe, 00000000.00000003.407192687.0000000006EC5000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557456061.0000000000392000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb | source: 987421.exe, 00000000.00000003.407192687.0000000006EC5000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4x nop then jmp 04CEA630h
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.3:49836 -> 173.231.223.186:587
            Source: InstallUtil.exe, 0000000A.00000003.465416496.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comasno
            Source: InstallUtil.exe, 0000000A.00000003.452411572.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: InstallUtil.exe, 0000000A.00000003.451034728.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdw
            Source: InstallUtil.exe, 0000000A.00000003.448056493.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed
            Source: InstallUtil.exe, 0000000A.00000003.448056493.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessedw
            Source: InstallUtil.exe, 0000000A.00000003.446044224.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita
            Source: InstallUtil.exe, 0000000A.00000003.449252989.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comitud
            Source: InstallUtil.exe, 0000000A.00000003.445953221.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comk
            Source: InstallUtil.exe, 0000000A.00000003.465416496.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coml1
            Source: InstallUtil.exe, 0000000A.00000003.450047786.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoe
            Source: InstallUtil.exe, 0000000A.00000003.464420208.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comow
            Source: InstallUtil.exe, 0000000A.00000003.450047786.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsivd
            Source: InstallUtil.exe, 0000000A.00000003.446465198.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comue/$
            Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: InstallUtil.exe, 0000000A.00000003.433873145.000000000582E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.c
            Source: InstallUtil.exe, 0000000A.00000003.433873145.000000000582E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: InstallUtil.exe, 0000000A.00000003.435387692.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: InstallUtil.exe, 0000000A.00000003.433784517.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnD
            Source: InstallUtil.exe, 0000000A.00000003.434457013.000000000582E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnj
            Source: InstallUtil.exe, 0000000A.00000003.454005367.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: InstallUtil.exe, 0000000A.00000003.454005367.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com//
            Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: InstallUtil.exe, 0000000A.00000003.458973662.0000000005843000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm.5
            Source: InstallUtil.exe, 0000000A.00000003.454754908.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/w
            Source: InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr-c
            Source: InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000003.442723251.0000000005828000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/$
            Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
            Source: InstallUtil.exe, 0000000A.00000003.444934036.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6
            Source: InstallUtil.exe, 0000000A.00000003.444934036.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/9
            Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
            Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Z
            Source: InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/6
            Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/l
            Source: InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/x
            Source: InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/~
            Source: InstallUtil.exe, 0000000A.00000003.460108105.000000000582A000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000003.454171426.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
            Source: InstallUtil.exe, 0000000A.00000003.453387839.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.q
            Source: bhvCA0A.tmp.17.drString found in binary or memory: http://www.msn.com
            Source: bhvCA0A.tmp.17.drString found in binary or memory: http://www.msn.com/
            Source: vbc.exe, 00000011.00000003.498594832.00000000027E6000.00000004.00000001.sdmp, bhvCA0A.tmp.17.drString found in binary or memory: http://www.msn.com/?ocid=iehp
            Source: vbc.exe, 00000011.00000003.498594832.00000000027E6000.00000004.00000001.sdmp, bhvCA0A.tmp.17.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
            Source: bhvCA0A.tmp.17.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
            Source: bhvCA0A.tmp.17.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
            Source: vbc.exe, vbc.exe, 00000012.00000002.491382176.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: InstallUtil.exe, 0000000A.00000003.443494874.0000000005828000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: InstallUtil.exe, 0000000A.00000003.432698506.000000000582E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr?
            Source: InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krim
            Source: InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krony
            Source: InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
            Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: InstallUtil.exe, 0000000A.00000003.439472593.0000000005828000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comslnt
            Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: InstallUtil.exe, 0000000A.00000003.445783956.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
            Source: InstallUtil.exe, 0000000A.00000003.450406240.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deC
            Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: InstallUtil.exe, 0000000A.00000003.445783956.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deH
            Source: InstallUtil.exe, 0000000A.00000003.445519153.000000000582A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deld
            Source: InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: InstallUtil.exe, 0000000A.00000003.436283853.0000000005826000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cna
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
            Source: vbc.exe, 00000011.00000003.498742082.00000000027EF000.00000004.00000001.sdmp, bhvCA0A.tmp.17.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
            Source: vbc.exe, 00000011.00000003.498742082.00000000027EF000.00000004.00000001.sdmp, bhvCA0A.tmp.17.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://contextual.media.net/
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: vbc.exe, 00000011.00000003.500561241.0000000000A7E000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
            Source: vbc.exe, 00000011.00000003.500561241.0000000000A7E000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://fonts.googleapis.com/css?family=Google
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
            Source: vbc.exe, 00000011.00000003.498742082.00000000027EF000.00000004.00000001.sdmp, bhvCA0A.tmp.17.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: vbc.exe, 00000011.00000003.498742082.00000000027EF000.00000004.00000001.sdmp, bhvCA0A.tmp.17.drString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
            Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://pki.goog/repository/0
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
            Source: InstallUtil.exe, 0000000A.00000002.560687130.0000000002C15000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.digicert.com/CPS0
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google-analytics.com/analytics.js
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
            Source: 987421.exe, 00000000.00000002.428540831.00000000033F1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
            Source: 987421.exe, 00000000.00000002.428540831.00000000033F1000.00000004.00000001.sdmp, bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/
            Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
            Source: bhvCA0A.tmp.17.drString found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
            Source: bhvCA0A.tmp.17.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
            Source: unknown | DNS traffic detected: queries for: www.google.com
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: www.google.com  Connection: Keep-Alive  (no User-Agent header)
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
            Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe, 00000011.00000002.500947062.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe, 00000011.00000002.500947062.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
            Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
            Source: vbc.exe, 00000011.00000003.500561241.0000000000A7E000.00000004.00000001.sdmp | String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.facebook.com (Facebook)
            Source: vbc.exe, 00000011.00000003.500561241.0000000000A7E000.00000004.00000001.sdmp | String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.yahoo.com (Yahoo)
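            The string block shared by 987421.exe, InstallUtil.exe and vbc.exe above (the moz_logins SELECT, the signons.* file names, the IntelliForms\Storage2 key, the WebCacheV01.dat path, the three login URLs) is the footprint of a bundled browser-credential recovery component, and the same cluster is what triggers the "Tries to harvest and steal browser information" verdict. As an added triage helper that is not part of this report or of any tool named on this page, the following Python scans a file or memory dump for clusters of exactly these markers in both ASCII and UTF-16LE and grades the result. The sample buffer is constructed from the strings shown above; the grouping, the "three groups" threshold and the benign control sample are this example's own assumptions.

```python
"""Added example: flag binaries or memory dumps carrying the browser-credential
store artifacts listed in the report (Firefox logins, IE IntelliForms, WebCache)."""
import re
from collections import Counter

# Marker strings copied from the report, grouped by the credential store they touch.
# The grouping and the scoring threshold in classify() are this example's own assumptions.
ARTIFACT_GROUPS = {
    "firefox_logins": [
        b"moz_logins", b"signons.sqlite", b"signons.txt", b"signons2.txt",
        b"signons3.txt", b"nss3.dll",
    ],
    "firefox_discovery": [
        b"SOFTWARE\\Mozilla", b"App Paths\\seamonkey.exe", b"PathToExe",
    ],
    "ie_autocomplete": [
        b"Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2",
        # Login URLs that recovery tools try against Storage2, whose entries are keyed by a hash of the URL.
        b"https://www.google.com/accounts/servicelogin",
        b"http://www.facebook.com/",
        b"https://login.yahoo.com/config/login",
    ],
    "ie_history_cache": [
        b"Microsoft\\Windows\\WebCache\\WebCacheV01.dat",
        b"Microsoft\\Windows\\WebCache\\WebCacheV24.dat",
        b"index.dat",
    ],
}

# The Firefox query the report shows verbatim: the column list varies, the table name does not.
MOZ_QUERY = re.compile(rb"SELECT [\w, ]+ FROM moz_logins")


def _encodings(marker: bytes):
    """Native code keeps these strings as ASCII; .NET payloads keep them as UTF-16LE. Check both."""
    yield marker
    yield marker.decode("ascii").encode("utf-16-le")


def find_artifacts(data: bytes) -> dict:
    """Return {group: {marker: occurrences}} for every marker present in data."""
    hits = {}
    for group, markers in ARTIFACT_GROUPS.items():
        found = Counter()
        for marker in markers:
            n = sum(data.count(enc) for enc in _encodings(marker))
            if n:
                found[marker.decode("ascii")] += n
        if found:
            hits[group] = dict(found)
    return hits


def extract_moz_query(data: bytes):
    """Pull the exact moz_logins SELECT out of the dump, or None if it is absent."""
    m = MOZ_QUERY.search(data)
    return m.group(0).decode("ascii") if m else None


def classify(hits: dict) -> str:
    """A browser legitimately names its own stores (nss3.dll, moz_logins), so one group
    alone only earns a review. A non-browser binary that names Firefox, IE autocomplete
    and WebCache stores together is what the sample above looks like."""
    if len(hits) >= 3:
        return "credential-stealer-strings"
    if hits:
        return "review"
    return "no-artifacts"


# Constructed from the strings the report lists for 987421.exe / InstallUtil.exe / vbc.exe.
SAMPLE_DUMP = (
    b"@nss3.dllSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\seamonkey.exe"
    b"%programfiles%\\Sea MonkeySOFTWARE\\Mozillamozilla%s\\binPathToExe%programfiles%\\Mozilla Firefox"
    b"SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, "
    b"encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txt"
    b"signons.sqlitenetmsg.dll"
    b"Microsoft\\Windows\\WebCache\\WebCacheV01.datMicrosoft\\Windows\\WebCache\\WebCacheV24.dat"
    b"0123456789ABCDEFURL index.dat"
    b"Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2"
    b"https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login"
)
# Constructed control: what a browser's own module might contain (one group, mixed encodings).
BENIGN_SAMPLE = b"nss3.dll\x00" + "moz_logins".encode("utf-16-le") + b"\x00" * 16

if __name__ == "__main__":
    for name, buf in (("sample dump", SAMPLE_DUMP), ("benign control", BENIGN_SAMPLE)):
        hits = find_artifacts(buf)
        print(name, "->", classify(hits), hits)
        print("  moz_logins query:", extract_moz_query(buf))
```

            Run it over an unpacked region or an .sdmp file with `find_artifacts(open(path, "rb").read())`; the per-marker counts tell you which store the component targets, and `extract_moz_query` recovers the exact column list, which is a stable string to pivot on across samples.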

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 987421.exe PID: 4344, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6920, type: MEMORYSTR
            Contains functionality to log keystrokes (.Net Source)
            Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs | .Net Code: HookKeyboard
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_0040D674 OpenClipboard,GetLastError,DeleteFileW,

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
            .NET source code contains very large array initializations
            Source: 987421.exe, Xc2m/Lq8t.cs | Large array initialization: .cctor: array initializer size 4599
            Source: 987421.exe, Dg3/Ae0.cs | Large array initialization: .cctor: array initializer size 3891
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F931F9
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F9399C
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F9754F
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_033CEF90
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_003920B0
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_00B9B29C
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_00B9C310
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_00B9B290
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_00B999D0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00404419
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00404516
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00413538
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_004145A1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_0040E639
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_004337AF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_004399B1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_0043DAE7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00405CF6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00403F85
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00411F99
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404DDB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040BD8A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404E4C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404EBD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404F4E
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
            Source: 987421.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 10.2.InstallUtil.exe.74d0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.7b80000.10.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.InstallUtil.exe.282eae0.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.563407277.0000000007B80000.00000004.00020000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0000000A.00000002.563118770.00000000074D0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: 987421.exe | Binary or memory string: OriginalFilename vs 987421.exe
            Source: 987421.exe, 00000000.00000002.443897348.00000000043F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs 987421.exe
            Source: 987421.exe, 00000000.00000002.428926096.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPe6.dll" vs 987421.exe
            Source: 987421.exe, 00000000.00000002.428926096.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs 987421.exe
            Source: 987421.exe, 00000000.00000002.421049743.0000000000F92000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamesis.exe" vs 987421.exe
            Source: 987421.exe, 00000000.00000003.407192687.0000000006EC5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInstallUtil.exeT vs 987421.exe
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 987421.exe
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 987421.exe
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs 987421.exe
            Source: 987421.exe | Binary or memory string: OriginalFilenamesis.exe" vs 987421.exe
            Source: 987421.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\987421.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\987421.exe.log
            Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@7/6@4/3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,
            Source: 987421.exe | ReversingLabs: Detection: 38%
            Source: C:\Users\user\Desktop\987421.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\987421.exe 'C:\Users\user\Desktop\987421.exe'
            Source: C:\Users\user\Desktop\987421.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\Desktop\987421.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
            Source: C:\Users\user\Desktop\987421.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe, 00000011.00000002.500947062.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: C:\Users\user\Desktop\987421.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
            Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs | Base64 encoded string: 'jwpdbTVcqJzxvfBDtW68q7oRfljM8b8abw7DEV5/tgiR5+6Av2KoKY3S9Gf8JxQe', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: C:\Users\user\Desktop\987421.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\987421.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: 987421.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: 987421.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 987421.exe | Static file information: File size 1335296 > 1048576
            Source: 987421.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x145600
            Source: 987421.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp
            Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: 987421.exe, 00000000.00000003.407192687.0000000006EC5000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557456061.0000000000392000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, vbc.exe
            Source: Binary string: InstallUtil.pdb | source: 987421.exe, 00000000.00000003.407192687.0000000006EC5000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F952E1 push esi; ret
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F94489 push eax; retf
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F9587F push edx; iretd
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F94450 push eax; retf
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F94449 push eax; retf
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F93818 push ds; retf
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F9281E push ebp; iretd
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F95F93 push esp; retf
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F95F43 push cs; retf
            Source: C:\Users\user\Desktop\987421.exe | Code function: 0_2_00F95F15 push cs; retf
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_00B9E4AF pushad ; retn 027Ch
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_04CE2651 push es; retf 0004h
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_04CE2631 push es; retf 0004h
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_04CEAC12 pushfd ; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00442871 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00442A90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00446E54 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00411879 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_004118A0 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: 987421.exe, Zn10/Bj0t.cs | High entropy of concatenated method names: '.ctor', 'Tg9z', 'Sx73', 'Rg1b', 'Bf43', 'Sx02', 'Gi78', 'i0PZ', 'p6N8', 'Ws50'
            Source: 987421.exe, Hw13/z0GL.cs | High entropy of concatenated method names: '.ctor', 'g4GN', 'x7P2', 'a9YA', 'Rp9j', 'Hi0b', 'm8Z9', 't5WS', 'q7H1', 'b3Z4'
            Source: C:\Users\user\Desktop\987421.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\987421.exe | File opened: C:\Users\user\Desktop\987421.exe\:Zone.Identifier read attributes | delete
            Changes the view of files in windows explorer (hidden files and folders)
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\987421.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\987421.exe TID: 7132 | Thread sleep time: -20291418481080494s >= -30000s
            Source: C:\Users\user\Desktop\987421.exe TID: 7132 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\987421.exe TID: 7148 | Thread sleep count: 745 > 30
            Source: C:\Users\user\Desktop\987421.exe TID: 7148 | Thread sleep count: 9118 > 30
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5256 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 160 | Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2484 | Thread sleep time: -140000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 3144 | Thread sleep time: -180000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -99735s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -99594s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -99484s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -99363s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -99203s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -99093s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -98532s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -98406s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -98296s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -98185s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -97981s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -97806s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -96675s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -96547s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -96406s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -96297s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -96187s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -96077s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -95968s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2808 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Users\user\Desktop\987421.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 180000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\987421.exeWindow / User API: threadDelayed 745
            Source: C:\Users\user\Desktop\987421.exeWindow / User API: threadDelayed 9118
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: threadDelayed 1123
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: threadDelayed 2744
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\987421.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\987421.exeThread delayed: delay time: 30000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 120000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 140000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 180000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 100000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 99735
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 99594
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 99484
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 99363
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 99203
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 99093
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 98532
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 98406
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 98296
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 98185
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 97981
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 97806
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 96675
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 96547
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 96406
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 96297
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 96187
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 96077
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 95968
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
            Source: 987421.exeBinary or memory string: IHGFSD
            Source: bhvCA0A.tmp.17.drBinary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20211019T232911Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=099b8868c2c048b59f1bbe3736c81dbe&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1217169&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1217169&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
            Source: InstallUtil.exe, 0000000A.00000002.559174936.0000000000BE5000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\987421.exeProcess information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 17_2_004161B0 memset,GetSystemInfo,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 17_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 17_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 18_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 17_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 17_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\987421.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\987421.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\987421.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 760000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 760000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 760000
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 762000
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 7E2000
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 7E6000
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 5AC008
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
.NET source code references suspicious native API functions
Source: 10.2.InstallUtil.exe.760000.1.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.2.InstallUtil.exe.760000.1.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: C:\Users\user\Desktop\987421.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
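The evasion and injection lines above describe one chain: 987421.exe allocates RWX memory in a freshly started InstallUtil.exe and writes an MZ image into it; InstallUtil.exe then unmaps the image section of vbc.exe at 0x400000, writes a second MZ image over it (process hollowing), and that hollowed vbc.exe is launched with /stext to dump mail and browser credentials to text files. The script below is an added example, not part of this report or of Joe Sandbox: it parses lines in the "Source: <process> <event>: <details>" layout shown on this page, rebuilds the parent-child chain, separates hollowing (unmap plus MZ write at the same base) from plain PE injection (MZ write without an unmap), extracts the /stext output paths, and flags sleeps at or above the threshold the report itself prints after ">=". SAMPLE_LINES is a constructed subset of the lines on this page; the regexes assume that layout and that process paths contain no spaces.

```python
"""Rebuild the injection chain and evasion indicators from sandbox
behaviour lines of the form 'Source: <process> <event>: <details>'.
Added example, not part of the report or of Joe Sandbox.
"""
import re

# Constructed sample: a representative subset of the lines in this report.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\987421.exe TID: 7132 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 3144 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\987421.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 760000 protect: page execute and read and write
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 760000 value starts with: 4D5A
Source: C:\Users\user\Desktop\987421.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 762000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\987421.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
""".strip().splitlines()

# Assumed line layout: process paths contain no spaces, so \S+ captures them.
SRC = r"^Source: (?P<src>\S+) "
RE_SLEEP = re.compile(SRC + r"TID: (?P<tid>\d+) Thread sleep time: -(?P<val>\d+)s >= -(?P<thr>\d+)s")
RE_WRITE = re.compile(SRC + r"Memory written: (?P<dst>\S+) base: (?P<base>[0-9A-Fa-f]+)"
                      r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
RE_UNMAP = re.compile(SRC + r"Section unmapped: (?P<dst>\S+) base address: (?P<base>[0-9A-Fa-f]+)$")
RE_CREATE = re.compile(SRC + r"Process created: (?P<dst>\S+) (?P<cmd>.+)$")
# NirSoft-style recovery tools write their dump with "/stext <file>".
RE_STEXT = re.compile(r"/stext\s+'?(?P<out>[^']+?)'?\s*$")


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def analyze(lines):
    chain, writes_mz, unmaps, dumps, sleeps = [], set(), set(), [], []
    for line in lines:
        line = line.strip()
        if m := RE_CREATE.match(line):
            pair = (basename(m["src"]), basename(m["dst"]))
            if pair not in chain:          # keep first-seen order, no duplicates
                chain.append(pair)
            if s := RE_STEXT.search(m["cmd"]):
                dumps.append((basename(m["dst"]), s["out"]))
        elif m := RE_UNMAP.match(line):
            unmaps.add((basename(m["src"]), basename(m["dst"]), m["base"].upper()))
        elif m := RE_WRITE.match(line):
            # Only writes whose first bytes are the MZ header count as a PE image;
            # writes without a recorded value (e.g. base 762000) are ignored.
            if m["magic"] and m["magic"].upper().startswith("4D5A"):
                writes_mz.add((basename(m["src"]), basename(m["dst"]), m["base"].upper()))
        elif m := RE_SLEEP.match(line):
            # The report prints its own threshold after ">="; reuse it as-is.
            if int(m["val"]) >= int(m["thr"]):
                sleeps.append((basename(m["src"]), int(m["val"])))
    return {
        "chain": chain,
        # MZ image written at a base that was unmapped first: hollowing.
        "hollowed": sorted(writes_mz & unmaps),
        # MZ image written without an unmap at that base: plain PE injection.
        "injected": sorted(writes_mz - unmaps),
        "cred_dumps": dumps,
        "long_sleeps": sleeps,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

For triage the two sets matter separately: the InstallUtil.exe stage is a dropped, self-named copy that receives an image by injection, while vbc.exe is a legitimate signed .NET compiler whose original image is replaced, so file-based allow-listing of vbc.exe does not help and the /stext output files are the artefacts to collect.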
Source: InstallUtil.exe, 0000000A.00000002.559706836.0000000001290000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: InstallUtil.exe, 0000000A.00000002.559706836.0000000001290000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 0000000A.00000002.559706836.0000000001290000.00000002.00020000.sdmp Binary or memory string: Progman
Source: InstallUtil.exe, 0000000A.00000002.559706836.0000000001290000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Users\user\Desktop\987421.exe VolumeInformation
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\987421.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\987421.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00407674 GetVersionExW,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

            Stealing of Sensitive Information:

            Yara detected MailPassView
            Source: Yara match | File source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.7bfa72.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.37f9930.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4712e5a.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.37f9930.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.560993203.00000000037F1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.491382176.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 987421.exe PID: 4344, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6920, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6412, type: MEMORYSTR
            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 987421.exe PID: 4344, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6920, type: MEMORYSTR
            Tries to steal Mail credentials (via file registry)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match | File source: 0.2.987421.exe.46bcff5.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.37f9930.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4475a27.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.3811b50.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.769c0d.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.3811b50.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.500947062.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.560993203.00000000037F1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 987421.exe PID: 4344, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6920, type: MEMORYSTR
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

            Remote Access Functionality:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 10.2.InstallUtil.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.760000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.446dc1a.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.769c0d.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4475a27.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.768208.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.446dc1a.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4474022.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.4712e5a.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.46bb5f0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.987421.exe.46bcff5.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.281b2b4.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 987421.exe PID: 4344, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6920, type: MEMORYSTR
            Detected HawkEye Rat
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Source: InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger
            Source: InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: gl&HawkEye_Keylogger_Execution_Confirmed_
            Source: InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: gl"HawkEye_Keylogger_Stealer_Records_

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Replication Through Removable Media1 | Windows Management Instrumentation21 | Application Shimming1 | Application Shimming1 | Disable or Modify Tools1 | OS Credential Dumping1 | System Time Discovery1 | Replication Through Removable Media1 | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API11 | Boot or Logon Initialization Scripts | Process Injection412 | Deobfuscate/Decode Files or Information11 | Input Capture1 | Peripheral Device Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Encrypted Channel11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Shared Modules1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information31 | Credentials in Registry2 | Account Discovery1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing11 | Credentials In Files1 | File and Directory Discovery1 | Distributed Component Object Model | Input Capture1 | Scheduled Transfer | Remote Access Software1 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | System Information Discovery19 | SSH | Clipboard Data1 | Data Transfer Size Limits | Non-Application Layer Protocol2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion31 | Cached Domain Credentials | Security Software Discovery31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol13 | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection412 | DCSync | Virtualization/Sandbox Evasion31 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories2 | Proc Filesystem | Process Discovery4 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Application Window Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
            Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 505624 | Sample: 987421.exe | Startdate: 19/10/2021 | Architecture: WINDOWS | Score: 100
            Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected HawkEye Rat; 8 other signatures
            987421.exe 15 4 (started)
                DNS/IP: www.google.com 142.250.203.100, 443, 49750 GOOGLEUS United States; 192.168.2.1 unknown unknown
                Dropped: C:\Users\user\AppData\...\InstallUtil.exe, PE32; C:\Users\user\AppData\...\987421.exe.log, ASCII
                Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
                InstallUtil.exe 4 (started)
                    DNS/IP: merchantexint.com 173.231.223.186, 49836, 587 INMOTI-1US United States; mail.merchantexint.com; 194.167.4.0.in-addr.arpa
                    Signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Sample uses process hollowing technique; Injects a PE file into a foreign processes
                    vbc.exe 2 (started): Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc)
                    vbc.exe 1 (started): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            987421.exe | 39% | ReversingLabs | Win32.Trojan.AgentTesla
            987421.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            17.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
            0.2.987421.exe.446dc1a.3.unpack | 100% | Avira | TR/Inject.vcoldi
            10.2.InstallUtil.exe.760000.1.unpack | 100% | Avira | TR/AD.MExecute.lzrac
            10.2.InstallUtil.exe.760000.1.unpack | 100% | Avira | SPR/Tool.MailPassView.473

            Domains

            Source | Detection | Scanner | Label
            merchantexint.com | 0% | Virustotal |
            194.167.4.0.in-addr.arpa | 0% | Virustotal |

            URLs

            Source | Detection | Scanner | Label
            http://www.goodfont.co.kr-c | 0% | Avira URL Cloud | safe
            http://www.fontbureau.comessedw | 0% | Avira URL Cloud | safe
            https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/9 | 0% | URL Reputation | safe
            http://www.fontbureau.comgrita | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/6 | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/$ | 0% | URL Reputation | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            http://www.sandoll.co.kr? | 0% | Avira URL Cloud | safe
            https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | 0% | URL Reputation | safe
            http://www.carterandcone.coma | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/Z | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | 0% | URL Reputation | safe
            https://pki.goog/repository/0 | 0% | URL Reputation | safe
            http://www.fontbureau.com.TTFK | 0% | Avira URL Cloud | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/x | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/l | 0% | URL Reputation | safe
            http://www.sandoll.co.krim | 0% | URL Reputation | safe
            http://www.carterandcone.comncy | 0% | URL Reputation | safe
            http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
            http://www.fontbureau.comalsoe | 0% | Avira URL Cloud | safe
            http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
            http://www.fontbureau.comow | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            http://www.urwpp.deld | 0% | Avira URL Cloud | safe
            https://aefd.nelreports.net/api/report?cat=bingth | 0% | URL Reputation | safe
            http://www.carterandcone.comroa | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/~ | 0% | URL Reputation | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://www.fontbureau.comF6 | 0% | Avira URL Cloud | safe
            http://www.monotype.q | 0% | Avira URL Cloud | safe
            http://www.galapagosdesign.com/w | 0% | Avira URL Cloud | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://www.urwpp.de | 0% | URL Reputation | safe
            http://www.fontbureau.comasno | 0% | Avira URL Cloud | safe
            http://www.founder.com.c | 0% | URL Reputation | safe
            http://www.fontbureau.comdw | 0% | Avira URL Cloud | safe
            http://www.fontbureau.comsivd | 0% | Avira URL Cloud | safe
            http://en.wikip_ | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ | 0% | URL Reputation | safe
            https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe
            http://www.galapagosdesign.com// | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe
            http://www.monotype. | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js | 0% | URL Reputation | safe
            http://mail.merchantexint.com | 0% | Avira URL Cloud | safe
            http://ns.adobe.c/g | 0% | URL Reputation | safe
            http://www.fontbureau.comessed | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.google.com | 142.250.203.100 | true | false | | high
            merchantexint.com | 173.231.223.186 | true | false | | unknown
            mail.merchantexint.com | unknown | unknown | false | | unknown
            194.167.4.0.in-addr.arpa | unknown | unknown | false | | unknown

                URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://www.google.com/chrome/static/css/main.v2.min.css | bhvCA0A.tmp.17.dr | false | | high
            http://www.goodfont.co.kr-c | InstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.comessedw | InstallUtil.exe, 0000000A.00000003.448056493.000000000582A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.msn.com | bhvCA0A.tmp.17.dr | false | | high
            http://www.fontbureau.com/designers | InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp | false | | high
            https://deff.nelreports.net/api/report?cat=msn | bhvCA0A.tmp.17.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png | bhvCA0A.tmp.17.dr | false | | high
            https://www.google.com/chrome/ | bhvCA0A.tmp.17.dr | false | | high
            http://www.jiyu-kobo.co.jp/9 | InstallUtil.exe, 0000000A.00000003.444934036.000000000582A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.comgrita | InstallUtil.exe, 0000000A.00000003.446044224.000000000582A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.jiyu-kobo.co.jp/6 | InstallUtil.exe, 0000000A.00000003.444934036.000000000582A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.jiyu-kobo.co.jp// | InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166 | vbc.exe, 00000011.00000003.498742082.00000000027EF000.00000004.00000001.sdmp, bhvCA0A.tmp.17.dr | false | | high
            https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn | bhvCA0A.tmp.17.dr | false | | high
            http://whatismyipaddress.com/- | 987421.exe, 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp | false | | high
            http://www.galapagosdesign.com/DPlease | InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.jiyu-kobo.co.jp/Y0 | InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.site.com/logs.php | InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp | false | | high
            https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c | vbc.exe, 00000011.00000003.500561241.0000000000A7E000.00000004.00000001.sdmp | false | | high
            http://www.jiyu-kobo.co.jp/$ | InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.zhongyicts.com.cn | InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 987421.exe, 00000000.00000002.428540831.00000000033F1000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp | false | | high
            http://www.sandoll.co.kr? | InstallUtil.exe, 0000000A.00000003.432698506.000000000582E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | bhvCA0A.tmp.17.dr | false | URL Reputation: safe | unknown
            http://www.carterandcone.coma | InstallUtil.exe, 0000000A.00000003.436490625.0000000005828000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.jiyu-kobo.co.jp/Z | InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | bhvCA0A.tmp.17.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg | bhvCA0A.tmp.17.dr | false | | high
            https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | bhvCA0A.tmp.17.dr | false | URL Reputation: safe | unknown
            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | bhvCA0A.tmp.17.dr | false | | high
            https://www.google.com/chrome/static/images/download-browser/pixel_phone.png | bhvCA0A.tmp.17.dr | false | | high
            https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png | bhvCA0A.tmp.17.dr | false | | high
            https://pki.goog/repository/0 | bhvCA0A.tmp.17.dr | false | URL Reputation: safe | unknown
            http://www.fontbureau.com.TTFK | InstallUtil.exe, 0000000A.00000003.445953221.000000000582A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.carterandcone.coml | InstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.msn.com/ | bhvCA0A.tmp.17.dr | false | | high
            http://www.jiyu-kobo.co.jp/x | InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674 | bhvCA0A.tmp.17.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg | bhvCA0A.tmp.17.dr | false | |
                                                    high
                                                    http://www.jiyu-kobo.co.jp/lInstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.sandoll.co.krimInstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.google.com/chrome/static/images/fallback/icon-help.jpgbhvCA0A.tmp.17.drfalse
                                                      high
                                                      https://www.google.com/accounts/serviceloginvbc.exefalse
                                                        high
                                                        http://www.carterandcone.comncyInstallUtil.exe, 0000000A.00000003.437983668.0000000005828000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://crl.pki.goog/gsr2/gsr2.crl0?bhvCA0A.tmp.17.drfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.comalsoeInstallUtil.exe, 0000000A.00000003.449368036.000000000582A000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://pki.goog/gsr2/GTSGIAG3.crt0)bhvCA0A.tmp.17.drfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.google.com/chrome/static/images/fallback/icon-fb.jpgbhvCA0A.tmp.17.drfalse
                                                          high
                                                          http://www.fontbureau.comowInstallUtil.exe, 0000000A.00000003.464420208.000000000582A000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.founder.com.cn/cn/bTheInstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.urwpp.deldInstallUtil.exe, 0000000A.00000003.445519153.000000000582A000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://aefd.nelreports.net/api/report?cat=bingthbhvCA0A.tmp.17.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://www.google.com/chrome/static/images/homepage/google-canary.pngbhvCA0A.tmp.17.drfalse
                                                            high
                                                            http://www.carterandcone.comroaInstallUtil.exe, 0000000A.00000003.437109020.0000000005828000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsbhvCA0A.tmp.17.drfalse
                                                              high
                                                              https://www.google.com/chrome/static/js/main.v2.min.jsbhvCA0A.tmp.17.drfalse
                                                                high
                                                                https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpgbhvCA0A.tmp.17.drfalse
                                                                  high
                                                                  https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbfbhvCA0A.tmp.17.drfalse
                                                                    high
                                                                    http://www.jiyu-kobo.co.jp/~InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.typography.netDInstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://fontfabrik.comInstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.fontbureau.comF6InstallUtil.exe, 0000000A.00000003.448056493.000000000582A000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.monotype.qInstallUtil.exe, 0000000A.00000003.453387839.000000000582A000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2bhvCA0A.tmp.17.drfalse
                                                                      high
                                                                      http://www.galapagosdesign.com/wInstallUtil.exe, 0000000A.00000003.454754908.000000000582A000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://www.google.com/chrome/static/images/fallback/icon-youtube.jpgbhvCA0A.tmp.17.drfalse
                                                                        high
                                                                        http://www.fonts.comInstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://www.sandoll.co.krInstallUtil.exe, 0000000A.00000003.432892970.000000000582E000.00000004.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0bhvCA0A.tmp.17.drfalse
                                                                            high
                                                                            http://www.urwpp.deInstallUtil.exe, 0000000A.00000003.445783956.000000000582A000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173bhvCA0A.tmp.17.drfalse
                                                                              high
                                                                              https://www.google.com/chrome/static/js/installer.min.jsbhvCA0A.tmp.17.drfalse
                                                                                high
                                                                                http://www.fontbureau.comasnoInstallUtil.exe, 0000000A.00000003.465416496.0000000005825000.00000004.00000001.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.fontbureau.com/designers/cabarga.htmltInstallUtil.exe, 0000000A.00000003.449066115.000000000582A000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.founder.com.cInstallUtil.exe, 0000000A.00000003.433873145.000000000582E000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://www.google.com/chrome/static/images/download-browser/pixel_tablet.pngbhvCA0A.tmp.17.drfalse
                                                                                    high
                                                                                    http://www.fontbureau.comdwInstallUtil.exe, 0000000A.00000003.451034728.000000000582A000.00000004.00000001.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.fontbureau.comsivdInstallUtil.exe, 0000000A.00000003.450047786.000000000582A000.00000004.00000001.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://en.wikip_InstallUtil.exe, 0000000A.00000003.433873145.000000000582E000.00000004.00000001.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    low
                                                                                    http://www.jiyu-kobo.co.jp/jp/InstallUtil.exe, 0000000A.00000003.443702950.0000000005828000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000003.442297868.0000000005825000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJbhvCA0A.tmp.17.drfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhvCA0A.tmp.17.drfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://www.google.com/chrome/static/images/homepage/google-beta.pngbhvCA0A.tmp.17.drfalse
                                                                                      high
                                                                                      http://www.msn.com/de-ch/?ocid=iehpvbc.exe, 00000011.00000003.498594832.00000000027E6000.00000004.00000001.sdmp, bhvCA0A.tmp.17.drfalse
                                                                                        high
                                                                                        https://www.google.com/chrome/static/images/icon-file-download.svgbhvCA0A.tmp.17.drfalse
                                                                                          high
                                                                                          http://www.fontbureau.com/designers/cabarga.htmlNInstallUtil.exe, 0000000A.00000002.562676514.0000000006B02000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://www.galapagosdesign.com//InstallUtil.exe, 0000000A.00000003.454005367.000000000582A000.00000004.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.founder.com.cn/cnInstallUtil.exe, 0000000A.00000003.433873145.000000000582E000.00000004.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.monotype.InstallUtil.exe, 0000000A.00000003.460108105.000000000582A000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000003.454171426.000000000582A000.00000004.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1bhvCA0A.tmp.17.drfalse
                                                                                              high
                                                                                              https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.jsbhvCA0A.tmp.17.drfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47bhvCA0A.tmp.17.drfalse
                                                                                                high
                                                                                                https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gbhvCA0A.tmp.17.drfalse
                                                                                                  high
                                                                                                  http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplatebhvCA0A.tmp.17.drfalse
                                                                                                    high
                                                                                                    https://www.google.com/chrome/static/images/folder-applications.svgbhvCA0A.tmp.17.drfalse
                                                                                                      high
                                                                                                      http://mail.merchantexint.comInstallUtil.exe, 0000000A.00000002.560629519.0000000002C0B000.00000004.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpgbhvCA0A.tmp.17.drfalse
                                                                                                        high
                                                                                                        http://ns.adobe.c/g987421.exe, 00000000.00000002.448648735.00000000074A4000.00000004.00000001.sdmp, 987421.exe, 00000000.00000003.305194249.00000000074AA000.00000004.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://www.fontbureau.comessedInstallUtil.exe, 0000000A.00000003.448056493.000000000582A000.00000004.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://www.google.com/chrome/static/images/chrome-logo.svgbhvCA0A.tmp.17.drfalse
                                                                                                          high

                                                                                                          Contacted IPs


                                                                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
173.231.223.186 | merchantexint.com | United States | 54641 | INMOTI-1US | false
142.250.203.100 | www.google.com | United States | 15169 | GOOGLEUS | false

                                                                                                          Private

                                                                                                          IP
                                                                                                          192.168.2.1
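The URL table and the contacted-IP table above are raw sandbox output, and almost every row in the URL table is noise: strings carved from the memory of the hollowed InstallUtil.exe and 987421.exe processes, or entries from the dropped file bhvCA0A.tmp.17.dr. The quickest way to find the rows that matter is to keep only hosts the sandbox actually connected to. The helper below is an added example, not part of this report or of Joe Sandbox: it parses rows in the form a text export of the report produces (URL, source column, malicious flag, antivirus verdict and reputation run together with no delimiter) and cross-references them with the Public contacted-IP table. Splitting the URL from the source column relies on the artefact names this report uses (987421.exe, InstallUtil.exe, vbc.exe, bhvCA0A.tmp.17.dr); that list is an assumption tied to this report and would be replaced for another one. The sample rows are a constructed excerpt copied from the table above, and CONTACTED_IPS is the report's Public contacted-IP table.

```python
"""Triage the URL rows of a Joe Sandbox report as they appear in a text export,
where URL, source, malicious flag, antivirus verdict and reputation are run
together. Added example; not part of the report or of Joe Sandbox."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Source artefacts named in this report. Assumption: the URL column has no
# delimiter before the source column, so the first occurrence of one of these
# names marks where the carved URL ends. Another report needs its own list.
SOURCE_NAMES = ("987421.exe", "InstallUtil.exe", "vbc.exe", "bhvCA0A.tmp.17.dr")
SOURCE_RE = re.compile("|".join(re.escape(n) for n in SOURCE_NAMES))
# The malicious flag is glued to the end of the source column.
FLAG_RE = re.compile(r"^(?P<body>.*?)(?P<flag>true|false)$")

# Constructed excerpt: six rows copied from the report's URL table.
SAMPLE_ROWS = """\
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name987421.exe, 00000000.00000002.428540831.00000000033F1000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmpfalse
high
http://www.sandoll.co.kr?InstallUtil.exe, 0000000A.00000003.432698506.000000000582E000.00000004.00000001.sdmpfalse
• Avira URL Cloud: safe
unknown
https://www.google.com/chrome/static/images/fallback/icon-file-download.jpgbhvCA0A.tmp.17.drfalse
high
https://www.google.com/accounts/serviceloginvbc.exefalse
high
http://mail.merchantexint.comInstallUtil.exe, 0000000A.00000002.560629519.0000000002C0B000.00000004.00000001.sdmpfalse
• Avira URL Cloud: safe
unknown
http://www.msn.com/de-ch/?ocid=iehpvbc.exe, 00000011.00000003.498594832.00000000027E6000.00000004.00000001.sdmp, bhvCA0A.tmp.17.drfalse
high
"""
# The report's Public contacted-IP table: domain -> IP.
CONTACTED_IPS = {"merchantexint.com": "173.231.223.186",
                 "www.google.com": "142.250.203.100"}


@dataclass
class UrlRow:
    url: str
    sources: List[str]        # process or dropped-file names, in order, deduplicated
    malicious: bool
    detection: Optional[str]  # e.g. "Avira URL Cloud: safe"; None when the cell is empty
    reputation: str           # "high", "low" or "unknown"

    @property
    def host(self) -> str:
        return (urlsplit(self.url).hostname or "").lower()


def parse_rows(text: str) -> List[UrlRow]:
    """A row is the URL line (ending in the malicious flag), an optional
    '• vendor: verdict' line, then the reputation line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rows: List[UrlRow] = []
    i = 0
    while i < len(lines):
        m = FLAG_RE.match(lines[i])
        if not m or not m.group("body").startswith(("http://", "https://")):
            raise ValueError(f"line {i}: not a URL row: {lines[i]!r}")
        body = m.group("body")
        cut = SOURCE_RE.search(body)
        if cut is None:
            raise ValueError(f"line {i}: no known source artefact in {body!r}")
        url, source_col = body[:cut.start()], body[cut.start():]
        sources: List[str] = []
        for name in SOURCE_RE.findall(source_col):
            if name not in sources:
                sources.append(name)
        i += 1
        detection = None
        if i < len(lines) and lines[i].startswith("•"):
            detection = lines[i].lstrip("•").strip()
            i += 1
        if i >= len(lines):
            raise ValueError("row truncated: reputation line missing")
        rows.append(UrlRow(url, sources, m.group("flag") == "true",
                           detection, lines[i]))
        i += 1
    return rows


def corroborated_hosts(rows: List[UrlRow],
                       contacted: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Keep only hosts the sandbox actually connected to: the host, or a parent
    domain of it, is in the contacted-IP table. Returns host -> (IP, artefacts
    the URL was found in). Strings that were never resolved, such as the
    fontbureau.com and similar rows carved from memory, drop out."""
    out: Dict[str, Tuple[str, List[str]]] = {}
    for row in rows:
        for domain, ip in contacted.items():
            if row.host == domain or row.host.endswith("." + domain):
                _, srcs = out.setdefault(row.host, (ip, []))
                for s in row.sources:
                    if s not in srcs:
                        srcs.append(s)
    return out


if __name__ == "__main__":
    result = corroborated_hosts(parse_rows(SAMPLE_ROWS), CONTACTED_IPS)
    for host, (ip, srcs) in result.items():
        print(f"{host:26} {ip:16} {', '.join(srcs)}")
```

Run against the full table, this reduces the roughly eighty URL rows to two hosts: www.google.com, reached from bhvCA0A.tmp.17.dr and vbc.exe, and mail.merchantexint.com, carved only from InstallUtil.exe memory and matching the one contacted IP that is not Google's. Given the HawkEye and MailPassView verdicts, that is the host to pivot on; the report's own "Malicious: false" column is a reputation lookup, not a judgement about this sample's traffic.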

                                                                                                          General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 505624
Start date: 19.10.2021
Start time: 16:28:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 53s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 987421.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@7/6@4/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 5.6% (good quality ratio 4.6%)
• Quality average: 66.9%
• Quality standard deviation: 38.2%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 204.79.197.200, 13.107.21.200, 20.82.210.154, 2.20.178.56, 2.20.178.10, 20.199.120.182, 20.199.120.151, 20.54.110.249, 40.112.88.60, 2.20.178.33, 2.20.178.24, 20.199.120.85
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, a-0001.a-afdentry.net.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
16:29:46 | API Interceptor | 204x Sleep call for process: 987421.exe modified
16:30:54 | API Interceptor | 25x Sleep call for process: InstallUtil.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
173.231.223.186 | 482471.exe | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context

ASN

Match | Associated Sample Name / URL | Detection | Context
INMOTI-1US | 70654 SSEBACT.exe | malicious | 104.193.142.174
 | 70654 SSEBACT.exe | malicious | 104.193.142.174
 | BANKING INFORMATION.exe | malicious | 104.193.142.174
 | COSCOSH SHANGHAI SHIP MANAGEMENT CO LTD.exe | malicious | 104.193.142.174
 | Angebot Anfrage Maschinensucher YOM.exe | malicious | 173.205.124.65
 | COSCOSH SHANGHAI SHIP MANAGEMENT CO LTD.exe | malicious | 104.193.142.174
 | SecuriteInfo.com.__vbaHresultCheckObj.9268.exe | malicious | 104.247.76.214
 | TRANSFER REQUEST FORM.exe | malicious | 104.193.142.174
 | TRANSFER REQUEST FORM.exe | malicious | 104.193.142.174
 | Equiniti.AP Summary.3405.html | malicious | 173.231.220.228
 | ugsuHxq7Ey.exe | malicious | 209.182.206.86
 | waff.xls | malicious | 173.231.245.32
 | QOJ48GT1(09-17-2021).vbs | malicious | 199.250.202.192
 | QJfoKgzkov.exe | malicious | 199.250.199.190
 | orderDetails.xlsx | malicious | 199.250.194.93
 | orderDetails.xlsx | malicious | 199.250.194.93
 | Dynamic_OrderDetails&Invoice.js | malicious | 199.250.194.93
 | orderDetails.xlsx | malicious | 199.250.194.93
 | orderDetails.xlsx | malicious | 199.250.194.93
 | orderDetails.xlsx | malicious | 199.250.194.93

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
54328bd36c14bd82ddaa0c04b25ed9ad | Halkbank_Ekstre_202110019_095125_132879.exe | malicious | 142.250.203.100
 | hesaphareketi-01.pdf.exe | malicious | 142.250.203.100
 | TDH_011523075202IMG.exe | malicious | 142.250.203.100
 | Purchase Order PDF.exe | malicious | 142.250.203.100
 | TDH_71036210065IMG.xls | malicious | 142.250.203.100
 | eLJyojaW0RFPJhK.exe | malicious | 142.250.203.100
 | TDH_71036210065IMG.exe | malicious | 142.250.203.100
 | banka_ekstresi_10-18-2021.exe | malicious | 142.250.203.100
 | New order WEEK 42.exe | malicious | 142.250.203.100
 | SecuriteInfo.com.Variant.MSILKrypt.4.27251.exe | malicious | 142.250.203.100
 | hesaphareketi-01.exe | malicious | 142.250.203.100
 | _10_2021.exe | malicious | 142.250.203.100
 | DHL AWB.pdf.exe | malicious | 142.250.203.100
 | DHL_1012617429350,pdf.exe | malicious | 142.250.203.100
 | hesaphareketi-01.PDF.exe | malicious | 142.250.203.100
 | RFQ-10202114365.vbs | malicious | 142.250.203.100
 | hesaphareketi-01.exe | malicious | 142.250.203.100
 | PO.exe | malicious | 142.250.203.100
 | 785963.exe | malicious | 142.250.203.100
 | Ref 0180066743.vbs | malicious | 142.250.203.100

Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 1jFL48LG1f.exe | malicious |
 | _10_2021.exe | malicious |
 | 785963.exe | malicious |
 | SecuriteInfo.com.Variant.Cerbu.117505.10723.exe | malicious |
 | 201586.exe | malicious |
 | UmCQxOLk0D.exe | malicious |
 | DO1021.exe | malicious |
 | YkvUaJLax2.exe | malicious |
 | Bankdetails86507.exe | malicious |
 | 13MH7svRRs.exe | malicious |
 | amJMFKmRB2.exe | malicious |
 | 75lT7DuXrs.exe | malicious |
 | NZi63BWERD.exe | malicious |
 | p6fx0L15Ae.exe | malicious |
 | Mn21Tzx74m.exe | malicious |
 | 3NJdgX4P5W.exe | malicious |
 | GZ904kda5f.exe | malicious |
 | FedExOVO PRA#U0106ENJE-pdf.exe | malicious |
 | .07.2021.exe | malicious |

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\987421.exe.log
Process: C:\Users\user\Desktop\987421.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1402
Entropy (8bit): 5.338819835253785
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKoesXE8:MIHK5HKXE1qHxvbHK5AHKzvRYHKhQnoe
MD5: 1B32E71ED0326337C6593D13A55E54F4
SHA1: 0452CD9E26B6C35A3D186FD6DDB1B3365AFDB16C
SHA-256: 047E61E1F57F4922CA346203710E828859BB61800D9A72C2E64092EBB218CCA8
SHA-512: 1B5BF6D43F14FFEC6A58366222F606CB9EA1781E9E4A7E6F340E9982DD82F296ACA693EA94105F78705C01D254A7B7897050C7289CC942122C7B83221CC15DAA
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Process: C:\Users\user\Desktop\987421.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 41064
Entropy (8bit): 6.164873449128079
Encrypted: false
SSDEEP: 384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5: EFEC8C379D165E3F33B536739AEE26A3
SHA1: C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256: 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512: 497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 1jFL48LG1f.exe, Detection: malicious
• Filename: _10_2021.exe, Detection: malicious
• Filename: 785963.exe, Detection: malicious
• Filename: SecuriteInfo.com.Variant.Cerbu.117505.10723.exe, Detection: malicious
• Filename: 201586.exe, Detection: malicious
• Filename: UmCQxOLk0D.exe, Detection: malicious
• Filename: DO1021.exe, Detection: malicious
• Filename: YkvUaJLax2.exe, Detection: malicious
• Filename: Bankdetails86507.exe, Detection: malicious
• Filename: 13MH7svRRs.exe, Detection: malicious
• Filename: amJMFKmRB2.exe, Detection: malicious
• Filename: 75lT7DuXrs.exe, Detection: malicious
• Filename: NZi63BWERD.exe, Detection: malicious
• Filename: p6fx0L15Ae.exe, Detection: malicious
• Filename: Mn21Tzx74m.exe, Detection: malicious
• Filename: 3NJdgX4P5W.exe, Detection: malicious
• Filename: GZ904kda5f.exe, Detection: malicious
• Filename: FedExOVO PRA#U0106ENJE-pdf.exe, Detection: malicious
• Filename: .07.2021.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
C:\Users\user\AppData\Local\Temp\bhvCA0A.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xa8f0ce9c, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 26738688
Entropy (8bit): 1.0500074532746373
Encrypted: false
SSDEEP: 24576:+UlA2TaNxucRfDw/ZD0Xko5QqbMgSFDb7uBi:oRfDDy
MD5: 75C00C30F27079918155B76A8A191FA2
SHA1: AF42DB18B94CCA7218275D513923866D270C80AD
SHA-256: 7C3545274D802709DFB528F9AFD130075C1A0F20E40C0F544DE8EA565888E148
SHA-512: BFECFAA9ECA4E0ED79E24E6975211A4010D3AA24902B4DC1B72E3A7292D5E59998CC96398363A8506D87775306A2F39C7BE8A1C3634A374DB507AFDEA0DEBC3D
Malicious: false
Reputation: low
                                                                                                                                                  Preview: ...... .......F1.......te3....wg.......................o..........yG......y..h.q.........................6..43....wI.............................................................................................Z............B.................................................................................................................. ............y........................................................................................................................................................................................................................................x.....y.}................5...1....y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2
                                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: ..
                                                                                                                                                  C:\Users\user\AppData\Roaming\pid.txt
                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4
                                                                                                                                                  Entropy (8bit):2.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:CV:CV
                                                                                                                                                  MD5:659B7B42E9C002CE0075077CD55A1623
                                                                                                                                                  SHA1:7C51F33F354F6755A5C2D63F4FFB0AA5ADBCB825
                                                                                                                                                  SHA-256:28C83F4635D193B3CF29A03DCDA640E46122AF04869854943F7364387164E212
                                                                                                                                                  SHA-512:1DDB6234BB5395C973CDA4CBB5B71E849D341583019CABD294FE9A34CAD349E76B9E3A87B7FDC0A1A07EA169B7DF5C87D314FED610485BE4E22B0283E8CB57AF
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: 6920
                                                                                                                                                  C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):49
                                                                                                                                                  Entropy (8bit):4.361973558701858
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:oNWXp5cViE2J5xAIOWRxRI0dAn:oNWXp+N23f5RndA
                                                                                                                                                  MD5:8069A620598F6D0795A045BC4C040FCE
                                                                                                                                                  SHA1:BE6C7D1B6E3A49925674F335C601A53E985A2496
                                                                                                                                                  SHA-256:85E54950497C2B5262439CC09BB7E0779225EAFF0C50B75D59DECE689F2B0625
                                                                                                                                                  SHA-512:D9AB55D7A597CB3DB20E069AA4893654C7033E42738AD5CF3AA489C5745E3D85CBAD12530542241CD2133C52E108368AA5DB7255692177745A1EEAAFB3398306
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

                                                                                                                                                  Static File Info

                                                                                                                                                  General

                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                  Entropy (8bit):6.459765346752096
                                                                                                                                                  TrID:
                                                                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                  File name:987421.exe
                                                                                                                                                  File size:1335296
                                                                                                                                                  MD5:75e71ba1842dc3f63198386adb92716f
                                                                                                                                                  SHA1:3dac2a6f86bf211fe4ed33f21dc63bbd1ff04114
                                                                                                                                                  SHA256:72946d33bc1e3945ed628d129fcc9096dc1ff9cedcfe2fe568ade44544519a20
                                                                                                                                                  SHA512:e0c2b6d689d6455e46d97079f28fcf7219a043bb1cb943c0d16ea5220b07f6bcc3267382db6a99783f3c2a0d6ec47e10f67a31491fc8bf9612eb15d3c7cdc834
                                                                                                                                                  SSDEEP:24576:VWkquDJ+ssHgu3bt5KbLmYeKSKLRzFmt5J2NYKF:NqqARQyYV9FmzJ2j
                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....1P.................V...........t... ........@.. ....................................`................................

                                                                                                                                                  File Icon

                                                                                                                                                  Icon Hash:00828e8e8686b000

                                                                                                                                                  Static PE Info

                                                                                                                                                  General

                                                                                                                                                  Entrypoint:0x5474de
                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                  Digitally signed:false
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                                                                  Time Stamp:0x5031DAE8 [Mon Aug 20 06:36:24 2012 UTC]
                                                                                                                                                  TLS Callbacks:
                                                                                                                                                  CLR (.Net) Version:v4.0.30319
                                                                                                                                                  OS Version Major:4
                                                                                                                                                  OS Version Minor:0
                                                                                                                                                  File Version Major:4
                                                                                                                                                  File Version Minor:0
                                                                                                                                                  Subsystem Version Major:4
                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                                  Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (this line is repeated 97 times in the report)

The only genuine instruction is the first one. The native entry point of a .NET executable is a 6-byte stub, FF 25 followed by an absolute address, that jumps indirectly through the import address table to mscoree!_CorExeMain, which loads the CLR and transfers control to the managed entry point; 0x00402000 is ImageBase 0x400000 plus RVA 0x2000. The bytes after the stub are zero padding, which a linear disassembler renders as add byte ptr [eax], al (opcode 00 00); they are not code. Likewise the entry point 0x5474de listed above is a virtual address (ImageBase plus RVA 0x1474de), not a file offset.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x147490         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x148000         0x57e         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x14a000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x1454e4      0x145600  False     0.593298297637   data       6.4640596927    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x148000         0x57e         0x600     False     0.414713541667   data       4.06709741889   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x14a000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size   Type                                                                        Language  Country
RT_VERSION   0x1480a0  0x2f2  data
RT_MANIFEST  0x148394  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright
Assembly Version  1.0.7962.23557
InternalName      sis.exe
FileVersion       1.0.7962.23557
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion    1.0.7962.23557
FileDescription
OriginalFilename  sis.exe

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 19, 2021 16:29:26.837239027 CEST | 60784 | 53 | 192.168.2.3 | 8.8.8.8
Oct 19, 2021 16:29:26.858906031 CEST | 53 | 60784 | 8.8.8.8 | 192.168.2.3
Oct 19, 2021 16:30:49.761821032 CEST | 64367 | 53 | 192.168.2.3 | 8.8.8.8
Oct 19, 2021 16:30:49.786411047 CEST | 53 | 64367 | 8.8.8.8 | 192.168.2.3
Oct 19, 2021 16:31:10.206275940 CEST | 55393 | 53 | 192.168.2.3 | 8.8.8.8
Oct 19, 2021 16:31:10.384677887 CEST | 53 | 55393 | 8.8.8.8 | 192.168.2.3
Oct 19, 2021 16:31:10.438400984 CEST | 50585 | 53 | 192.168.2.3 | 8.8.8.8
Oct 19, 2021 16:31:10.545103073 CEST | 53 | 50585 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 19, 2021 16:29:26.837239027 CEST | 192.168.2.3 | 8.8.8.8 | 0xa6d4 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Oct 19, 2021 16:30:49.761821032 CEST | 192.168.2.3 | 8.8.8.8 | 0xec5 | Standard query (0) | 194.167.4.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Oct 19, 2021 16:31:10.206275940 CEST | 192.168.2.3 | 8.8.8.8 | 0x5907 | Standard query (0) | mail.merchantexint.com | A (IP address) | IN (0x0001)
Oct 19, 2021 16:31:10.438400984 CEST | 192.168.2.3 | 8.8.8.8 | 0x9b98 | Standard query (0) | mail.merchantexint.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 19, 2021 16:29:26.858906031 CEST | 8.8.8.8 | 192.168.2.3 | 0xa6d4 | No error (0) | www.google.com |  | 142.250.203.100 | A (IP address) | IN (0x0001)
Oct 19, 2021 16:30:49.786411047 CEST | 8.8.8.8 | 192.168.2.3 | 0xec5 | Name error (3) | 194.167.4.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Oct 19, 2021 16:31:10.384677887 CEST | 8.8.8.8 | 192.168.2.3 | 0x5907 | No error (0) | mail.merchantexint.com | merchantexint.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 19, 2021 16:31:10.384677887 CEST | 8.8.8.8 | 192.168.2.3 | 0x5907 | No error (0) | merchantexint.com |  | 173.231.223.186 | A (IP address) | IN (0x0001)
Oct 19, 2021 16:31:10.545103073 CEST | 8.8.8.8 | 192.168.2.3 | 0x9b98 | No error (0) | mail.merchantexint.com | merchantexint.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 19, 2021 16:31:10.545103073 CEST | 8.8.8.8 | 192.168.2.3 | 0x9b98 | No error (0) | merchantexint.com |  | 173.231.223.186 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.google.com

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49750 | 142.250.203.100 | 443 | C:\Users\user\Desktop\987421.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-19 14:29:27 UTC | 0 | OUT | GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
2021-10-19 14:29:27 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Tue, 19 Oct 2021 14:29:27 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: CONSENT=PENDING+100; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
                                                                                                                                                  2021-10-19 14:29:27 UTC0INData Raw: 35 30 33 62 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 66 72 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c
                                                                                                                                                  Data Ascii: 503b<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="fr"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><
                                                                                                                                                  2021-10-19 14:29:27 UTC1INData Raw: 2c 32 30 32 33 2c 31 37 37 37 2c 35 32 30 2c 31 34 36 37 30 2c 33 32 32 37 2c 34 31 39 2c 32 34 32 36 2c 37 2c 34 37 37 33 2c 37 35 38 31 2c 35 30 39 36 2c 31 31 36 32 35 2c 34 31 34 32 2c 35 35 33 2c 39 30 38 2c 32 2c 33 35 35 35 2c 31 33 31 34 32 2c 33 2c 33 34 36 2c 32 33 30 2c 36 34 35 39 2c 31 34 39 2c 31 33 39 37 35 2c 31 2c 31 2c 32 2c 31 35 32 38 2c 32 33 30 34 2c 31 32 33 36 2c 35 38 30 33 2c 34 36 38 34 2c 32 30 31 34 2c 31 31 35 30 31 2c 33 38 32 34 2c 33 30 35 30 2c 32 36 35 38 2c 37 33 35 37 2c 33 30 2c 38 39 34 2c 34 37 32 31 2c 34 39 2c 37 39 36 34 2c 32 33 30 35 2c 36 33 38 2c 31 38 32 38 30 2c 35 38 31 32 2c 32 35 34 35 2c 34 30 39 34 2c 31 37 2c 33 31 32 31 2c 36 2c 39 30 38 2c 33 2c 33 35 34 31 2c 31 2c 31 34 37 31 30 2c 31 38 31 35 2c
                                                                                                                                                  Data Ascii: ,2023,1777,520,14670,3227,419,2426,7,4773,7581,5096,11625,4142,553,908,2,3555,13142,3,346,230,6459,149,13975,1,1,2,1528,2304,1236,5803,4684,2014,11501,3824,3050,2658,7357,30,894,4721,49,7964,2305,638,18280,5812,2545,4094,17,3121,6,908,3,3541,1,14710,1815,
                                                                                                                                                  2021-10-19 14:29:27 UTC2INData Raw: 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 68 2c 6b 3d 5b 5d 3b 66 75 6e 63 74 69 6f 6e 20 6c 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 65 69 64 22 29 29 29 3b 29 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 72 65 74 75 72 6e 20 62 7c 7c 68 7d 66 75 6e 63 74 69 6f 6e 20 6d 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 6e 75 6c 6c 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 6c 65 69 64 22 29 29 29 3b 29 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 72 65 74 75 72 6e 20 62 7d 0a 66 75 6e 63 74 69 6f 6e 20 6e 28 61 2c 62 2c 63 2c 64 2c 67 29 7b 76 61 72
                                                                                                                                                  Data Ascii: f=this||self;var h,k=[];function l(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||h}function m(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b}function n(a,b,c,d,g){var
                                                                                                                                                  2021-10-19 14:29:27 UTC3INData Raw: 6c 28 74 68 69 73 29 3b 67 6f 6f 67 6c 65 2e 66 3d 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 73 75 62 6d 69 74 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 69 66 28 61 3d 62 2e 74 61 72 67 65 74 29 7b 76 61 72 20 63 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 73 75 62 6d 69 74 66 61 6c 73 65 22 29 3b 61 3d 22 31 22 3d 3d 3d 63 7c 7c 22 71 22 3d 3d 3d 63 26 26 21 61 2e 65 6c 65 6d 65 6e 74 73 2e 71 2e 76 61 6c 75 65 3f 21 30 3a 21 31 7d 65 6c 73 65 20 61 3d 21 31 3b 61 26 26 28 62 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 2c 62 2e 73 74 6f 70 50 72 6f 70 61 67 61 74 69 6f 6e 28
                                                                                                                                                  Data Ascii: l(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.target){var c=a.getAttribute("data-submitfalse");a="1"===c||"q"===c&&!a.elements.q.value?!0:!1}else a=!1;a&&(b.preventDefault(),b.stopPropagation(
                                                                                                                                                  2021-10-19 14:29:27 UTC5INData Raw: 74 3a 30 7d 2e 67 62 78 78 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 78 6f 7b 6f 70 61 63 69 74 79 3a 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 3b 74 6f 70 3a 2d 39 39 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 2d 31 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c
                                                                                                                                                  Data Ascii: t:0}.gbxx{display:none !important}.gbxo{opacity:0 !important;filter:alpha(opacity=0) !important}.gbm{position:absolute;z-index:999;top:-999px;visibility:hidden;text-align:left;border:1px solid #bebebe;background:#fff;-moz-box-shadow:-1px 1px 1px rgba(0,0,
                                                                                                                                                  2021-10-19 14:29:27 UTC6INData Raw: 31 7d 2e 67 62 74 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 67 62 74 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 74 6f 7b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30
                                                                                                                                                  Data Ascii: 1}.gbt{position:relative;display:-moz-inline-box;display:inline-block;line-height:27px;padding:0;vertical-align:top}.gbt{*display:inline}.gbto{box-shadow:0 2px 4px rgba(0,0,0,.2);-moz-box-shadow:0 2px 4px rgba(0,0,0,.2);-webkit-box-shadow:0 2px 4px rgba(0
                                                                                                                                                  2021-10-19 14:29:27 UTC7INData Raw: 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 78 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 70 64 6a 73 20 2e 67 62 74 6f 20 2e 67 62 6d 7b 6d 69 6e 2d 77 69 64 74 68 3a 39 39 25 7d 2e 67 62 7a 30 6c 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 64 64 34 62 33 39 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 34 73 2c 23 67 62 69 34 73 31 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 23 67 62 67 36 2e 67 62 67 74 2d 68 76 72 2c 23 67 62 67 36 2e 67 62 67 74 3a 66 6f 63 75 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67
                                                                                                                                                  Data Ascii: und-repeat:repeat-x;outline:none;text-decoration:none !important}.gbpdjs .gbto .gbm{min-width:99%}.gbz0l .gbtb2{border-top-color:#dd4b39!important}#gbi4s,#gbi4s1{font-weight:bold}#gbg6.gbgt-hvr,#gbg6.gbgt:focus{background-color:transparent;background-imag
                                                                                                                                                  2021-10-19 14:29:27 UTC8INData Raw: 6f 72 3a 23 39 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 33 36 63 20 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 30 20 31 30 70 78 7d 2e 67 62 6d 6c
                                                                                                                                                  Data Ascii: or:#900 !important}.gbmt,.gbml1,.gbmlb,.gbmt:visited,.gbml1:visited,.gbmlb:visited{color:#36c !important;text-decoration:none !important}.gbmt,.gbmt:visited{display:block}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{display:inline-block;margin:0 10px}.gbml
                                                                                                                                                  2021-10-19 14:29:27 UTC10INData Raw: 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 47 42 4d 43 43 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 2c 23 47 42 4d 50 41 4c 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 5c 30 41 5c 30 41 27 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 23 67 62 6d 70 73 7b 2a 7a 6f 6f 6d 3a 31 7d 23 67 62 64 34 20 2e 67 62 70 63 2c 23 67 62 6d 70 61 73 20 2e 67 62 6d 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 37 70 78 7d 23 67 62 64 34 20 2e 67 62 70 67 73 20 2e 67 62 6d 74 63 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 23 67 62 64 34 20 2e 67 62 6d 74 63 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c
                                                                                                                                                  Data Ascii: margin:0;line-height:27px}.GBMCC:last-child:after,#GBMPAL:last-child:after{content:'\0A\0A';white-space:pre;position:absolute}#gbmps{*zoom:1}#gbd4 .gbpc,#gbmpas .gbmt{line-height:17px}#gbd4 .gbpgs .gbmtc{line-height:27px}#gbd4 .gbmtc{border-bottom:1px sol
                                                                                                                                                  2021-10-19 14:29:27 UTC11INData Raw: 69 67 6e 3a 72 69 67 68 74 7d 23 67 62 6d 70 61 73 62 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 7d 23 67 62 6d 70 61 6c 20 2e 67 62 71 66 62 62 7b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 2e 67 62 70 30 20 2e 67 62 70 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 61 2e 67 62 69 62 61 7b 6d 61 72 67 69 6e 3a 38 70 78 20 32 30 70 78 20 31 30 70 78 7d 2e 67 62 6d 70 69 61 77 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 36 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 7d 2e 67 62 78 76 7b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 2e 67 62 6d 70 69 61 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61
                                                                                                                                                  Data Ascii: ign:right}#gbmpasb .gbps{color:#000}#gbmpal .gbqfbb{margin:0 20px}.gbp0 .gbps{*display:inline}a.gbiba{margin:8px 20px 10px}.gbmpiaw{display:inline-block;padding-right:10px;margin-bottom:6px;margin-top:10px}.gbxv{visibility:hidden}.gbmpiaa{display:block;ma
                                                                                                                                                  2021-10-19 14:29:27 UTC12INData Raw: 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 2d 68 76 72 2c 2e 67 62 71 66 62 61 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 2e 67 62 71 66 62 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 2e 67 62 71 66 62 61 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 2e 67 62 71 66 62 62 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 7b 62 6f 72 64 65 72 3a
                                                                                                                                                  Data Ascii: ox-shadow:none}.gbqfb-hvr,.gbqfba-hvr,.gbqfbb-hvr{-webkit-box-shadow:0 1px 1px rgba(0,0,0,.1);-moz-box-shadow:0 1px 1px rgba(0,0,0,.1);box-shadow:0 1px 1px rgba(0,0,0,.1)}.gbqfb::-moz-focus-inner,.gbqfba::-moz-focus-inner,.gbqfbb::-moz-focus-inner{border:
                                                                                                                                                  2021-10-19 14:29:27 UTC14INData Raw: 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 7d 2e 67 62 71 66 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 33 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61
                                                                                                                                                  Data Ascii: d90fe,#357ae8);background-image:-o-linear-gradient(top,#4d90fe,#357ae8);background-image:linear-gradient(top,#4d90fe,#357ae8)}.gbqfb:active{background-color:inherit;-webkit-box-shadow:inset 0 1px 2px rgba(0, 0, 0, 0.3);-moz-box-shadow:inset 0 1px 2px rgba
                                                                                                                                                  2021-10-19 14:29:27 UTC15INData Raw: 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 38 66 38 66 38 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 31 66 31 66 31 27 29 7d 2e 67 62 71 66 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 66 66 29 2c 74 6f 28 23 66 62 66 62 66 62 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 66 66 2c 23 66 62 66 62 66 62 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c 69 6e 65 61
                                                                                                                                                  Data Ascii: dient(startColorStr='#f8f8f8',EndColorStr='#f1f1f1')}.gbqfbb{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(#fff),to(#fbfbfb));background-image:-webkit-linear-gradient(top,#fff,#fbfbfb);background-image:-moz-linea
                                                                                                                                                  2021-10-19 14:29:27 UTC16INData Raw: 69 76 65 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 0a 23 67 62 6d 70 61 73 7b 6d 61 78 2d 68 65 69 67 68 74 3a 32 32 30 70 78 7d 23 67 62 6d 6d 7b 6d 61 78 2d 68 65 69 67 68 74 3a 35 33 30 70 78 7d 2e 67 62 73 62 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61
                                                                                                                                                  Data Ascii: ive{-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}#gbmpas{max-height:220px}#gbmm{max-height:530px}.gbsb{-webkit-box-sizing:border-box;display:block;position:rela
2021-10-19 14:29:27 UTC  17 kB  IN
Data Raw:   61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 6c 65 66 74 20 74 6f 70 2c 66 72 6f 6d 28 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 29 2c 74 6f 28 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75
Data Ascii: a(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));background:-webkit-gradient(linear,left bottom,left top,from(rgba(0,0,0,.2)),to(rgba(0,0,0,0)));background-image:-webkit-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));backgrou

2021-10-19 14:29:27 UTC  19 kB  IN
Data Raw:   6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 33 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 7d 2e 6c 73 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 66 39 66 61 3b 62 6f 72 64 65 72 3a 73 6f 6c 69 64 20 31 70 78 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 64 61 64 63 65 30 20 23 37 30 37 35 37 61 20 23 37 30 37 35 37 61 20 23 64 61 64 63 65 30 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 2e 6c 73 62 62 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 23 57 71 51 41 4e 62 20 61 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 30 20 31 32 70 78 7d 2e 6c 73 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 69 6d 61 67 65 73 2f 6e 61 76 5f 6c 6f 67 6f 32 32 39 2e 70 6e 67 29 20 30 20 2d 32 36 31 70 78 20 72 65 70 65 61
Data Ascii: margin-left:13px;font-size:11px}.lsbb{background:#f8f9fa;border:solid 1px;border-color:#dadce0 #70757a #70757a #dadce0;height:30px}.lsbb{display:block}#WqQANb a{display:inline-block;margin:0 12px}.lsb{background:url(/images/nav_logo229.png) 0 -261px repea

2021-10-19 14:29:27 UTC  20 kB  IN
Data Raw:   7c 7c 67 6f 6f 67 6c 65 2e 6c 6f 67 28 30 2c 22 22 2c 61 29 3b 72 65 74 75 72 6e 20 61 7d 3b 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 65 2c 6d 2c 64 29 7b 70 21 3d 3d 61 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 64 20 69 6e 73 74 61 6e 63 65 6f 66 20 45 72 72 6f 72 3f 64 3a 45 72 72 6f 72 28 61 29 2c 21 31 2c 76 6f 69 64 20 30 2c 21 31 2c 21 64 7c 7c 64 20 69 6e 73 74 61 6e 63 65 6f 66 20 53 79 6e 74 61 78 45 72 72 6f 72 3f 32 3a 30 29 3b 70 3d 6e 75 6c 6c 3b 6c 26 26 6e 3e 3d 6b 26 26 28 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 3d 6e 75 6c 6c 29 7d 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20
Data Ascii: ||google.log(0,"",a);return a};window.onerror=function(a,b,e,m,d){p!==a&&google.ml(d instanceof Error?d:Error(a),!1,void 0,!1,!d||d instanceof SyntaxError?2:0);p=null;l&&n>=k&&(window.onerror=null)};})();(function(){try{/* Copyright The Closure Library

2021-10-19 14:29:27 UTC  20 kB  IN
Data Raw:   31 31 36 0d 0a 22 63 66 67 22 2c 62 2c 63 5d 2e 6a 6f 69 6e 28 22 2e 22 29 3b 77 69 6e 64 6f 77 2e 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 61 2c 64 29 7d 3b 76 61 72 20 67 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3d 77 69 6e 64 6f 77 2e 67 62 61 72 7c 7c 7b 7d 2c 68 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 7c 7c 7b 7d 2c 62 61 3b 66 75 6e 63 74 69 6f 6e 20 5f 74 76 6e 28 61 2c 62 29 7b 61 3d 70 61 72 73 65 49 6e 74 28 61 2c 31 30 29 3b 72 65 74 75 72 6e 20 69 73 4e 61 4e 28 61 29 3f 62 3a 61 7d 66 75 6e 63 74 69 6f 6e 20 5f 74 76 66 28 61 2c 62 29 7b 61 3d 70 61 72 73 65 46 6c 6f 61 74 28 61 29 3b 72 65 74 75 72 6e 20 69 73 4e 61 4e 28 61 29 3f 62 3a 61 7d 66 75 6e 63 74 69 6f 6e 20 5f 74 76 76 28 61 29 7b 72 65
Data Ascii: 116"cfg",b,c].join(".");window.gbar.logger.ml(a,d)};var g=window.gbar=window.gbar||{},h=window.gbar.i=window.gbar.i||{},ba;function _tvn(a,b){a=parseInt(a,10);return isNaN(a)?b:a}function _tvf(a,b){a=parseFloat(a);return isNaN(a)?b:a}function _tvv(a){re

2021-10-19 14:29:27 UTC  21 kB  IN
Data Raw:   36 65 38 31 0d 0a 7c 7c 67 29 5b 61 5d 3d 62 7d 67 2e 62 76 3d 7b 6e 3a 5f 74 76 6e 28 22 32 22 2c 30 29 2c 72 3a 22 22 2c 66 3a 22 2e 36 36 2e 22 2c 65 3a 22 22 2c 6d 3a 5f 74 76 6e 28 22 31 22 2c 31 29 7d 3b 0a 66 75 6e 63 74 69 6f 6e 20 63 61 28 61 2c 62 2c 63 29 7b 76 61 72 20 64 3d 22 6f 6e 22 2b 62 3b 69 66 28 61 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 29 61 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 62 2c 63 2c 21 31 29 3b 65 6c 73 65 20 69 66 28 61 2e 61 74 74 61 63 68 45 76 65 6e 74 29 61 2e 61 74 74 61 63 68 45 76 65 6e 74 28 64 2c 63 29 3b 65 6c 73 65 7b 76 61 72 20 66 3d 61 5b 64 5d 3b 61 5b 64 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6b 3d 66 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 2c
Data Ascii: 6e81||g)[a]=b}g.bv={n:_tvn("2",0),r:"",f:".66.",e:"",m:_tvn("1",1)};function ca(a,b,c){var d="on"+b;if(a.addEventListener)a.addEventListener(b,c,!1);else if(a.attachEvent)a.attachEvent(d,c);else{var f=a[d];a[d]=function(){var k=f.apply(this,arguments),

2021-10-19 14:29:27 UTC  22 kB  IN
Data Raw:   7c 7c 63 5b 31 5d 2e 73 7c 7c 28 63 5b 31 5d 2e 73 3d 21 30 2c 73 61 28 32 2c 61 29 2c 63 5b 31 5d 2e 75 72 6c 26 26 72 61 28 63 5b 31 5d 2e 75 72 6c 2c 61 29 2c 63 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 63 5b 31 5d 2e 6c 69 62 73 29 29 7d 2c 74 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 41 28 22 67 63 22 2c 61 29 7d 2c 75 61 3d 6e 75 6c 6c 2c 76 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 75 61 3d 61 7d 2c 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 75 61 29 7b 61 3d 7b 74 3a 61 2c 62 3a 62 7d 3b 69 66 28 63 29 66 6f 72 28 76 61 72 20 64 20 69 6e 20 63 29 61 5b 64 5d 3d 63 5b 64 5d 3b 74 72 79 7b 75 61 28 61 29 7d 63 61 74 63 68 28 66 29 7b 7d 7d 7d 3b 70 28 22 6d 64 63 22 2c 76 29 3b 70 28 22 6d 64 69 22 2c 6c 61 29 3b 70 28 22
Data Ascii: ||c[1].s||(c[1].s=!0,sa(2,a),c[1].url&&ra(c[1].url,a),c[1].libs&&C&&C(c[1].libs))},ta=function(a){A("gc",a)},ua=null,va=function(a){ua=a},sa=function(a,b,c){if(ua){a={t:a,b:b};if(c)for(var d in c)a[d]=c[d];try{ua(a)}catch(f){}}};p("mdc",v);p("mdi",la);p("

2021-10-19 14:29:27 UTC  23 kB  IN
Data Raw:   2e 67 6c 3d 45 61 3b 77 61 3f 41 61 2e 6c 6f 61 64 7c 7c 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3a 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3b 70 28 22 64 67 6c 22 2c 42 61 29 3b 70 28 22 61 67 6c 22 2c 44 61 29 3b 68 2e 6f 3d 78 61 7d 3b 76 61 72 20 46 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 30 30 31 29 2c 47 61 3d 30 3b 0a 66 75 6e 63 74 69 6f 6e 20 5f 6d 6c 54 6f 6b 65 6e 28 61 2c 62 29 7b 74 72 79 7b 69 66 28 31 3e 47 61 29 7b 47 61 2b 2b 3b 76 61 72 20 63 3d 61 3b 62 3d 62 7c 7c 7b 7d 3b 76 61 72 20 64 3d 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 2c 66 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 28 29
Data Ascii: .gl=Ea;wa?Aa.load||p("load",Ba,Aa):p("load",Ba,Aa);p("dgl",Ba);p("agl",Da);h.o=xa};var Fa=h.b("0.1",.001),Ga=0;function _mlToken(a,b){try{if(1>Ga){Ga++;var c=a;b=b||{};var d=encodeURIComponent,f=["//www.google.com/gen_204?atyp=i&zx=",(new Date).getTime()

2021-10-19 14:29:27 UTC  24 kB  IN
Data Raw:   2c 62 29 7d 2c 4d 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5b 62 5d 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 76 61 72 20 64 3d 61 72 67 75 6d 65 6e 74 73 3b 67 2e 71 6d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5b 62 5d 2e 61 70 70 6c 79 28 74 68 69 73 2c 64 29 7d 29 7d 7d 2c 4e 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 5b 22 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 2c 22 2f 6f 67 2f 5f 2f 6a 73 2f 64 3d 31 2f 6b 3d 22 2c 0a 22 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 51 65 34 73 69 6d 6b 51 6c 74 6f 2e 4f 22 2c 22 2f 72 74 3d 6a 2f 6d 3d 22 2c 61 2c 22 2f 72 73 3d 22 2c 22 41 41 32 59 72 54 74 35 65 69 52 4d 5f 66 4e 33 54 49 44 68 48 32 4a 34 5f 5f 43 47 37 4f 4c 51 66 51 22 5d 3b 4b 61 26 26 61 2e 70 75 73 68 28 22 3f 68 6f 73 74
Data Ascii: ,b)},Ma=function(a,b){a[b]=function(c){var d=arguments;g.qm(function(){a[b].apply(this,d)})}},Na=function(a){a=["//www.gstatic.com","/og/_/js/d=1/k=","og.og2.en_US.Qe4simkQlto.O","/rt=j/m=",a,"/rs=","AA2YrTt5eiRM_fN3TIDhH2J4__CG7OLQfQ"];Ka&&a.push("?host

2021-10-19 14:29:27 UTC  26 kB  IN
Data Raw:   64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 64 29 3b 69 66 28 66 29 7b 76 61 72 20 6b 3d 62 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 69 66 28 4f 3d 3d 64 29 4f 3d 76 6f 69 64 20 30 2c 0a 4b 28 6b 2c 22 67 62 74 6f 22 29 3b 65 6c 73 65 7b 69 66 28 4f 29 7b 76 61 72 20 6d 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 4f 29 3b 69 66 28 6d 26 26 6d 2e 67 65 74 41 74 74 72 69 62 75 74 65 29 7b 76 61 72 20 6e 3d 6d 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 61 72 69 61 2d 6f 77 6e 65 72 22 29 3b 69 66 28 6e 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 6c 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 6e 29 3b 6c 26 26 6c 2e 70 61 72 65 6e 74 4e 6f 64 65 26 26 4b 28 6c 2e 70 61 72 65 6e
Data Ascii: document.getElementById(d);if(f){var k=b.parentNode;if(O==d)O=void 0,K(k,"gbto");else{if(O){var m=document.getElementById(O);if(m&&m.getAttribute){var n=m.getAttribute("aria-owner");if(n.length){var l=document.getElementById(n);l&&l.parentNode&&K(l.paren

2021-10-19 14:29:27 UTC  27 kB  IN
Data Raw:   3c 3d 6c 29 7b 76 61 72 20 79 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 6c 69 22 29 2c 7a 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 79 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 67 62 6d 74 63 22 3b 7a 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 67 62 6d 74 20 67 62 6d 68 22 3b 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 7a 29 3b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 79 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 6c 5d 29 7d 67 2e 61 64 64 48 6f 76 65 72 26 26 67 2e 61 64 64 48 6f 76 65 72 28 61 29 7d 65 6c 73 65 20 6b 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6d 29 7d 7d 63 61 74 63 68 28 44 62 29 7b 72 28 44 62 2c 22 73 62 22 2c 22 61 6c 22 29 7d 7d 2c 65 62 3d 66 75 6e 63 74 69 6f 6e
Data Ascii: <=l){var y=document.createElement("li"),z=document.createElement("div");y.className="gbmtc";z.className="gbmt gbmh";y.appendChild(z);k.insertBefore(y,k.childNodes[l])}g.addHover&&g.addHover(a)}else k.appendChild(m)}}catch(Db){r(Db,"sb","al")}},eb=function

2021-10-19 14:29:27 UTC  28 kB  IN
Data Raw:   66 3d 62 5b 63 5d 3b 63 2b 2b 29 7b 76 61 72 20 6b 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 0a 6b 2e 69 6e 6e 65 72 48 54 4d 4c 3d 66 3b 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6b 29 7d 7d 65 6c 73 65 20 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 62 3b 51 28 61 2c 21 30 29 7d 7d 7d 2c 51 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 28 62 3d 76 6f 69 64 20 30 21 3d 3d 62 3f 62 3a 21 30 29 3f 4a 28 61 2c 22 67 62 6d 73 67 6f 22 29 3a 4b 28 61 2c 22 67 62 6d 73 67 6f 22 29 7d 2c 5a 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 63 3d 61 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 62 5d 3b 62 2b 2b 29 69 66 28 48 28 63 2c 22 67 62 6d 73 67 22 29 29 72 65 74 75 72 6e 20 63 7d 2c 50 3d
Data Ascii: f=b[c];c++){var k=document.createElement("div");k.innerHTML=f;d.appendChild(k)}}else d.innerHTML=b;Q(a,!0)}}},Q=function(a,b){(b=void 0!==b?b:!0)?J(a,"gbmsgo"):K(a,"gbmsgo")},Za=function(a){for(var b=0,c;c=a.childNodes[b];b++)if(H(c,"gbmsg"))return c},P=

2021-10-19 14:29:27 UTC  29 kB  IN
Data Raw:   73 2e 63 6c 69 65 6e 74 3a 67 61 70 69 2e 69 66 72 61 6d 65 73 22 7d 5d 29 3b 76 61 72 20 41 62 3d 7b 76 65 72 73 69 6f 6e 3a 22 67 63 69 5f 39 31 66 33 30 37 35 35 64 36 61 36 62 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38 32 34 2e 6a 73 22 2c 69 6e 64 65 78 3a 22 22 2c 6c 61 6e 67 3a 22 66 72 22 7d 3b 76 2e 67 63 3d 41 62 3b 76 61 72 20 42 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 61 70 69 73 26 26 77 69 6e 64 6f 77 2e 69 66 72 61 6d 65 73 3f 61 26 26 61 28 29 3a 28 61 26 26 74 61 28 61 29 2c 44 28 22 67 63 22 29 29 7d 3b 70 28 22 6c 47 43 22 2c 42 62 29 3b 68 2e 61 28 22 31 22 29 26 26 70 28 22 6c 50 57 46 22 2c 42 62 29 7d 3b 77 69 6e 64 6f 77 2e 5f 5f 50 56 54 3d 22 22 3b 69 66 28 68 2e 61 28 22 31 22 29
Data Ascii: s.client:gapi.iframes"}]);var Ab={version:"gci_91f30755d6a6b787dcc2a4062e6e9824.js",index:"",lang:"fr"};v.gc=Ab;var Bb=function(a){window.googleapis&&window.iframes?a&&a():(a&&ta(a),D("gc"))};p("lGC",Bb);h.a("1")&&p("lPWF",Bb)};window.__PVT="";if(h.a("1")

2021-10-19 14:29:27 UTC  31 kB  IN
Data Raw:   28 29 3b 6b 3d 64 28 22 32 38 38 33 34 22 29 3b 6d 3d 64 28 22 52 39 5a 75 59 66 5f 30 4a 49 4f 35 67 77 65 50 69 71 38 6f 22 29 3b 76 61 72 20 6c 3d 67 2e 62 76 2e 66 2c 71 3d 64 28 22 31 22 29 3b 6e 3d 64 28 6e 29 3b 63 3d 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 63 29 3b 76 61 72 20 45 3d 64 28 22 34 30 32 31 38 32 32 33 37 2e 30 22 29 2c 55 3d 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 31 31 30 30 34 2e 30 5f 70 30 22 29 2c 49 3d 64 28 22 63 6f 6d 22 29 2c 56 3d 64 28 22 66 72 22 29 2c 57 3d 0a 64 28 22 46 52 41 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 32 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 34 29 3b 61 3d 5b 22 2f 2f 77 77
Data Ascii: ();k=d("28834");m=d("R9ZuYf_0JIO5gwePiq8o");var l=g.bv.f,q=d("1");n=d(n);c=Math.round(1/c);var E=d("402182237.0"),U="&oggv="+d("es_plusone_gc_20211004.0_p0"),I=d("com"),V=d("fr"),W=d("FRA");var y=0;h.a("")&&(y|=1);h.a("")&&(y|=2);h.a("")&&(y|=4);a=["//ww

2021-10-19 14:29:27 UTC  32 kB  IN
Data Raw:   69 6f 6e 28 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 73 70 64 28 29 7d 29 7d 3b 70 28 22 73 70 6e 22 2c 55 62 29 3b 70 28 22 73 70 70 22 2c 57 62 29 3b 70 28 22 73 70 73 22 2c 56 62 29 3b 70 28 22 73 70 64 22 2c 5a 62 29 3b 70 28 22 70 61 61 22 2c 53 62 29 3b 70 28 22 70 72 6d 22 2c 54 62 29 3b 6c 62 28 22 67 62 64 34 22 2c 54 62 29 3b 0a 69 66 28 68 2e 61 28 22 22 29 29 7b 76 61 72 20 24 62 3d 7b 64 3a 68 2e 61 28 22 22 29 2c 65 3a 22 22 2c 73 61 6e 77 3a 68 2e 61 28 22 22 29 2c 70 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 39 36 22 2c 63 70 3a 22 31 22 2c 78 70 3a 68 2e 61 28 22 31 22 29 2c 6d 67 3a 22 25 31 24 73 20 28 64 e9
Data Ascii: ion(){B(function(){g.spd()})};p("spn",Ub);p("spp",Wb);p("sps",Vb);p("spd",Zb);p("paa",Sb);p("prm",Tb);lb("gbd4",Tb);if(h.a("")){var $b={d:h.a(""),e:"",sanw:h.a(""),p:"https://lh3.googleusercontent.com/ogw/default-user=s96",cp:"1",xp:h.a("1"),mg:"%1$s (d

2021-10-19 14:29:27 UTC  33 kB  IN
Data Raw:   63 6f 6f 6b 69 65 26 26 61 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 28 22 50 52 45 46 22 29 7d 63 61 74 63 68 28 63 29 7b 7d 72 65 74 75 72 6e 21 62 7d 2c 6a 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 21 21 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 61 29 7b 72 65 74 75 72 6e 21 31 7d 7d 2c 6b 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 26 26 61 2e 73 74 79 6c 65 26 26 61 2e 73 74 79 6c 65 2e 62 65 68 61 76 69 6f 72 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 61 2e 6c 6f 61 64 7d 2c 6c 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 29 7b 74 72 79 7b 69 63 28 64 6f
Data Ascii: cookie&&a.cookie.match("PREF")}catch(c){}return!b},jc=function(){try{return!!e.localStorage&&"object"==typeof e.localStorage}catch(a){return!1}},kc=function(a){return a&&a.style&&a.style.behavior&&"undefined"!=typeof a.load},lc=function(a,b,c,d){try{ic(do

2021-10-19 14:29:27 UTC  35 kB  IN
Data Raw:   28 67 2e 75 70 2c 22 73 70 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 64 70 63 22 29 3b 5a 28 67 2e 75 70 2c 22 69 69 63 22 29 3b 67 2e 6d 63 66 28 22 75 70 22 2c 7b 73 70 3a 68 2e 62 28 22 30 2e 30 31 22 2c 31 29 2c 74 6c 64 3a 22 66 72 22 2c 70 72 69 64 3a 22 31 22 7d 29 3b 66 75 6e 63 74 69 6f 6e 20 71 63 28 29 7b 66 75 6e 63 74 69 6f 6e 20 61 28 29 7b 66 6f 72 28 76 61 72 20 6c 3b 28 6c 3d 6b 5b 6d 2b 2b 5d 29 26 26 22 6d 22 21 3d 6c 5b 30 5d 26 26 21 6c 5b 31 5d 2e 61 75 74 6f 3b 29 3b 6c 26 26 28 73 61 28 32 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 75 72 6c 26 26 72 61 28 6c 5b 31 5d 2e 75 72 6c 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 6c 5b 31 5d 2e 6c 69 62 73 29 29 3b 6d 3c 6b 2e 6c 65 6e 67 74 68 26 26 73 65 74 54 69 6d 65 6f 75
Data Ascii: (g.up,"spl");Z(g.up,"dpc");Z(g.up,"iic");g.mcf("up",{sp:h.b("0.01",1),tld:"fr",prid:"1"});function qc(){function a(){for(var l;(l=k[m++])&&"m"!=l[0]&&!l[1].auto;);l&&(sa(2,l[0]),l[1].url&&ra(l[1].url,l[0]),l[1].libs&&C&&C(l[1].libs));m<k.length&&setTimeou

2021-10-19 14:29:27 UTC  36 kB  IN
Data Raw:   22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 64 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 2e 69 3b 76 61 72 20 65 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 76 61 72 20 66 3d 65 2e 69 3b 76 61 72 20 67 3d 66 2e 63 28 22 31 22 2c 30 29 2c 68 3d 2f 5c 62 67 62 6d 74 5c 62 2f 2c 6b 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 22 2b 67 29 2c 63 3d 64 6f 63 75 6d
Data Ascii: "});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var d=window.gbar.i.i;var e=window.gbar;var f=e.i;var g=f.c("1",0),h=/\bgbmt\b/,k=function(a){try{var b=document.getElementById("gb_"+g),c=docum

2021-10-19 14:29:27 UTC  37 kB  IN
Data Raw:   22 29 2c 76 66 3a 22 2e 36 36 2e 22 7d 2c 67 3d 66 2c 68 3d 5b 22 62 6e 64 63 66 67 22 5d 2c 6b 3d 61 3b 68 5b 30 5d 69 6e 20 6b 7c 7c 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 6b 2e 65 78 65 63 53 63 72 69 70 74 7c 7c 6b 2e 65 78 65 63 53 63 72 69 70 74 28 22 76 61 72 20 22 2b 68 5b 30 5d 29 3b 66 6f 72 28 76 61 72 20 6c 3b 68 2e 6c 65 6e 67 74 68 26 26 28 6c 3d 68 2e 73 68 69 66 74 28 29 29 3b 29 68 2e 6c 65 6e 67 74 68 7c 7c 76 6f 69 64 20 30 3d 3d 3d 67 3f 6b 3d 6b 5b 6c 5d 26 26 6b 5b 6c 5d 21 3d 3d 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 5b 6c 5d 3f 6b 5b 6c 5d 3a 6b 5b 6c 5d 3d 7b 7d 3a 6b 5b 6c 5d 3d 67 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61
Data Ascii: "),vf:".66."},g=f,h=["bndcfg"],k=a;h[0]in k||"undefined"==typeof k.execScript||k.execScript("var "+h[0]);for(var l;h.length&&(l=h.shift());)h.length||void 0===g?k=k[l]&&k[l]!==Object.prototype[l]?k[l]:k[l]={}:k[l]=g;}catch(e){window.gbar&&gbar.logger&&gba

2021-10-19 14:29:27 UTC  38 kB  IN
Data Raw:   73 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65 2e 66 72 2f 6d 61 70 73 3f 68 6c 3d 66 72 26 74 61 62 3d 77 6c 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 4d 61 70 73 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 37 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3f 68 6c 3d 66 72 26 74 61 62 3d 77 38 22 3e 3c 73 70 61 6e 20 63 6c 61 73
Data Ascii: s</span></a></li><li class=gbt><a class=gbzt id=gb_8 href="https://maps.google.fr/maps?hl=fr&tab=wl"><span class=gbtb2></span><span class=gbts>Maps</span></a></li><li class=gbt><a class=gbzt id=gb_78 href="https://play.google.com/?hl=fr&tab=w8"><span clas

2021-10-19 14:29:27 UTC  40 kB  IN
Data Raw:   73 3d 67 62 6d 20 69 64 3d 67 62 64 20 61 72 69 61 2d 6f 77 6e 65 72 3d 67 62 7a 74 6d 3e 3c 64 69 76 20 69 64 3d 67 62 6d 6d 62 20 63 6c 61 73 73 3d 22 67 62 6d 63 20 67 62 73 62 20 67 62 73 62 69 73 22 3e 3c 6f 6c 20 69 64 3d 67 62 6d 6d 20 63 6c 61 73 73 3d 22 67 62 6d 63 63 20 67 62 73 62 69 63 22 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 32 34 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 61 6c 65 6e 64 61 72 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 63 61 6c 65 6e 64 61 72 3f 74 61 62 3d 77 63 22 3e 41 67 65 6e 64 61 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 35 31 20 68 72 65 66 3d 22 68 74 74
Data Ascii: s=gbm id=gbd aria-owner=gbztm><div id=gbmmb class="gbmc gbsb gbsbis"><ol id=gbmm class="gbmcc gbsbic"><li class=gbmtc><a class=gbmt id=gb_24 href="https://calendar.google.com/calendar?tab=wc">Agenda</a></li><li class=gbmtc><a class=gbmt id=gb_51 href="htt

2021-10-19 14:29:27 UTC  41 kB  IN
Data Raw:   20 63 6c 61 73 73 3d 67 62 73 62 62 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 67 3e 3c 68 32 20 63 6c 61 73 73 3d 67 62 78 78 3e 41 63 63 6f 75 6e 74 20 4f 70 74 69 6f 6e 73 3c 2f 68 32 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 63 62 3e 3c 2f 73 70 61 6e 3e 3c 6f 6c 20 63 6c 61 73 73 3d 67 62 74 63 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 74 61 72 67 65 74 3d 5f 74 6f 70 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 63 63 6f 75 6e 74 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 53 65 72 76 69 63 65 4c 6f 67 69 6e 3f 68 6c 3d 66 72 26 70 61 73 73 69 76 65 3d 74 72 75 65 26 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c
Data Ascii: class=gbsbb></div></div></div></li></ol></div><div id=gbg><h2 class=gbxx>Account Options</h2><span class=gbtcb></span><ol class=gbtc><li class=gbt><a target=_top href="https://accounts.google.com/ServiceLogin?hl=fr&passive=true&continue=https://www.googl

2021-10-19 14:29:27 UTC  42 kB  IN
Data Raw:   69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 65 6c 70 26 26 67 62 61 72 2e 65 6c 70 28 29 3c 2f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 63 65 6e 74 65 72 3e 3c 62 72 20 63 6c 65 61 72 3d 22 61 6c 6c 22 20 69 64 3d 22 6c 67 70 64 22 3e 3c 64 69 76 20 69 64 3d 22 6c 67 61 22 3e 3c 69 6d 67 20 61 6c 74 3d 22 47 6f 6f 67 6c 65 22 20 68 65 69 67 68 74 3d 22 39 32 22 20 73 72 63 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 77 68 69 74 65 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 63 6f 6c 6f 72 5f 32 37 32 78 39 32 64 70 2e 70 6e 67 22 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 38 70 78 20 30 20 31 34 70 78 22 20 77 69 64 74 68 3d 22 32 37 32 22 20
Data Ascii: indow.gbar&&gbar.elp&&gbar.elp()</script></div></div><center><br clear="all" id="lgpd"><div id="lga"><img alt="Google" height="92" src="/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png" style="padding:28px 0 14px" width="272"

2021-10-19 14:29:27 UTC  43 kB  IN
Data Raw:   68 69 73 2e 66 6f 72 6d 2e 69 66 6c 73 69 67 2e 64 69 73 61 62 6c 65 64 20 3d 20 66 61 6c 73 65 3b 7d 0a 65 6c 73 65 20 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 27 2f 64 6f 6f 64 6c 65 73 2f 27 3b 7d 3b 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 69 6e 70 75 74 20 76 61 6c 75 65 3d 22 41 4c 73 2d 77 41 4d 41 41 41 41 41 59 57 37 6b 56 30 5f 4c 53 6b 62 78 73 58 65 4e 68 5a 46 51 43 49 34 4a 4e 6a 63 50 70 32 68 76 22 20 6e 61 6d 65 3d 22 69 66 6c 73 69 67 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 74 64 3e 3c 74 64 20 63 6c 61 73 73 3d 22 66 6c 20 73 62 6c 63 22 20 61 6c 69 67 6e 3d 22 6c 65 66 74 22 20 6e 6f 77 72 61 70 3d 22 22 20 77 69 64 74 68 3d 22 32 35 25 22 3e 3c 61 20 68 72 65 66 3d 22 2f 61 64
Data Ascii: his.form.iflsig.disabled = false;}else top.location='/doodles/';};})();</script><input value="ALs-wAMAAAAAYW7kV0_LSkbxsXeNhZFQCI4JNjcPp2hv" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/ad

2021-10-19 14:29:27 UTC  45 kB  IN
Data Raw:   69 67 3d 4b 5f 34 62 64 36 34 61 52 68 55 34 66 74 4b 6c 68 36 53 54 67 4c 30 4b 73 44 34 67 30 25 33 44 22 3e 47 6f 6f 67 6c 65 2e 66 72 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 38 70 74 3b 63 6f 6c 6f 72 3a 23 37 30 37 35 37 61 22 3e 26 63 6f 70 79 3b 20 32 30 32 31 20 2d 20 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 66 72 2f 70 6f 6c 69 63 69 65 73 2f 70 72 69 76 61 63 79 2f 22 3e 43 6f 6e 66 69 64 65 6e 74 69 61 6c 69 74 e9 3c 2f 61 3e 20 2d 20 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 66 72 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 43 6f 6e 64 69 74 69 6f 6e 73 3c 2f 61 3e 3c 2f 70 3e 3c 2f 73 70 61 6e 3e 3c 2f 63 65 6e 74 65 72 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63
Data Ascii: ig=K_4bd64aRhU4ftKlh6STgL0KsD4g0%3D">Google.fr</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2021 - <a href="/intl/fr/policies/privacy/">Confidentialit</a> - <a href="/intl/fr/policies/terms/">Conditions</a></p></span></center><script nonc

2021-10-19 14:29:27 UTC  46 kB  IN
Data Raw:   72 20 63 3d 22 53 43 52 49 50 54 22 3b 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 22 3d 3d 3d 62 2e 63 6f 6e 74 65 6e 74 54 79 70 65 26 26 28 63 3d 63 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 29 3b 63 3d 62 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 63 29 3b 69 66 28 76 6f 69 64 20 30 3d 3d 3d 67 29 7b 62 3d 6e 75 6c 6c 3b 76 61 72 20 6b 3d 65 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 69 66 28 6b 26 26 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 29 7b 74 72 79 7b 62 3d 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 28 22 67 6f 6f 67 23 68 74 6d 6c 22 2c 7b 63 72 65 61 74 65 48 54 4d 4c 3a 66 2c 63 72 65 61 74 65 53 63 72 69 70 74 3a 66 2c 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 3a 66 7d 29 7d 63 61 74 63 68 28 70 29 7b 65 2e 63 6f
Data Ascii: r c="SCRIPT";"application/xhtml+xml"===b.contentType&&(c=c.toLowerCase());c=b.createElement(c);if(void 0===g){b=null;var k=e.trustedTypes;if(k&&k.createPolicy){try{b=k.createPolicy("goog#html",{createHTML:f,createScript:f,createScriptURL:f})}catch(p){e.co

2021-10-19 14:29:27 UTC  47 kB  IN
Data Raw:   5c 78 32 32 66 6c 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 68 6f 73 74 5c 78 32 32 3a 5c 78 32 32 67 6f 6f 67 6c 65 2e 63 6f 6d 5c 78 32 32 2c 5c 78 32 32 69 73 62 68 5c 78 32 32 3a 32 38 2c 5c 78 32 32 6a 73 6f 6e 70 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 6c 6d 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 6d 73 67 73 5c 78 32 32 3a 7b 5c 78 32 32 63 69 62 6c 5c 78 32 32 3a 5c 78 32 32 45 66 66 61 63 65 72 20 6c 61 20 72 65 63 68 65 72 63 68 65 5c 78 32 32 2c 5c 78 32 32 64 79 6d 5c 78 32 32 3a 5c 78 32 32 45 73 73 61 79 65 7a 20 61 76 65 63 20 63 65 74 74 65 20 6f 72 74 68 6f 67 72 61 70 68 65 20 3a 5c 78 32 32 2c 5c 78 32 32 6c 63 6b 79 5c 78 32 32 3a 5c 78 32 32 4a 5c 5c 75 30 30 32 36 23 33 39 3b 61 69 20 64 65 20 6c 61 20 63 68 61 6e 63 65 5c 78 32
Data Ascii: \x22fl\x22:true,\x22host\x22:\x22google.com\x22,\x22isbh\x22:28,\x22jsonp\x22:true,\x22lm\x22:true,\x22msgs\x22:{\x22cibl\x22:\x22Effacer la recherche\x22,\x22dym\x22:\x22Essayez avec cette orthographe :\x22,\x22lcky\x22:\x22J\\u0026#39;ai de la chance\x2

2021-10-19 14:29:27 UTC  48 kB  IN
Data Raw:   30 0d 0a 0d 0a
Data Ascii: 0


SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 19, 2021 16:31:10.883949995 CEST | 587 | 49836 | 173.231.223.186 | 192.168.2.3 | 220-server.oishi7.com ESMTP Exim 4.94.2 #2 Tue, 19 Oct 2021 07:31:10 -0700
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Oct 19, 2021 16:31:10.884293079 CEST | 49836 | 587 | 192.168.2.3 | 173.231.223.186 | EHLO 305090
Oct 19, 2021 16:31:11.016813040 CEST | 587 | 49836 | 173.231.223.186 | 192.168.2.3 | 250-server.oishi7.com Hello 305090 [102.129.143.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Oct 19, 2021 16:31:11.017040968 CEST | 49836 | 587 | 192.168.2.3 | 173.231.223.186 | STARTTLS
Oct 19, 2021 16:31:11.151046038 CEST | 587 | 49836 | 173.231.223.186 | 192.168.2.3 | 220 TLS go ahead
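The exchange above is the whole of the SMTP session the sandbox could read: the client identifies itself with EHLO, the server offers AUTH PLAIN LOGIN and STARTTLS, the client upgrades to TLS, and everything after "220 TLS go ahead" (the login, the envelope and the message body) is encrypted. The script below is an added example, not part of the Joe Sandbox report: it rebuilds the dialogue from rows transcribed from the table above and raises the findings a triage analyst would record. The set of ports treated as mail submission, the "is this a host name" check on the EHLO argument and the wording of the findings are this example's assumptions.

```python
"""Rebuild the SMTP dialogue from the packet table and flag what an analyst
should note about it. Added example for this report, not Joe Sandbox code;
the packet rows are transcribed from the SMTP Packets table above and the
set of ports treated as mail submission is an assumption of this example."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed sample input transcribed from the report (timestamps shortened):
# (timestamp, src_port, dst_port, src_ip, dst_ip, payload)
PACKETS: List[Tuple[str, int, int, str, str, str]] = [
    ("16:31:10.883", 587, 49836, "173.231.223.186", "192.168.2.3",
     "220-server.oishi7.com ESMTP Exim 4.94.2 #2 Tue, 19 Oct 2021 07:31:10 -0700\r\n"
     "220-We do not authorize the use of this system to transport unsolicited,\r\n"
     "220 and/or bulk e-mail.\r\n"),
    ("16:31:10.884", 49836, 587, "192.168.2.3", "173.231.223.186", "EHLO 305090\r\n"),
    ("16:31:11.016", 587, 49836, "173.231.223.186", "192.168.2.3",
     "250-server.oishi7.com Hello 305090 [102.129.143.33]\r\n250-SIZE 52428800\r\n"
     "250-8BITMIME\r\n250-PIPELINING\r\n250-PIPE_CONNECT\r\n250-AUTH PLAIN LOGIN\r\n"
     "250-STARTTLS\r\n250 HELP\r\n"),
    ("16:31:11.017", 49836, 587, "192.168.2.3", "173.231.223.186", "STARTTLS\r\n"),
    ("16:31:11.151", 587, 49836, "173.231.223.186", "192.168.2.3", "220 TLS go ahead\r\n"),
]

SUBMISSION_PORTS = {25, 465, 587}  # assumption: ports treated as outbound mail
REPLY = re.compile(r"^(\d{3})[ -](.*)$")  # "250-cap" or "250 cap"


@dataclass
class SmtpSession:
    client: str
    server: str
    server_port: int
    banner: Optional[str] = None
    ehlo_name: Optional[str] = None
    seen_as: Optional[str] = None        # address the server reported for the client
    capabilities: List[str] = field(default_factory=list)
    client_commands: List[str] = field(default_factory=list)
    starttls_accepted: bool = False
    findings: List[str] = field(default_factory=list)


def is_fqdn(name: str) -> bool:
    """EHLO should carry a host name; a bare label or a number is unusual."""
    return "." in name and not name.replace(".", "").isdigit()


def parse_session(packets) -> SmtpSession:
    """Walk the rows in order and reconstruct one client/server dialogue."""
    # The endpoint that owns the well-known port is the server.
    row = next(p for p in packets if p[1] in SUBMISSION_PORTS or p[2] in SUBMISSION_PORTS)
    if row[1] in SUBMISSION_PORTS:
        server, port, client = row[3], row[1], row[4]
    else:
        server, port, client = row[4], row[2], row[3]
    s = SmtpSession(client=client, server=server, server_port=port)

    last_cmd: Optional[str] = None
    for _ts, _sp, _dp, src, _dst, payload in packets:
        lines = [ln for ln in payload.split("\r\n") if ln]
        if src == client:
            for line in lines:
                s.client_commands.append(line)
                verb, _, arg = line.partition(" ")
                last_cmd = verb.upper()
                if last_cmd in ("EHLO", "HELO"):
                    s.ehlo_name = arg.strip()
            continue
        for line in lines:
            m = REPLY.match(line)
            if not m:
                continue
            code, text = m.groups()
            if code == "220" and last_cmd is None and s.banner is None:
                s.banner = text                      # greeting, before any command
            elif code == "220" and last_cmd == "STARTTLS":
                s.starttls_accepted = True           # everything after this is ciphertext
            elif code == "250" and "Hello" in text.split():
                peer = re.search(r"\[([0-9A-Fa-f.:]+)\]", text)
                s.seen_as = peer.group(1) if peer else None
            elif code == "250":
                s.capabilities.append(text)

    if ip_address(client).is_private and ip_address(server).is_global:
        s.findings.append(f"{client} submits mail directly to external {server}:{port}")
    if s.ehlo_name is not None and not is_fqdn(s.ehlo_name):
        s.findings.append(f"EHLO name {s.ehlo_name!r} is not a host name")
    if any(c.startswith("AUTH ") for c in s.capabilities):
        s.findings.append("server advertises AUTH; a credentialed login is expected next")
    if s.starttls_accepted:
        s.findings.append("STARTTLS accepted: AUTH, envelope and message body are "
                          "encrypted from here, so the capture cannot show them")
    return s


if __name__ == "__main__":
    session = parse_session(PACKETS)
    print(f"{session.client} -> {session.server}:{session.server_port}, EHLO {session.ehlo_name}")
    for finding in session.findings:
        print(" -", finding)
```

The practical consequence of the last finding is that the mailbox credentials and the stolen data are not recoverable from this capture; to see them one would need to intercept the TLS session (for example with a man-in-the-middle proxy the sample trusts) or extract the configuration from the unpacked payload in memory.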

                                                                                                                                                  Code Manipulations

                                                                                                                                                  Statistics

                                                                                                                                                  Behavior


                                                                                                                                                  System Behavior

General

Start time: 16:29:24
Start date: 19/10/2021
Path: C:\Users\user\Desktop\987421.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\987421.exe'
Imagebase: 0xf90000
File size: 1335296 bytes
MD5 hash: 75E71BA1842DC3F63198386ADB92716F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.443975090.000000000446D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.444506297.0000000004633000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 16:30:20
Start date: 19/10/2021
Path: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase: 0x390000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.557838555.0000000000762000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000002.563407277.0000000007B80000.00000004.00020000.sdmp, Author: Arnim Rupp
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000002.563118770.00000000074D0000.00000004.00020000.sdmp, Author: Arnim Rupp
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.560993203.00000000037F1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.560993203.00000000037F1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.560027305.00000000027F1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 16:30:58
Start date: 19/10/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000002.500947062.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 16:30:58
Start date: 19/10/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.491382176.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high
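The four process starts above carry the two host-side signals worth turning into detection logic: a .NET Framework utility (InstallUtil.exe) executing from the user's Temp directory instead of the Framework directory, and the genuine vbc.exe (Visual Basic compiler, reputation high, started from its real path) launched with /stext, which is the save-to-text-file switch of the NirSoft recovery tools and not a compiler option. The Yara matches confirm that the two vbc.exe instances host hollowed WebBrowserPassView and MailPassView images, and the /stext arguments name the files in Temp where their output lands. The script below is an added example, not Joe Sandbox code: it runs those two rules over records transcribed from the System Behavior section plus one constructed benign vbc.exe compile as a negative control. The tool list, the switch set, the rule wording and the benign row are this example's assumptions.

```python
"""Triage process-start records for the pattern this report documents:
.NET Framework utilities run from a user-writable directory, and vbc.exe
started with a NirSoft save-to-file switch. Added example for this report,
not Joe Sandbox code. The records are transcribed from the System Behavior
section above plus one constructed benign row; the tool list, the switch
set and the rule wording are this example's assumptions."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample input: the four process starts from the report and a
# benign vbc.exe compile (last row, invented as a negative control).
PROCESS_STARTS: List[Dict[str, str]] = [
    {"start": "16:29:24", "image": r"C:\Users\user\Desktop\987421.exe",
     "cmdline": r"'C:\Users\user\Desktop\987421.exe'"},
    {"start": "16:30:20", "image": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"},
    {"start": "16:30:58", "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "
                r"'C:\Users\user\AppData\Local\Temp\holderwb.txt'"},
    {"start": "16:30:58", "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "
                r"'C:\Users\user\AppData\Local\Temp\holdermail.txt'"},
    {"start": "16:31:40", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /target:library "
                r"/out:C:\build\app.dll C:\build\app.vb"},
]

# Framework binaries that .NET loaders commonly copy elsewhere or hollow (assumed list).
FRAMEWORK_TOOLS = {"installutil.exe", "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\framework"   # prefix also covers Framework64
# Output switches of the NirSoft recovery tools; vbc.exe and csc.exe accept none of them.
NIRSOFT_SAVE = re.compile(r"(?i)(?:^|\s)/s(?:text|tabular|tab|comma|html|verhtml|xml)\b")


def triage(starts: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per rule hit: which image, why, and what to collect."""
    findings: List[Dict[str, str]] = []
    for p in starts:
        path = PureWindowsPath(p["image"])
        name = path.name.lower()
        parent = str(path.parent).lower()
        if name not in FRAMEWORK_TOOLS:
            continue
        # Rule 1: the tool runs from somewhere other than the Framework directory.
        if not parent.startswith(FRAMEWORK_DIR):
            findings.append({"image": p["image"], "start": p["start"],
                             "rule": "framework tool running outside the .NET Framework directory",
                             "artifact": p["image"]})
        # Rule 2: a compiler started with a NirSoft output switch; the argument
        # is the file the hollowed recovery tool will write.
        m = NIRSOFT_SAVE.search(p["cmdline"])
        if m:
            out_file = p["cmdline"][m.end():].strip().strip("'\"")
            findings.append({"image": p["image"], "start": p["start"],
                             "rule": f"{name} started with {m.group(0).strip()}, a NirSoft "
                                     "output switch rather than a compiler option",
                             "artifact": out_file})
    return findings


def dump_files(findings: List[Dict[str, str]]) -> List[str]:
    """Paths the hollowed recovery tools were told to write; collect these first."""
    return [f["artifact"] for f in findings if "NirSoft" in f["rule"]]


if __name__ == "__main__":
    for h in triage(PROCESS_STARTS):
        print(f"{h['start']} {h['image']}\n    {h['rule']}\n    collect: {h['artifact']}")
```

Rule 2 keys on the command line rather than on the image hash because the hollowed vbc.exe is the unmodified Microsoft binary on disk (same MD5 for both instances); only its in-memory image, which the Yara rules above matched, and its arguments betray the substitution. The same check catches the RegAsm.exe and RegSvcs.exe hosts other .NET loaders prefer.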

                                                                                                                                                  Disassembly

                                                                                                                                                  Code Analysis
