
Windows Analysis Report 201021.exe

Overview

General Information

Sample Name: 201021.exe
Analysis ID: 506137
MD5: ff59b59d6fb138bd3a588d89ea0fa1d7
SHA1: fad22ded5983e8d5a9bffa398c3281670e496f46
SHA256: 8e1c67e8ed76591ed779773be365b2b66440d958f1bf3556d4512f71836c3d2f
Tags: exe, hawkeye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected HawkEye Rat
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Tries to steal Mail credentials (via file registry)
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • 201021.exe (PID: 2168 cmdline: 'C:\Users\user\Desktop\201021.exe' MD5: FF59B59D6FB138BD3A588D89EA0FA1D7)
    • InstallUtil.exe (PID: 6672 cmdline: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • vbc.exe (PID: 7120 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7128 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • WerFault.exe (PID: 2212 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1932 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.406134139.0000000007D10000.00000004.00020000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x25d0:$hawkstr1: HawkEye Keylogger
  • 0x2088:$hawkstr2: Dear HawkEye Customers!
  • 0x21b6:$hawkstr3: HawkEye Logger Details:
0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b6ba:$key: HawkEyeKeylogger
  • 0x7d8c8:$salt: 099u787978786
  • 0x7bce3:$string1: HawkEye_Keylogger
  • 0x7cb36:$string1: HawkEye_Keylogger
  • 0x7d828:$string1: HawkEye_Keylogger
  • 0x7c0cc:$string2: holdermail.txt
  • 0x7c0ec:$string2: holdermail.txt
  • 0x7c00e:$string3: wallet.dat
  • 0x7c026:$string3: wallet.dat
  • 0x7c03c:$string3: wallet.dat
  • 0x7d40a:$string4: Keylog Records
  • 0x7d722:$string4: Keylog Records
  • 0x7d920:$string5: do not script -->
  • 0x7b6a2:$string6: \pidloc.txt
  • 0x7b718:$string7: BSPLIT
  • 0x7b728:$string7: BSPLIT
0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
53 entries in total; the remaining entries are not shown here.

Unpacked PEs

Source | Rule | Description | Author | Strings
10.0.InstallUtil.exe.3b39930.8.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
10.0.InstallUtil.exe.3b39930.8.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
10.2.InstallUtil.exe.409c0d.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
10.0.InstallUtil.exe.7ca0000.19.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.InstallUtil.exe.7ca0000.9.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
140 entries in total; the remaining entries are not shown here.

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\Desktop\201021.exe' , ParentImage: C:\Users\user\Desktop\201021.exe, ParentProcessId: 2168, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6672

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 201021.exe | ReversingLabs: Detection: 40%
Machine Learning detection for sample
Source: 201021.exe | Joe Sandbox ML: detected
Source: 10.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.InstallUtil.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 10.0.InstallUtil.exe.400000.11.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 10.0.InstallUtil.exe.400000.11.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 10.0.InstallUtil.exe.400000.1.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 10.0.InstallUtil.exe.400000.1.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.201021.exe.39bac82.3.unpack | Avira: Label: TR/Inject.vcoldi
Source: 201021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.7:49746 version: TLS 1.0
Source: 201021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.406134139.0000000007D10000.00000004.00020000.sdmp
            Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: 201021.exe, 00000001.00000002.307784889.00000000063D0000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000000.338774279.0000000000882000.00000002.00020000.sdmp, InstallUtil.exe.1.dr
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exe
            Source: Binary string: InstallUtil.pdb source: 201021.exe, 00000001.00000002.307784889.00000000063D0000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.1.dr
            Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exe
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp | Binary or memory string: [autorun]
            Source: InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
            Source: InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
            Source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
            Source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp | Binary or memory string: [autorun]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
            Source: unknown | HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.7:49746 version: TLS 1.0
            Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000F.00000002.351623076.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000F.00000002.351623076.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
            Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
            Source: InstallUtil.exe, 0000000A.00000003.303485054.0000000005C72000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikipg
            Source: InstallUtil.exe, 0000000A.00000003.304199848.0000000005CAE000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
            Source: 201021.exe, 00000001.00000003.270974975.0000000006ADB000.00000004.00000001.sdmp, 201021.exe, 00000001.00000003.298024945.0000000006AE1000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, bhv8BC6.tmp.15.dr | String found in binary or memory: http://ocsp.comodoca.com0
            Source: 201021.exe, 00000001.00000002.299444027.0000000002941000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.365286808.0000000005B30000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/44/c08e43.jpg
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpg
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/8c/865070.jpg
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/95/8bd8bf.jpg
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsWyr.img?h=75&w=100&
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuMD0.img?h=333&w=311
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=75&w=100&
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=75&w=100&
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBGjoVB.img?h=50&w=50&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbOGs.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPRPvf.img?h=50&w=50&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBSDdmG.img?h=50&w=50&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBTrj40.img?h=50&w=50&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVQ7lO.img?h=50&w=50&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://t.wayfair.com/a/vendor_sync/user?vendor_id=1&uid=3011883223893104794&t=1
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://trc.taboola.com/p3p.xml
            Source: Amcache.hve.18.drString found in binary or memory: http://upx.sf.net
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: InstallUtil.exe, 0000000A.00000003.310947599.0000000005C7A000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
            Source: InstallUtil.exe, 0000000A.00000003.309171852.0000000005C72000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: InstallUtil.exe, 0000000A.00000003.313892692.0000000005C7E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: InstallUtil.exe, 0000000A.00000003.313438755.0000000005C7A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersL
            Source: InstallUtil.exe, 0000000A.00000003.313195886.0000000005C78000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
            Source: InstallUtil.exe, 0000000A.00000003.313892692.0000000005C7E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF/V
            Source: InstallUtil.exe, 0000000A.00000003.312452193.0000000005C7A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comFQU
            Source: InstallUtil.exe, 0000000A.00000003.314544444.0000000005C7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comals
            Source: InstallUtil.exe, 0000000A.00000003.314544444.0000000005C7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: InstallUtil.exe, 0000000A.00000003.314544444.0000000005C7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd$V
            Source: InstallUtil.exe, 0000000A.00000003.314544444.0000000005C7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdfetXU
            Source: InstallUtil.exe, 0000000A.00000000.335330228.0000000005C70000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comldv
            Source: InstallUtil.exe, 0000000A.00000003.313195886.0000000005C78000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comn
            Source: InstallUtil.exe, 0000000A.00000003.312452193.0000000005C7A000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000000.335330228.0000000005C70000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
            Source: InstallUtil.exe, 0000000A.00000003.313892692.0000000005C7E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comony
            Source: InstallUtil.exe, 0000000A.00000003.314544444.0000000005C7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coms
            Source: InstallUtil.exe, 0000000A.00000003.314904895.0000000005C7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsiefd
            Source: InstallUtil.exe, 0000000A.00000003.312539841.0000000005C7A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsivauUs
            Source: InstallUtil.exe, 0000000A.00000003.314544444.0000000005C7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueed
            Source: InstallUtil.exe, 0000000A.00000003.303791795.000000000117B000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: InstallUtil.exe, 0000000A.00000003.303791795.000000000117B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comj
            Source: InstallUtil.exe, 0000000A.00000003.306333247.0000000005C81000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: InstallUtil.exe, 0000000A.00000003.306333247.0000000005C81000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnCP
            Source: InstallUtil.exe, 0000000A.00000003.306365686.0000000005C73000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnht
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://www.googleadservices.com/pagead/p3p.xml
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: InstallUtil.exe, 0000000A.00000003.309507974.0000000005C77000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/$V
            Source: InstallUtil.exe, 0000000A.00000003.309507974.0000000005C77000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Curs
            Source: InstallUtil.exe, 0000000A.00000003.309507974.0000000005C77000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/FU
            Source: InstallUtil.exe, 0000000A.00000003.309507974.0000000005C77000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Stan
            Source: InstallUtil.exe, 0000000A.00000003.309507974.0000000005C77000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
            Source: InstallUtil.exe, 0000000A.00000003.310696053.0000000005C7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/d
            Source: InstallUtil.exe, 0000000A.00000003.310947599.0000000005C7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: InstallUtil.exe, 0000000A.00000003.309507974.0000000005C77000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s_tr
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://www.msn.com
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://www.msn.com/
            Source: vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, bhv8BC6.tmp.15.drString found in binary or memory: http://www.msn.com/?ocid=iehp
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
            Source: bhv8BC6.tmp.15.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
            Source: vbc.exe, vbc.exe, 00000010.00000002.341034426.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: InstallUtil.exe, 0000000A.00000003.303013093.0000000005CAE000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: InstallUtil.exe, 0000000A.00000003.303013093.0000000005CAE000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com.
            Source: InstallUtil.exe, 0000000A.00000003.303013093.0000000005CAE000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com9
            Source: InstallUtil.exe, 0000000A.00000003.303013093.0000000005CAE000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comdK
            Source: InstallUtil.exe, 0000000A.00000003.302539187.000000000117B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coml
            Source: InstallUtil.exe, 0000000A.00000003.303013093.0000000005CAE000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comx
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: InstallUtil.exe, 0000000A.00000003.310696053.0000000005C7A000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-g
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: InstallUtil.exe, 0000000A.00000000.333704966.0000000002B9B000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: InstallUtil.exe, 0000000A.00000003.309171852.0000000005C72000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comw
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g
            Source: vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, bhv8BC6.tmp.15.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215
            Source: vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, vbc.exe, 0000000F.00000003.349336779.0000000000C6C000.00000004.00000001.sdmp, bhv8BC6.tmp.15.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gt
            Source: vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, vbc.exe, 0000000F.00000003.348944353.0000000002A39000.00000004.00000001.sdmp, vbc.exe, 0000000F.00000002.352211892.0000000002A43000.00000004.00000001.sdmp, bhv8BC6.tmp.15.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://api.taboola.com/1.2/json/taboola-usersync/user.sync?app.type=desktop&app.apikey=e60e3b54fc66
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
            Source: bhv8BC6.tmp.15.drString found in binary or memory: https://contextual.media.net/
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://cvision.media.net/new/286x175/2/79/227/59/931bcbc9-c308-445b-ac87-70a69b051455.jpg?v=9
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://cvision.media.net/new/300x194/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://cvision.media.net/new/300x300/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBEB4CB72
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://fonts.googleapis.com/css?family=Google
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:300
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOlCnqEu92Fr1MmEU9fBBc-.woff
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOlCnqEu92Fr1MmSU5fBBc-.woff
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOmCnqEu92Fr1Mu4mxM.woff
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7064439419818173&output=html&h=250&twa=
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://googleads.g.doubleclick.net/pagead/adview?ai=C4ZZc-r8UXcilEM6E-gaA-YLQCODD_YZVtLCoh4gJ8ui0tf
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/si
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20190624/r20190131/zrt_lookup.html
            Source: vbc.exe, 0000000F.00000003.350371868.00000000028C1000.00000004.00000001.sdmp; String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20190624/r20190131/zrt_lookup.htmlB4-AAAAid7__f__3_
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
            Source: vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, vbc.exe, 0000000F.00000003.348944353.0000000002A39000.00000004.00000001.sdmp, bhv8BC6.tmp.15.dr; String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wre
            Source: vbc.exe, 0000000F.00000003.349148362.0000000002A2E000.00000004.00000001.sdmp, bhv8BC6.tmp.15.dr; String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1561640951&rver=7.0.6730.0&wp=l
            Source: vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, bhv8BC6.tmp.15.dr; String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, bhv8BC6.tmp.15.dr; String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, bhv8BC6.tmp.15.dr; String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, bhv8BC6.tmp.15.dr; String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
            Source: vbc.exe, 0000000F.00000003.349122141.0000000000C6D000.00000004.00000001.sdmp; String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeyy
            Source: vbc.exe; String found in binary or memory: https://login.yahoo.com/config/login
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://mcdp-chidc2.outbrain.com/l?token=c21d6fc334f1b2ec2cf4d2cbc4199764_4535_1561640954843
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://mcdp-chidc2.outbrain.com/l?token=cadd7d1b12e34ff71b0237f3627e8ef3_4535_1561640955067
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://mcdp-chidc2.outbrain.com/l?token=e2c41a910c7be90243b349629cd840b2_4535_1561640955327
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://p.rfihub.com/cm?in=1&pub=345&userid=3011883223893104794
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://pagead2.googlesyndication.com/pub-config/r20160913/ca-pub-7064439419818173.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://pki.goog/repository/0
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://pr-bh.ybp.yahoo.com/sync/msn/0D4108E9D28A6B29364F0561D37B6A29
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://secure.comodo.com/CPS0
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=9a5be529d6034927bda092231704a93b&c=MSN&d=http%3A%2F%2Fwww.msn
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://sync.outbrain.com/cookie-sync?p=medianet&uid=2046425540973639000V10
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/abg_lite.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/client/m_js_controller.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/client/qs_click_protection.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/client/window_focus.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://tpc.googlesyndication.com/simgad/1034445299425550758?w=300&h=300
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://widgets.outbrain.com/
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://widgets.outbrain.com/widgetOBUserSync/obUserSync.html
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.digicert.com/CPS0
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.globalsign.com/repository/0
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google-analytics.com/analytics.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=892565928.1601478348
            Source: 201021.exe, 00000001.00000002.299444027.0000000002941000.00000004.00000001.sdmp; String found in binary or memory: https://www.google.com
            Source: 201021.exe, 00000001.00000002.299444027.0000000002941000.00000004.00000001.sdmp, bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/
            Source: vbc.exe; String found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
            Source: vbc.exe, 0000000F.00000003.349148362.0000000002A2E000.00000004.00000001.sdmp, bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/pagead/drt/ui
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd.js?cb=%2Fr20100101
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd_listener.js?cache=r20110914
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
            Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
            Source: unknown; DNS traffic detected: queries for: www.google.com
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1; Host: www.google.com; Connection: Keep-Alive
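            Almost every URL in the list above is sourced only from bhv8BC6.tmp.15.dr, while the only network activity the sandbox actually observed is a DNS lookup and a bare GET / to www.google.com. Reading the Source column decides which strings are indicators and which are noise: a ".<n>.dr" suffix marks a file dropped by process index n, an ".sdmp" name is a memory dump whose first field is the process index in hex (0000000F = 15, which this report pairs with vbc.exe), and a bare image name on its own means the string sits in that executable on disk. On that reading, the MSN, ad-network, font and Chrome-download URLs are browser residue that the credential-recovery stage (process 15) wrote into its output file, not infrastructure the sample contacts. The Python below, an added example that is not part of the sandbox report, triages a constructed excerpt of these lines by evidence tier; the process-index map and the interpretation of the source tokens are assumptions taken from this report's own naming, not a documented format.

```python
import re
from urllib.parse import urlsplit

# Process indices read off this report's own dump names (assumption: 0000000F = 15 = vbc.exe,
# 00000001 = 201021.exe, 0000000A = InstallUtil.exe); not a general Joe Sandbox convention.
PROCESS_INDEX = {1: "201021.exe", 10: "InstallUtil.exe", 15: "vbc.exe"}

# Constructed excerpt of report lines. The regex tolerates both the fused
# "...drString found" text as extracted and the separated "...; String found" form.
REPORT_LINES = """
Source: bhv8BC6.tmp.15.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhv8BC6.tmp.15.dr; String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: vbc.exe, 0000000F.00000003.350371868.00000000028C1000.00000004.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20190624/r20190131/zrt_lookup.htmlB4-AAAAid7__f__3_
Source: vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, bhv8BC6.tmp.15.dr; String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: vbc.exe; String found in binary or memory: https://login.yahoo.com/config/login
Source: 201021.exe, 00000001.00000002.299444027.0000000002941000.00000004.00000001.sdmp; String found in binary or memory: https://www.google.com
Source: unknown; DNS traffic detected: queries for: www.google.com
"""

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?);?\s*String found in binary or memory:\s*(?P<url>\S+)")
SDMP_RE = re.compile(r"^(?P<idx>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp$")
DROP_RE = re.compile(r"^(?P<name>.+)\.(?P<idx>\d+)\.dr$")

# Lower rank = stronger evidence that the URL belongs to the malware rather than the victim.
RANK = {"disk": 0, "memory": 1, "dropped": 2}
TIER_NAME = {"disk": "on-disk", "memory": "in-memory", "dropped": "dropped-only"}


def classify_sources(src_field):
    """Yield (kind, process) for every evidence token in the Source column."""
    tokens = [t.strip() for t in src_field.split(",")]
    for i, tok in enumerate(tokens):
        if m := SDMP_RE.match(tok):
            idx = int(m["idx"], 16)
            yield "memory", PROCESS_INDEX.get(idx, f"index {idx}")
        elif m := DROP_RE.match(tok):
            idx = int(m["idx"])
            yield "dropped", PROCESS_INDEX.get(idx, f"index {idx}")
        elif i + 1 < len(tokens) and SDMP_RE.match(tokens[i + 1]):
            continue  # bare image name that only labels the dump token following it (assumption)
        else:
            yield "disk", tok  # string present in the executable file itself


def triage(report_text):
    """Map each URL to its best evidence tier, the processes involved and its host."""
    findings = {}
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # DNS/HTTP rows and anything else are not string findings
        evidence = list(classify_sources(m["src"]))
        best = min(evidence, key=lambda e: RANK[e[0]])[0]
        findings[m["url"]] = {
            "tier": TIER_NAME[best],
            "processes": sorted({p for _, p in evidence}),
            "host": urlsplit(m["url"]).hostname,
        }
    return findings


def candidate_iocs(findings):
    """URLs backed by the sample's own files or memory; dropped-file-only hits are browser residue."""
    return sorted(url for url, f in findings.items() if f["tier"] != "dropped-only")


def hosts_by_tier(findings):
    out = {}
    for f in findings.values():
        out.setdefault(f["tier"], set()).add(f["host"])
    return out


if __name__ == "__main__":
    found = triage(REPORT_LINES)
    for url in candidate_iocs(found):
        print(found[url]["tier"], found[url]["processes"], url)
    print("dropped-only hosts:", sorted(hosts_by_tier(found)["dropped-only"]))
```

Even the "on-disk" and "in-memory" tier needs a second look before anything is blocked: the yahoo and Google login URLs sit in vbc.exe, the process that carries the password-recovery stage, and https://www.google.com in the sample's memory matches the single connectivity-style GET the sandbox saw. The point of the tiers is to stop the dropped-file residue from ever reaching a blocklist, not to promote the rest automatically.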

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match; File source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.0.InstallUtil.exe.408208.13.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.0.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.InstallUtil.exe.2b5b360.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.0.InstallUtil.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.0.InstallUtil.exe.45fa72.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.0.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.0.InstallUtil.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.201021.exe.39c2a8f.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.201021.exe.39bac82.3.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.201021.exe.3c5fec2.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.201021.exe.39c108a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.201021.exe.3c0a05d.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000000.341956541.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000000.334072591.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000000.341915829.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: 201021.exe PID: 2168, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6672, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: WerFault.exe PID: 2212, type: MEMORYSTR
            Installs a global keyboard hook
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Windows user hook set: 0 keyboard low level C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
            Contains functionality to log keystrokes (.Net Source)
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.cs; .Net Code: HookKeyboard
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.cs; .Net Code: HookKeyboard
            Source: 10.0.InstallUtil.exe.400000.1.unpack, Form1.cs; .Net Code: HookKeyboard
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 15_2_0040D674 OpenClipboard,GetLastError,DeleteFileW
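            The match list above names the same HawkEye payload in many artefacts, and the identifiers carry the answer to the first question a responder asks: which processes hold the payload, and where in their address space. Two things stand out once the names are decoded. The keyboard hook and the HookKeyboard code are attributed to InstallUtil.exe running from %Temp%, whereas the genuine InstallUtil.exe ships under C:\Windows\Microsoft.NET\Framework\<version>\, so the path alone is suspect. And the matches in InstallUtil.exe sit at 0x400000, the default image base of a 32-bit PE, while the matches in 201021.exe sit at heap-range addresses (0x39bac82, 0x3c08658), which is the memory picture of a loader holding the payload as data and then writing it over the image of a freshly created host process. The Python below, an added example and not part of the sandbox report, parses a constructed excerpt of these lines into a per-process table. It assumes the naming conventions "<process index>.<dump sequence>.<image>.<hex address>.<n>[.raw].unpack" for unpacked PEs and "<index hex8>.<sequence hex8>.<id>.<region hex16>.<protection hex8>.<n hex8>.sdmp" for raw dumps, and it reads the fifth sdmp field as a page-protection constant (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE); both readings are inferred from this report's own names, not from a documented format.

```python
import re

DEFAULT_IMAGE_BASE = 0x400000      # default image base of a 32-bit PE executable
PAGE_EXECUTE_READWRITE = 0x40      # Win32 memory-protection constant

# Constructed excerpt of the "Yara detected HawkEye Keylogger" match list above.
# LINE_RE searches for "File source:", so the fused "Yara matchFile source:" text as
# extracted parses the same way as this separated form.
MATCH_LINES = """
Source: Yara match; File source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.InstallUtil.exe.2b5b360.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 201021.exe PID: 2168, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6672, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: WerFault.exe PID: 2212, type: MEMORYSTR
"""

LINE_RE = re.compile(r"File source:\s*(?P<src>.+?),\s*type:\s*(?P<type>\w+)")
# Assumed: <process index>.<dump sequence>.<image>.<hex address>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.(?P<seq>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")
# Assumed: <index hex8>.<sequence hex8>.<id>.<region hex16>.<protection hex8>.<n hex8>.sdmp
SDMP_RE = re.compile(r"^(?P<idx>[0-9A-F]{8})\.(?P<seq>[0-9A-F]{8})\.\d+\.(?P<addr>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$")
PMS_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")


def parse_source(src):
    """Decode one File source identifier into a flat record, or None if unrecognised."""
    if m := UNPACK_RE.match(src):
        return {"kind": "unpack", "index": int(m["idx"]), "image": m["image"],
                "addr": int(m["addr"], 16), "prot": None, "pid": None}
    if m := SDMP_RE.match(src):
        return {"kind": "sdmp", "index": int(m["idx"], 16), "image": None,
                "addr": int(m["addr"], 16), "prot": int(m["prot"], 16), "pid": None}
    if m := PMS_RE.match(src):
        return {"kind": "memstr", "index": None, "image": m["image"],
                "addr": None, "prot": None, "pid": int(m["pid"])}
    return None


def parse_matches(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = parse_source(m["src"].strip())
        if entry:
            entry["type"] = m["type"]
            entries.append(entry)
    return entries


def build_process_table(text):
    """Group every match by process image: index, PIDs, unpacked-PE bases and dumped regions."""
    entries = parse_matches(text)
    # Raw dumps carry only the index; learn index -> image from the unpack names first.
    index_to_image = {e["index"]: e["image"] for e in entries if e["kind"] == "unpack"}
    table = {}
    for e in entries:
        image = e["image"] or index_to_image.get(e["index"]) or f"index {e['index']}"
        row = table.setdefault(image, {"index": e["index"], "pids": set(),
                                       "unpack_bases": set(), "regions": set(), "rwx_regions": set()})
        if e["index"] is not None:
            row["index"] = e["index"]
        if e["kind"] == "unpack":
            row["unpack_bases"].add(e["addr"])
        elif e["kind"] == "sdmp":
            row["regions"].add(e["addr"])
            if e["prot"] == PAGE_EXECUTE_READWRITE:
                row["rwx_regions"].add(e["addr"])
        else:
            row["pids"].add(e["pid"])
    return table


def image_base_hits(table, base=DEFAULT_IMAGE_BASE):
    """Images in which the family signature matched an unpacked PE at the image base itself."""
    return sorted(img for img, row in table.items() if base in row["unpack_bases"])


if __name__ == "__main__":
    table = build_process_table(MATCH_LINES)
    for image, row in table.items():
        print(image, "index", row["index"], "pids", sorted(row["pids"]),
              "unpack", [hex(a) for a in sorted(row["unpack_bases"])],
              "rwx", [hex(a) for a in sorted(row["rwx_regions"])])
    print("payload mapped at image base in:", image_base_hits(table))
```

In the excerpt the only image with a hit at 0x400000 is InstallUtil.exe, and its dumped region at 0x402000 is the one carrying the 0x40 protection value; a normally mapped .NET host has its code pages execute-read, not execute-read-write. The index 18 row stays unnamed because no unpack line in the excerpt ties that index to an image, which is the right behaviour: the table should say what the report says and no more.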

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.0.InstallUtil.exe.408208.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.0.InstallUtil.exe.408208.13.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.0.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.0.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.2.InstallUtil.exe.2b5b360.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.0.InstallUtil.exe.45fa72.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.0.InstallUtil.exe.45fa72.14.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.0.InstallUtil.exe.45fa72.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.0.InstallUtil.exe.45fa72.4.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.0.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.0.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 10.0.InstallUtil.exe.409c0d.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.0.InstallUtil.exe.409c0d.12.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.201021.exe.39c2a8f.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.201021.exe.39c2a8f.4.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.201021.exe.39bac82.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.201021.exe.39bac82.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.201021.exe.3c5fec2.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.201021.exe.3c5fec2.8.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.201021.exe.39c108a.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.201021.exe.39c108a.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.201021.exe.3c0a05d.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.201021.exe.3c0a05d.6.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000000.341915829.0000000002DCA000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            .NET source code contains very large array initializations
            Source: 201021.exe, Ne5k/Wf23.cs | Large array initialization: .cctor: array initializer size 3834
            Source: 201021.exe, Yn9/n8R.cs | Large array initialization: .cctor: array initializer size 4656
            Source: 201021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 10.0.InstallUtil.exe.7ca0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.7ca0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.0.InstallUtil.exe.408208.13.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.0.InstallUtil.exe.408208.13.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.0.InstallUtil.exe.408208.13.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.0.InstallUtil.exe.2b8d4c0.16.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.0.InstallUtil.exe.7ca0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.0.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.0.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.0.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.0.InstallUtil.exe.7d10000.20.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.2b5b360.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.2b5b360.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.0.InstallUtil.exe.2b8d4c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.7d10000.10.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.0.InstallUtil.exe.7d10000.10.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.0.InstallUtil.exe.45fa72.14.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.0.InstallUtil.exe.45fa72.14.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.0.InstallUtil.exe.45fa72.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.0.InstallUtil.exe.45fa72.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.0.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.0.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 10.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.0.InstallUtil.exe.409c0d.12.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 10.0.InstallUtil.exe.409c0d.12.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.201021.exe.39c2a8f.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.201021.exe.39c2a8f.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.201021.exe.39c2a8f.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.201021.exe.39bac82.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.201021.exe.39bac82.3.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.201021.exe.39bac82.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.201021.exe.3c5fec2.8.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.201021.exe.3c5fec2.8.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.201021.exe.3c5fec2.8.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.201021.exe.39c108a.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.201021.exe.39c108a.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.201021.exe.39c108a.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.201021.exe.3c0a05d.6.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.201021.exe.3c0a05d.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.201021.exe.3c0a05d.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.InstallUtil.exe.2b7109c.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0000000A.00000002.406134139.0000000007D10000.00000004.00020000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000000.337600996.0000000007D10000.00000004.00020000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0000000A.00000000.337446969.0000000007CA0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0000000A.00000000.347217323.0000000007D10000.00000004.00020000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000000.347141160.0000000007CA0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0000000A.00000002.406066723.0000000007CA0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000000.341915829.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1932
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_008820B0
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_02AFB29C
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_02AFC310
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_02AFB290
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_02AFB1F2
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_02AF99D0
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_02AFDFD0
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_0737B4E0
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_0737EEC8
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_0737BDB0
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_0737B4D5
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_0737B198
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_07370006
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_07376FA0
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_07376FE4
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_0737FCB8
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_081E0040
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00405CF6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00404419
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00404516
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00413538
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_004145A1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_0040E639
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_004337AF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_004399B1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_0043DAE7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00403F85
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00411F99
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00404DDB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0040BD8A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00404E4C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00404EBD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00404F4E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_081E0CB0 NtSetContextThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_081E0A98 NtResumeThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_081E0BF8 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_081E0CAB NtSetContextThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 10_2_081E0BF3 NtWriteVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: 201021.exeBinary or memory string: OriginalFilename vs 201021.exe
            Source: 201021.exe, 00000001.00000002.298194628.00000000003C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamesis.exe" vs 201021.exe
            Source: 201021.exe, 00000001.00000002.308492623.0000000006870000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameRunPe6.dll" vs 201021.exe
            Source: 201021.exe, 00000001.00000002.304273312.0000000002F05000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs 201021.exe
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 201021.exe
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 201021.exe
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs 201021.exe
            Source: 201021.exe, 00000001.00000002.305782929.0000000003948000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSHCore1.dll0 vs 201021.exe
            Source: 201021.exe, 00000001.00000002.307784889.00000000063D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInstallUtil.exeT vs 201021.exe
            Source: 201021.exeBinary or memory string: OriginalFilenamesis.exe" vs 201021.exe
            Source: 201021.exeReversingLabs: Detection: 40%
            Source: 201021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\201021.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\201021.exe 'C:\Users\user\Desktop\201021.exe'
            Source: C:\Users\user\Desktop\201021.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1932
            Source: C:\Users\user\Desktop\201021.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
            Source: C:\Users\user\Desktop\201021.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\201021.exe.log
            Source: C:\Users\user\Desktop\201021.exe File created: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
            Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@8/12@2/2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000F.00000002.351623076.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
            Source: C:\Users\user\Desktop\201021.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.csBase64 encoded string: 'jwpdbTVcqJzxvfBDtW68q7oRfljM8b8abw7DEV5/tgiR5+6Av2KoKY3S9Gf8JxQe', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.csBase64 encoded string: 'jwpdbTVcqJzxvfBDtW68q7oRfljM8b8abw7DEV5/tgiR5+6Av2KoKY3S9Gf8JxQe', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: 10.0.InstallUtil.exe.400000.1.unpack, Form1.csBase64 encoded string: 'jwpdbTVcqJzxvfBDtW68q7oRfljM8b8abw7DEV5/tgiR5+6Av2KoKY3S9Gf8JxQe', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6672
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
            Source: C:\Users\user\Desktop\201021.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\201021.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: 201021.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: 201021.exeStatic file information: File size 1327104 > 1048576
            Source: 201021.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 201021.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x143600
            Source: 201021.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: anagement.pdb source: WerFault.exe, 00000012.00000003.372347216.0000000005617000.00000004.00000001.sdmp
            Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.354853328.0000000003143000.00000004.00000001.sdmp
            Source: Binary string: System.Runtime.Remoting.pdbqk source: WERC408.tmp.dmp.18.dr
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: nsi.pdb{q6 source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.372439909.00000000055D6000.00000004.00000040.sdmp
            Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
            Source: Binary string: System.Windows.Forms.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.353326488.0000000003137000.00000004.00000001.sdmp
            Source: Binary string: System.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: nlaapi.pdbUl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: cryptsp.pdb[y>!- source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: ml.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: winnsi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: clr.pdb source: WerFault.exe, 00000012.00000003.372500112.00000000055D0000.00000004.00000040.sdmp
            Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: ility.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
            Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.pdbyq7 source: WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: System.Configuration.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.353950302.0000000003149000.00000004.00000001.sdmp
            Source: Binary string: anagement.pdb" source: WerFault.exe, 00000012.00000003.372347216.0000000005617000.00000004.00000001.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.372191782.00000000055D1000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.406134139.0000000007D10000.00000004.00020000.sdmp
            Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: 201021.exe, 00000001.00000002.307784889.00000000063D0000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000000.338774279.0000000000882000.00000002.00020000.sdmp, InstallUtil.exe.1.dr
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exe
            Source: Binary string: mscorlib.pdbdb source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
            Source: Binary string: System.Configuration.pdbHH source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
            Source: Binary string: mscoree.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
            Source: Binary string: DWrite.pdbml source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: Accessibility.pdb~y> source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: k0C:\Windows\mscorlib.pdb source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
            Source: Binary string: System.Core.ni.pdb~y> source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: wintrust.pdbkl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: symbols\dll\mscorlib.pdb source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
            Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000012.00000003.372191782.00000000055D1000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.ni.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: dnsapi.pdbl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: nsi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: comctl32v582.pdb{x6 source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000012.00000003.372439909.00000000055D6000.00000004.00000040.sdmp
            Source: Binary string: CMemoryExecute.pdb" source: WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp
            Source: Binary string: rasadhlp.pdbYl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WERC408.tmp.dmp.18.dr
            Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: msasn1.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.pdb source: InstallUtil.exe, 0000000A.00000002.405748695.00000000073BB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: DWrite.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.372439909.00000000055D6000.00000004.00000040.sdmp
            Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: System.Management.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.354853328.0000000003143000.00000004.00000001.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERC408.tmp.dmp.18.dr
            Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS source: WERC408.tmp.dmp.18.dr
            Source: Binary string: InstallUtil.PDB source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
            Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: System.Core.ni.pdbRSDSD source: WERC408.tmp.dmp.18.dr
            Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: rawing.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000012.00000003.372191782.00000000055D1000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.ni.pdb~y> source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: InstallUtil.pdb source: 201021.exe, 00000001.00000002.307784889.00000000063D0000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.1.dr
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.372500112.00000000055D0000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.372500112.00000000055D0000.00000004.00000040.sdmp
            Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdb9lf source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: wmiutils.pdb3ll source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: wbemprox.pdbgl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: System.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.353326488.0000000003137000.00000004.00000001.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.372500112.00000000055D0000.00000004.00000040.sdmp
            Source: Binary string: WLDP.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WERC408.tmp.dmp.18.dr
            Source: Binary string: clrjit.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: System.Core.pdb~y> source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb~y> source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: dhcpcsvc6.pdbOl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: System.Drawing.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
            Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: fastprox.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: winrnr.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exe
            Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: version.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: wintrust.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: System.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: ore.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.372500112.00000000055D0000.00000004.00000040.sdmp
            Source: Binary string: psapi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: CMemoryExecute.pdbMZ source: WERC408.tmp.dmp.18.dr
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
            Source: Binary string: dhcpcsvc.pdbSl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: rawing.pdb" source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.353950302.0000000003149000.00000004.00000001.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
            Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000012.00000003.372191782.00000000055D1000.00000004.00000040.sdmp
            Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: combase.pdbk source: WerFault.exe, 00000012.00000003.372439909.00000000055D6000.00000004.00000040.sdmp
            Source: Binary string: System.Core.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: System.pdb4: source: WERC408.tmp.dmp.18.dr
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
            Source: Binary string: b.pdb00CE6}IgQ source: InstallUtil.exe, 0000000A.00000000.339327398.0000000000FA0000.00000004.00000020.sdmp
            Source: Binary string: winnsi.pdbAl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: .pdb source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
            Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
            Source: Binary string: crypt32.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.0.InstallUtil.exe.400000.1.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.0.InstallUtil.exe.400000.1.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.0.InstallUtil.exe.400000.1.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.0.InstallUtil.exe.400000.1.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\201021.exe Code function: 1_2_003C4F7C push esi; iretd
            Source: C:\Users\user\Desktop\201021.exe Code function: 1_2_003C4F66 push esi; iretd
            Source: C:\Users\user\Desktop\201021.exe Code function: 1_2_003C4163 push ds; iretd
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 10_2_02AFE672 push esp; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00442871 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00442A90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00446E54 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00411879 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_004118A0 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: 201021.exe, s0E4/y4L2.cs High entropy of concatenated method names: '.ctor', 'Pq0n', 'Dg7w', 'Ai6k', 'Ga43', 'Ci9w', 'p3ET', 'Jb03', 'n1W2', 'Xf2y'
            Source: C:\Users\user\Desktop\201021.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

            Hooking and other Techniques for Hiding and Protection:

            Changes the view of files in windows explorer (hidden files and folders)
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\201021.exe File opened: C:\Users\user\Desktop\201021.exe\:Zone.Identifier read attributes | delete
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\201021.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\201021.exe TID: 6568 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\Desktop\201021.exe TID: 6652 Thread sleep count: 165 > 30
            Source: C:\Users\user\Desktop\201021.exe TID: 2284 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\201021.exe TID: 2832 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6764 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7024 Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7028 Thread sleep time: -140000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7036 Thread sleep time: -300000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6168 Thread sleep time: -180000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Users\user\Desktop\201021.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\201021.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 300000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 180000
            Source: C:\Users\user\Desktop\201021.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_004161B0 memset,GetSystemInfo,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
            Source: C:\Users\user\Desktop\201021.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\201021.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 120000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 140000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 300000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 180000
            Source: Amcache.hve.18.dr Binary or memory string: VMware
            Source: Amcache.hve.18.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
            Source: WerFault.exe, 00000012.00000002.397598612.0000000004E70000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWx
            Source: Amcache.hve.18.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
            Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual USB Mouse
            Source: 201021.exe Binary or memory string: IHGFSD
            Source: Amcache.hve.18.dr Binary or memory string: VMware, Inc.
            Source: bhv8BC6.tmp.15.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:EE4890C5-90AE-59E2-5AC5-C20AA6654592&ctry=US&time=20211020T175915Z&lc=en-US&pl=en-US&idtp=mid&uid=d9fcfe42-b5d5-4629-ac66-c2605ea824c4&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=ab01de4f31394836bbe449e99249472f&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1218113&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1218113&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
            Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
            Source: Amcache.hve.18.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.18.dr Binary or memory string: VMware7,1
            Source: Amcache.hve.18.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.18.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: WerFault.exe, 00000012.00000002.397927801.0000000005011000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
            Source: Amcache.hve.18.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.18.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.18.dr Binary or memory string: VMware, Inc.me
            Source: Amcache.hve.18.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
            Source: Amcache.hve.18.dr Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
            Source: InstallUtil.exe, 0000000A.00000000.339215590.0000000000F24000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: Amcache.hve.18.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\201021.exe Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\201021.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Sample uses process hollowing technique
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\201021.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
            Source: C:\Users\user\Desktop\201021.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
            Source: C:\Users\user\Desktop\201021.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 482000
            Source: C:\Users\user\Desktop\201021.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 486000
            Source: C:\Users\user\Desktop\201021.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: B9A008
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
            .NET source code references suspicious native API functions
            Source: 10.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 10.2.InstallUtil.exe.400000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
            Source: 10.0.InstallUtil.exe.400000.11.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 10.0.InstallUtil.exe.400000.11.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
            Source: 10.0.InstallUtil.exe.400000.1.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 10.0.InstallUtil.exe.400000.1.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\201021.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\201021.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: InstallUtil.exe, 0000000A.00000000.333452383.0000000001550000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
            Source: InstallUtil.exe, 0000000A.00000000.333452383.0000000001550000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: InstallUtil.exe, 0000000A.00000000.333452383.0000000001550000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: InstallUtil.exe, 0000000A.00000000.333452383.0000000001550000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\201021.exe | Queries volume information: C:\Users\user\Desktop\201021.exe VolumeInformation
            Source: C:\Users\user\Desktop\201021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\201021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\201021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\201021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\201021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\201021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\201021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
            Source: C:\Users\user\Desktop\201021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\201021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\201021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00407674 GetVersionExW,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
            Source: Amcache.hve.18.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: InstallUtil.exe, 0000000A.00000000.339327398.0000000000FA0000.00000004.00000020.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: InstallUtil.exe, 0000000A.00000000.339327398.0000000000FA0000.00000004.00000020.sdmpBinary or memory string: Defender\MsMpeng.exe

            Stealing of Sensitive Information:

            Yara detected MailPassViewShow sources
            Source: Yara matchFile source: 10.0.InstallUtil.exe.3b39930.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.3b39930.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.201021.exe.3c5fec2.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.45fa72.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.408208.13.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.45fa72.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.3b39930.18.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.InstallUtil.exe.3b39930.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.InstallUtil.exe.45fa72.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.3b39930.18.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.InstallUtil.exe.3b39930.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.45fa72.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.0.InstallUtil.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.201021.exe.39c2a8f.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.201021.exe.39bac82.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.201021.exe.3c5fec2.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.201021.exe.39c108a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.201021.exe.3c0a05d.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000000.334186783.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000000.344058983.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.401344855.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.341034426.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 201021.exe PID: 2168, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6672, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 7128, type: MEMORYSTR
            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.408208.13.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.2b5b360.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.45fa72.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39c2a8f.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39bac82.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.3c5fec2.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39c108a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.3c0a05d.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.341956541.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.334072591.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.341915829.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 201021.exe PID: 2168, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6672, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 2212, type: MEMORYSTR
            Tries to steal Mail credentials (via file registry)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword
            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match | File source: 10.0.InstallUtil.exe.3b39930.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.409c0d.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.3b51b50.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.408208.13.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.409c0d.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.3b39930.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.3b51b50.17.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.3c0a05d.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39c2a8f.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.3b51b50.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.3b39930.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.3b51b50.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.409c0d.12.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.3b51b50.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.3b51b50.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39c2a8f.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39bac82.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.3c5fec2.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39c108a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.3c0a05d.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.334186783.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.344058983.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.401344855.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.351623076.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 201021.exe PID: 2168, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6672, type: MEMORYSTR
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

            Remote Access Functionality:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 10.0.InstallUtil.exe.400000.11.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.408208.13.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.2b5b360.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39bac82.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.45fa72.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.InstallUtil.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39c2a8f.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39bac82.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.3c5fec2.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.3c08658.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.39c108a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.201021.exe.3c0a05d.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.341956541.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.334072591.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.341915829.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 201021.exe PID: 2168, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6672, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 2212, type: MEMORYSTR
            Detected HawkEye Rat
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Source: InstallUtil.exe, 0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp | String found in binary or memory: m&HawkEye_Keylogger_Execution_Confirmed_
            Source: InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Source: InstallUtil.exe, 0000000A.00000000.333704966.0000000002B9B000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger
            Source: InstallUtil.exe, 0000000A.00000002.400306360.0000000002B6E000.00000004.00000001.sdmp | String found in binary or memory: m"HawkEye_Keylogger_Stealer_Records_
            Source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Replication Through Removable Media1 | Windows Management Instrumentation1 | Application Shimming1 | Application Shimming1 | Disable or Modify Tools1 | OS Credential Dumping1 | System Time Discovery1 | Replication Through Removable Media1 | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API11 | Boot or Logon Initialization Scripts | Process Injection312 | Deobfuscate/Decode Files or Information11 | Input Capture21 | Peripheral Device Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Encrypted Channel11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Shared Modules1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information31 | Credentials in Registry2 | Account Discovery1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing11 | Credentials In Files1 | File and Directory Discovery1 | Distributed Component Object Model | Input Capture21 | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | System Information Discovery18 | SSH | Clipboard Data1 | Data Transfer Size Limits | Application Layer Protocol3 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion31 | Cached Domain Credentials | Query Registry1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection312 | DCSync | Security Software Discovery41 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories2 | Proc Filesystem | Virtualization/Sandbox Evasion31 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Process Discovery4 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
            Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

            Behavior Graph

            Behavior Graph ID: 506137 | Sample: 201021.exe | Startdate: 20/10/2021 | Architecture: WINDOWS | Score: 100

            Signatures attached to the start node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected HawkEye Rat; 8 other signatures

            Process tree as drawn in the graph:
            201021.exe (started)
              DNS/IP: www.google.com 142.250.203.100, 443, 49746 GOOGLEUS United States
              Dropped: C:\Users\user\AppData\...\InstallUtil.exe, PE32
              Dropped: C:\Users\user\AppData\...\201021.exe.log, ASCII
              Signatures: Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
              InstallUtil.exe (started by 201021.exe)
                DNS/IP: 192.168.2.1 unknown unknown; 114.82.9.0.in-addr.arpa
                Signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Sample uses process hollowing technique; 2 other signatures
                vbc.exe (started by InstallUtil.exe)
                  Signatures: Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc)
                vbc.exe (started by InstallUtil.exe)
                  Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
                WerFault.exe (started by InstallUtil.exe)


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            201021.exe | 41% | ReversingLabs | Win32.Trojan.AgentTesla
            201021.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            10.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
            10.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
            10.0.InstallUtil.exe.400000.11.unpack | 100% | Avira | TR/AD.MExecute.lzrac
            10.0.InstallUtil.exe.400000.11.unpack | 100% | Avira | SPR/Tool.MailPassView.473
            10.0.InstallUtil.exe.400000.1.unpack | 100% | Avira | TR/AD.MExecute.lzrac
            10.0.InstallUtil.exe.400000.1.unpack | 100% | Avira | SPR/Tool.MailPassView.473
            1.2.201021.exe.39bac82.3.unpack | 100% | Avira | TR/Inject.vcoldi
            15.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://www.jiyu-kobo.co.jp/a-e | 0% | URL Reputation | safe
            https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
            https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe
            http://www.founder.com.cn/cnht | 0% | URL Reputation | safe
            http://www.fontbureau.comdfetXU | 0% | Avira URL Cloud | safe
            http://www.fontbureau.comldv | 0% | Avira URL Cloud | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/Stan | 0% | Avira URL Cloud | safe
            http://www.sajatypeworks.comdK | 0% | Avira URL Cloud | safe
            https://pki.goog/repository/0 | 0% | URL Reputation | safe
            https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            http://www.fontbureau.comals | 0% | URL Reputation | safe
            http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/d | 0% | URL Reputation | safe
            http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxMmRiZGQ2ZTMxY2I0MTYxNmZjOWNjNjExZDU3MzhiY2UwN | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            https://aefd.nelreports.net/api/report?cat=bingth | 0% | URL Reputation | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://www.fontbureau.comony | 0% | Avira URL Cloud | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxOGQyZTYxNTQ5NjE3M2VjYzlkYWMyMWExY2Q4ZDFlYTRmM | 0% | Avira URL Cloud | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | 0% | Avira URL Cloud | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://www.fontbureau.comueed | 0% | URL Reputation | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ3OGFmNTY2YzEzMzI1ZTIwNzU3Y2FhOTg3NTNjNGRmMzYwZ | 0% | Avira URL Cloud | safe
            http://www.fontbureau.comd$V | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/FU | 0% | Avira URL Cloud | safe
            http://en.wikipg | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
            https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.google.com | 142.250.203.100 | true | false | | high
            114.82.9.0.in-addr.arpa | unknown | unknown | false | | high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005WerFault.exe, 00000012.00000003.365286808.0000000005B30000.00000004.00000001.sdmpfalse
                  high
                  https://googleads.g.doubleclick.net/pagead/html/r20190624/r20190131/zrt_lookup.htmlbhv8BC6.tmp.15.drfalse
                    high
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200WerFault.exe, 00000012.00000003.365286808.0000000005B30000.00000004.00000001.sdmpfalse
                      high
                      http://www.jiyu-kobo.co.jp/a-eInstallUtil.exe, 0000000A.00000003.309507974.0000000005C77000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9bhv8BC6.tmp.15.drfalse
                        high
                        https://googleads.g.doubleclick.net/pagead/html/r20190624/r20190131/zrt_lookup.htmlB4-AAAAid7__f__3_vbc.exe, 0000000F.00000003.350371868.00000000028C1000.00000004.00000001.sdmpfalse
                          high
                          http://www.msn.combhv8BC6.tmp.15.drfalse
                            high
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovinceWerFault.exe, 00000012.00000003.365286808.0000000005B30000.00000004.00000001.sdmpfalse
                              high
                              http://www.fontbureau.com/designersInstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmpfalse
                                high
                                https://deff.nelreports.net/api/report?cat=msnbhv8BC6.tmp.15.drfalse
                                • URL Reputation: safe
                                unknown
                                https://contextual.media.net/__media__/js/util/nrrV9140.jsbhv8BC6.tmp.15.drfalse
                                  high
                                  https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp, vbc.exe, 0000000F.00000003.349336779.0000000000C6C000.00000004.00000001.sdmp, bhv8BC6.tmp.15.drfalse
                                    high
                                    https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.jsbhv8BC6.tmp.15.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.pngbhv8BC6.tmp.15.drfalse
                                      high
                                      https://www.google.com/chrome/bhv8BC6.tmp.15.drfalse
                                        high
                                        http://www.founder.com.cn/cnhtInstallUtil.exe, 0000000A.00000003.306365686.0000000005C73000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.oWerFault.exe, 00000012.00000003.365286808.0000000005B30000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.fontbureau.comdfetXUInstallUtil.exe, 0000000A.00000003.314544444.0000000005C7D000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1bhv8BC6.tmp.15.drfalse
                                            high
                                            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gbhv8BC6.tmp.15.drfalse
                                              high
URL | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 00000012.00000003.365286808.0000000005B30000.00000004.00000001.sdmp | false | | high
https://cvision.media.net/new/286x175/2/79/227/59/931bcbc9-c308-445b-ac87-70a69b051455.jpg?v=9 | bhv8BC6.tmp.15.dr | false | | high
http://www.fontbureau.comldv | InstallUtil.exe, 0000000A.00000000.335330228.0000000005C70000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://whatismyipaddress.com/- | 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp; InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp; WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.site.com/logs.php | InstallUtil.exe, 0000000A.00000000.333704966.0000000002B9B000.00000004.00000001.sdmp; InstallUtil.exe, 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp | false | | high
http://www.zhongyicts.com.cn | InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 201021.exe, 00000001.00000002.299444027.0000000002941000.00000004.00000001.sdmp; InstallUtil.exe, 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp; WerFault.exe, 00000012.00000003.365286808.0000000005B30000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 00000012.00000003.365286808.0000000005B30000.00000004.00000001.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/authorizeyy | vbc.exe, 0000000F.00000003.349122141.0000000000C6D000.00000004.00000001.sdmp | false | | high
https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg | bhv8BC6.tmp.15.dr | false | | high
http://cdn.adnxs.com/v/s/169/trk.js | bhv8BC6.tmp.15.dr | false | | high
http://s.amazon-adsystem.com/v3/pr?exlist=an&fv=1.0&a=cm&cm3ppd=1 | vbc.exe, 0000000F.00000003.349148362.0000000002A2E000.00000004.00000001.sdmp; bhv8BC6.tmp.15.dr | false | | high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | bhv8BC6.tmp.15.dr | false | | high
http://www.jiyu-kobo.co.jp/Stan | InstallUtil.exe, 0000000A.00000003.309507974.0000000005C77000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comdK | InstallUtil.exe, 0000000A.00000003.303013093.0000000005CAE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c | bhv8BC6.tmp.15.dr | false | | high
https://p.rfihub.com/cm?in=1&pub=345&userid=3011883223893104794 | bhv8BC6.tmp.15.dr | false | | high
https://www.google.com/chrome/static/images/download-browser/pixel_phone.png | bhv8BC6.tmp.15.dr | false | | high
https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png | bhv8BC6.tmp.15.dr | false | | high
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie | bhv8BC6.tmp.15.dr | false | | high
https://pki.goog/repository/0 | bhv8BC6.tmp.15.dr | false | URL Reputation: safe | unknown
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | bhv8BC6.tmp.15.dr | false | URL Reputation: safe | unknown
http://cm.adform.net/pixel?adform_pid=16&adform_pc=3011883223893104794 | bhv8BC6.tmp.15.dr | false | | high
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | bhv8BC6.tmp.15.dr | false | | high
http://cdn.taboola.com/TaboolaCookieSyncScript.js | bhv8BC6.tmp.15.dr | false | | high
http://www.carterandcone.coml | InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.msn.com/ | bhv8BC6.tmp.15.dr | false | | high
https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg | bhv8BC6.tmp.15.dr | false | | high
https://www.google.com/chrome/static/images/fallback/icon-help.jpg | bhv8BC6.tmp.15.dr | false | | high
https://www.google.com/accounts/servicelogin | vbc.exe | false | | high
http://trc.taboola.com/p3p.xml | bhv8BC6.tmp.15.dr | false | | high
http://www.fontbureau.comals | InstallUtil.exe, 0000000A.00000003.314544444.0000000005C7D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.goog/gsr2/gsr2.crl0? | bhv8BC6.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/d | InstallUtil.exe, 0000000A.00000003.310696053.0000000005C7A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pki.goog/gsr2/GTSGIAG3.crt0) | bhv8BC6.tmp.15.dr | false | URL Reputation: safe | unknown
https://www.google.com/chrome/static/images/fallback/icon-fb.jpg | bhv8BC6.tmp.15.dr | false | | high
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxMmRiZGQ2ZTMxY2I0MTYxNmZjOWNjNjExZDU3MzhiY2UwN | bhv8BC6.tmp.15.dr | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingth | bhv8BC6.tmp.15.dr | false | URL Reputation: safe | unknown
https://www.google.com/chrome/static/images/homepage/google-canary.png | bhv8BC6.tmp.15.dr | false | | high
http://ib.adnxs.com/getuid?http://s.amazon-adsystem.com/ecm3?id=$UID&ex=appnexus.com | vbc.exe, 0000000F.00000003.349148362.0000000002A2E000.00000004.00000001.sdmp; bhv8BC6.tmp.15.dr | false | | high
https://sync.outbrain.com/cookie-sync?p=medianet&uid=2046425540973639000V10 | bhv8BC6.tmp.15.dr | false | | high
https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png | bhv8BC6.tmp.15.dr | false | | high
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js | bhv8BC6.tmp.15.dr | false | | high
https://www.google.com/chrome/static/js/main.v2.min.js | bhv8BC6.tmp.15.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 00000012.00000003.365286808.0000000005B30000.00000004.00000001.sdmp | false | | high
https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg | bhv8BC6.tmp.15.dr | false | | high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf | bhv8BC6.tmp.15.dr | false | | high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215 | vbc.exe, 0000000F.00000003.348895291.0000000002A2E000.00000004.00000001.sdmp; bhv8BC6.tmp.15.dr | false | | high
http://www.typography.netD | InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comony | InstallUtil.exe, 0000000A.00000003.313892692.0000000005C7E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com | InstallUtil.exe, 0000000A.00000003.304199848.0000000005CAE000.00000004.00000001.sdmp; InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | bhv8BC6.tmp.15.dr | false | | high
https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg | bhv8BC6.tmp.15.dr | false | | high
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxOGQyZTYxNTQ5NjE3M2VjYzlkYWMyMWExY2Q4ZDFlYTRmM | bhv8BC6.tmp.15.dr | false | Avira URL Cloud: safe | unknown
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | bhv8BC6.tmp.15.dr | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | InstallUtil.exe, 0000000A.00000003.303791795.000000000117B000.00000004.00000001.sdmp; InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0 | bhv8BC6.tmp.15.dr | false | | high
http://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4-AAAAid7__f_ | bhv8BC6.tmp.15.dr | false | | high
http://www.fontbureau.comueed | InstallUtil.exe, 0000000A.00000003.314544444.0000000005C7D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&euconsent=BOi01ZPOi01ZPAcABBENB4-AAA | bhv8BC6.tmp.15.dr | false | | high
http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4- | bhv8BC6.tmp.15.dr | false | | high
https://www.google.com/pagead/drt/ui | vbc.exe, 0000000F.00000003.349148362.0000000002A2E000.00000004.00000001.sdmp; bhv8BC6.tmp.15.dr | false | | high
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ3OGFmNTY2YzEzMzI1ZTIwNzU3Y2FhOTg3NTNjNGRmMzYwZ | bhv8BC6.tmp.15.dr | false | Avira URL Cloud: safe | unknown
https://widgets.outbrain.com/widgetOBUserSync/obUserSync.html | bhv8BC6.tmp.15.dr | false | | high
http://www.fontbureau.comd$V | InstallUtil.exe, 0000000A.00000003.314544444.0000000005C7D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.google.com/chrome/static/js/installer.min.js | bhv8BC6.tmp.15.dr | false | | high
http://www.jiyu-kobo.co.jp/FU | InstallUtil.exe, 0000000A.00000003.309507974.0000000005C77000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png | bhv8BC6.tmp.15.dr | false | | high
https://cvision.media.net/new/300x194/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9 | bhv8BC6.tmp.15.dr | false | | high
http://en.wikipg | InstallUtil.exe, 0000000A.00000003.303485054.0000000005C72000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | InstallUtil.exe, 0000000A.00000003.310947599.0000000005C7A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000012.00000003.365286808.0000000005B30000.00000004.00000001.sdmp | false | | high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | bhv8BC6.tmp.15.dr | false | URL Reputation: safe | unknown
https://www.google.com/chrome/static/images/homepage/google-beta.png | bhv8BC6.tmp.15.dr | false | | high
http://www.msn.com/de-ch/?ocid=iehp | bhv8BC6.tmp.15.dr | false | | high
https://www.google.com/chrome/static/images/icon-file-download.svg | bhv8BC6.tmp.15.dr | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | InstallUtil.exe, 0000000A.00000000.346221635.0000000006F02000.00000004.00000001.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.250.203.100 | www.google.com | United States | 15169 | GOOGLEUS | false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 506137
Start date: 20.10.2021
Start time: 10:58:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 201021.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
                                                                                                                                                      Classification:mal100.phis.troj.spyw.evad.winEXE@8/12@2/2
                                                                                                                                                      EGA Information:Failed
                                                                                                                                                      HDC Information:
                                                                                                                                                      • Successful, ratio: 4.5% (good quality ratio 4.2%)
                                                                                                                                                      • Quality average: 78.5%
                                                                                                                                                      • Quality standard deviation: 31.1%
                                                                                                                                                      HCA Information:
                                                                                                                                                      • Successful, ratio: 99%
                                                                                                                                                      • Number of executed functions: 0
                                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                                      Cookbook Comments:
                                                                                                                                                      • Adjust boot time
                                                                                                                                                      • Enable AMSI
                                                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                                                      Warnings:
                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 131.253.33.200, 13.107.22.200, 20.82.210.154, 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.112.88.60, 20.189.173.21, 80.67.82.235, 80.67.82.211, 40.91.112.76
                                                                                                                                                      • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wus2-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, onedsblobprdwus16.westus.cloudapp.azure.com, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, download.windowsupdate.com.edgesuite.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                                                                      • Not all processes were analyzed, report is missing behavior information
                                                                                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                                      Simulations

                                                                                                                                                      Behavior and APIs

                                                                                                                                                      Time     | Type            | Description
                                                                                                                                                      10:59:51 | API Interceptor | 1x Sleep call for process: 201021.exe modified
                                                                                                                                                      11:00:05 | API Interceptor | 6x Sleep call for process: InstallUtil.exe modified
                                                                                                                                                      11:00:35 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                                      IPs

                                                                                                                                                      No context

                                                                                                                                                      Domains

                                                                                                                                                      No context

                                                                                                                                                      ASN

                                                                                                                                                      No context

                                                                                                                                                      JA3 Fingerprints

                                                                                                                                                      No context

                                                                                                                                                      Dropped Files

                                                                                                                                                      No context

                                                                                                                                                      Created / dropped Files

                                                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_InstallUtil.exe_d8e3f1155ff363d9e41bfd4c6f0ee237dfce67a_cfdb8703_09ff7d08\Report.wer
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):65536
                                                                                                                                                      Entropy (8bit):1.245931576206268
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:11AB2jojxNVHBUZMXJKJaPXUlXK8zIUGye/u7s9S274Ithp:AsjojxPBUZMXCasVe/u7s9X4Itv
                                                                                                                                                      MD5:6F18E757022020685FFD7FFB865A6ABE
                                                                                                                                                      SHA1:10D8813BC7601326E377519B1F96B9942EBC967D
                                                                                                                                                      SHA-256:06591BECB7045A9D7CC3DD718B03215B106E6BC98048195DB14ED7DB5A23BDF7
                                                                                                                                                      SHA-512:B6F975773AB176CE585A2D2D181ECE724B2E9A92F5D196D8686A664E40E7DEC17F17C809599243F2E7F6583ACEF77F25AFEC1B5CA998DF648DC67B8465E6BD7C
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.2.2.6.4.1.8.2.3.5.4.5.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.2.2.6.4.3.3.8.7.6.0.3.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.3.3.b.2.b.d.-.1.6.8.6.-.4.9.e.2.-.8.8.e.8.-.7.2.0.c.1.2.3.c.a.a.3.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.1.6.2.e.f.3.-.d.d.5.7.-.4.6.c.6.-.b.c.9.8.-.7.9.0.a.8.5.e.2.a.3.9.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.n.s.t.a.l.l.U.t.i.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.n.s.t.a.l.l.U.t.i.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.1.0.-.0.0.0.1.-.0.0.1.7.-.b.f.f.9.-.0.a.4.5.d.c.c.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.f.d.5.e.1.2.8.2.3.d.6.b.d.e.a.c.7.2.a.5.5.8.e.7.d.d.e.9.2.2.4.0.0.0.0.0.9.0.4.!.0.0.0.0.c.8.7.5.9.0.8.a.c.b.a.5.c.a.c.1.e.0.b.4.0.f.0.6.a.8.3.f.0.f.1.5.
                                                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERC408.tmp.dmp
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Wed Oct 20 18:00:24 2021, 0x1205a4 type
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):378559
                                                                                                                                                      Entropy (8bit):3.894961819131287
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3072:H2Fl23oe5WEX8jd+pze0Q2t6g1Sgpe9gIOgF5JDRw0WRUCgUA2cmu75Cf7:WFq357pC0HZU9RpDJDmjTjfcmu7w7
                                                                                                                                                      MD5:3049839533485810D14465E4726DA33C
                                                                                                                                                      SHA1:915757C9945CB5937923850C162C490ADB0D653B
                                                                                                                                                      SHA-256:AE528163A538406D3B8F31B8A688E0D1A6A205454BFEFC749D56197502276BCE
                                                                                                                                                      SHA-512:4AB637E62A54D0C601A7E87EAF54872F3D8B795942939219B9E8527C09ED52AB01C9CDAAA10E0BB91AB4EDDE57B8A715BD88DA34A4BD8C6D873C7FA5B823F96F
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview: MDMP....... .......8Ypa......................... ...........8...b..........T.......8...........T............H...~..........\*..........H,...................................................................U...........B.......,......GenuineIntelW...........T............Ypa.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2AD.tmp.WERInternalMetadata.xml
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):8356
                                                                                                                                                      Entropy (8bit):3.689534326349387
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:Rrl7r3GLNihr6q6Yfu60KgmfZl8SRCprk89bNRsfVPm:RrlsNid6q6YG6xgmf78SINKfQ
                                                                                                                                                      MD5:A62893E0C1AADD1CCCADA28DC158301C
                                                                                                                                                      SHA1:F82745B334170EB154F95EF56CFD672BCBF5BD69
                                                                                                                                                      SHA-256:2BE0C37158DFDE82D0A72E280196F0DDAA91C12E09FEC1D7F6A78736119F786F
                                                                                                                                                      SHA-512:46B235B271821FC08446DFCE06AD0C886BF063DB09E3738AB8DDD3E8F317314FD0038E91229ECB056011057D1CB807A0B6DDD47898C4594781A449D20B1BCEB5
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.7.2.<./.P.i.d.>.......
                                                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERE790.tmp.xml
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4745
                                                                                                                                                      Entropy (8bit):4.453210211258587
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:cvIwSD8zswJgtWI9HqzIWSC8B7Ob8fm8M4JrBWXF3B+q8vUBW/j4irx0d:uITf2RlSNFOYJeBKVj4iV0d
                                                                                                                                                      MD5:9546B13D12F020AB9DB7A4F32429C82D
                                                                                                                                                      SHA1:9E07E90C25E18F606F3CD53D8D1887D79C28C1E1
                                                                                                                                                      SHA-256:24A5BBA7E5D9F40F49EB751986495AEA0C84C373AB70C16EE8E64F316F2BADFE
                                                                                                                                                      SHA-512:CD306041DAD1225141561EEAA8158260DEFF3900BEA122775F64C9812C614EB759D114F21C4E1C38D6CA1C9ECF69E06D5AAEA0BD40EB3ED3517E02399653D18E
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1218431" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\201021.exe.log
                                                                                                                                                      Process:C:\Users\user\Desktop\201021.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:modified
                                                                                                                                                      Size (bytes):1506
                                                                                                                                                      Entropy (8bit):5.3384904795508215
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoyE4G:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnom
                                                                                                                                                      MD5:30A3EDDAC9D4A76145FB4759D8AF82DC
                                                                                                                                                      SHA1:185A249C50AE1EE0B486B87808D4FCFEB35E5D97
                                                                                                                                                      SHA-256:34782E9A1557B8BEAA860DD2C4F2888DB2C196D358763F8FF8B58E2C2B77D7AB
                                                                                                                                                      SHA-512:B6EF44B2AA6388C6A09B7F762627309C6CCCB8849D0C97BB0E8C27E1F3D6F6F56C13FC0DBBBE3447BFC317A2D5FC2692232002C62FB9953DE144F01722076487
                                                                                                                                                      Malicious:true
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                                                                      Process:C:\Users\user\Desktop\201021.exe
                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):41064
                                                                                                                                                      Entropy (8bit):6.164873449128079
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                                                                                                      MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                                                                      SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                                                                                                      SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                                                                                                      SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                                                                                                      Malicious:true
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview:
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\bhv8BC6.tmp
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8ca58600, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):26738688
                                                                                                                                                      Entropy (8bit):1.0837801247897962
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24576:RrqhtSFKmLqcmDPf6r0i1cREikolT3YEgIFDFh:gsLqcU6r4nDFh
                                                                                                                                                      MD5:AFD0CF6DFD336118F6BDC18F0DC18BEB
                                                                                                                                                      SHA1:1E8624C1057E28592E0BDA679608A376CE1F588B
                                                                                                                                                      SHA-256:43A4EA08F13C26F203BDB79F6AEAB52241D7FF4218EC24B73F6352163458D2C4
                                                                                                                                                      SHA-512:AD76B8842AFB992F4A0DFE4A23A3FEE3D067E8713D3CE1486052B963EAA4376831B0D348C7D4E49FC9474DFFC2511AF7AE555410FA8AD185D6AC9E82A59C2B5D
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview:
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                                      Category:modified
                                                                                                                                                      Size (bytes):2
                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Qn:Qn
                                                                                                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview: ..
                                                                                                                                                      C:\Users\user\AppData\Roaming\pid.txt
                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4
                                                                                                                                                      Entropy (8bit):1.5
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:8n:8n
                                                                                                                                                      MD5:B9B852AC7BD1776BC5AC5CE3B41D8AF7
                                                                                                                                                      SHA1:995F4B9052D1B243AA970FF748C313834A3C43BF
                                                                                                                                                      SHA-256:C9147CDA01F0E59BB238D3BABBF1548D0B770BC61275117FE04A10A11AAE3702
                                                                                                                                                      SHA-512:34BE264A31A22B25A2D545E50B96E36DDE62FD569C6FCB0E8F00E60455833CC30B5EFCFC7F2DAE6C9DB8544E862BEAB378718B7DDF292C00AFCEDE45346EEF01
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview: 6672
                                                                                                                                                      C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):52
                                                                                                                                                      Entropy (8bit):4.550931304471529
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:oNerbJSRE2J5xAIOWRxRI0dAn:oNe0i23f5RndA
                                                                                                                                                      MD5:EE2FF13DCB0400BD0C8F8B9F434890A7
                                                                                                                                                      SHA1:782042FABD092450638703DFA7838AB9BF82F25C
                                                                                                                                                      SHA-256:F40CFEFCF8C88CA4C9C824867DC81AF96F611382623DC5992BA38614B34BAF32
                                                                                                                                                      SHA-512:D8D11FEC86CC5FD591BBA0C4FA150AF6500063222E0D1F9DAE09C12A11072630BBAD330EFF535134BD7FA8B4CA5463091BCA4D7AEAE7919CCB6EFFA66DA58CF8
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
                                                                                                                                                      C:\Windows\appcompat\Programs\Amcache.hve
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1572864
                                                                                                                                                      Entropy (8bit):4.2805852640888435
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12288:739u7n0qwTcE4aU5ofSQpMTZbozRufS6+VpNJ40yfBWdZAM+dfI:56n0qwTcE4aU5opQaR6
                                                                                                                                                      MD5:45562AEF865533706F5A50DC4518196A
                                                                                                                                                      SHA1:DD6066ACA18A49F9180C93C364E8341133886987
                                                                                                                                                      SHA-256:0FEF41F75114F15E77DF5A834078E696FC3F584F5E3FAF96AF60D65D748E2B65
                                                                                                                                                      SHA-512:16B5403EFE0AEA03B33C83470E899D43251CBDDA9CC2C474C05E3D37E15EE7CE61151B3C3D183B0B5D0385117E6C93FB55F1BDE1DD620CC672BB2EF0EB7EC18D
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview:
                                                                                                                                                      C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):28672
                                                                                                                                                      Entropy (8bit):3.665969330049969
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:768:xzOWvwqXguB3lxkbu3NYYrSaP/pafYZwyAGfjMQO7XadWgZ4:xOWvwqXB5lua3CDZW
                                                                                                                                                      MD5:98B72E560C1D288CAB119BB7A0BD559A
                                                                                                                                                      SHA1:1DBE5BEF00051DD9F4DBD590925185E3C025E2FF
                                                                                                                                                      SHA-256:473125F770CA894F7D66DCD5F1437CD74A98EDF268F72AC4005C040A46264A99
                                                                                                                                                      SHA-512:89C2C18179403C33C15FAA26D0BE61BF1BAB7DD287CA2426122E4B4BB042CB53193DEC345423C80042E1C330E3C8A592B1416E904C3FDF229E99BA8CE778AA68
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview:

                                                                                                                                                      Static File Info

                                                                                                                                                      General

                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Entropy (8bit):6.484008409032284
                                                                                                                                                      TrID:
                                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                      File name:201021.exe
                                                                                                                                                      File size:1327104
                                                                                                                                                      MD5:ff59b59d6fb138bd3a588d89ea0fa1d7
                                                                                                                                                      SHA1:fad22ded5983e8d5a9bffa398c3281670e496f46
                                                                                                                                                      SHA256:8e1c67e8ed76591ed779773be365b2b66440d958f1bf3556d4512f71836c3d2f
                                                                                                                                                      SHA512:7c3017e263d812bac1ad57bf4ed4371fe7414cbde8af077e507811a9ce538d1fdbbb5d396f355792dae67cdf9c25e3b0128a036816d74a48ad68c62e5109054e
                                                                                                                                                      SSDEEP:24576:x6qt46zuDJ+ssHguZbtg2aLJ5eKSKmR9Fmt5J2NY9/:xZqARsV5VmFmzJ2M/
                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......D.................6..........>T... ...`....@.. ....................................`................................

                                                                                                                                                      File Icon

                                                                                                                                                      Icon Hash:00828e8e8686b000

                                                                                                                                                      Static PE Info

                                                                                                                                                      General

                                                                                                                                                      Entrypoint:0x54543e
                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                      Digitally signed:false
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                                                                      Time Stamp:0x44BFB5F9 [Thu Jul 20 16:57:29 2006 UTC]
                                                                                                                                                      TLS Callbacks:
                                                                                                                                                      CLR (.Net) Version:v4.0.30319
                                                                                                                                                      OS Version Major:4
                                                                                                                                                      OS Version Minor:0
                                                                                                                                                      File Version Major:4
                                                                                                                                                      File Version Minor:0
                                                                                                                                                      Subsystem Version Major:4
                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(followed by 97 repetitions of "add byte ptr [eax], al", the disassembly of opcode bytes 00 00, i.e. zero padding after the CLR entry stub)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1453e8         0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x146000         0x57e         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x148000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x143444      0x143600  False     0.594549520439   data       6.48837275355   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x146000         0x57e         0x600     False     0.413411458333   data       4.06590744193   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x148000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size   Type                                                                              Language  Country
RT_VERSION   0x1460a0  0x2f2  data
RT_MANIFEST  0x146394  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright
Assembly Version  1.0.7962.23557
InternalName      sis.exe
FileVersion       1.0.7962.23557
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion    1.0.7962.23557
FileDescription
OriginalFilename  sis.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                                                                      Oct 20, 2021 10:59:37.171025038 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.172091007 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.172171116 CEST49746443192.168.2.7142.250.203.100
                                                                                                                                                      Oct 20, 2021 10:59:37.172180891 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.173233032 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.173306942 CEST49746443192.168.2.7142.250.203.100
                                                                                                                                                      Oct 20, 2021 10:59:37.173319101 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.174330950 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.174401999 CEST49746443192.168.2.7142.250.203.100
                                                                                                                                                      Oct 20, 2021 10:59:37.174412966 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.175529003 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.175637007 CEST49746443192.168.2.7142.250.203.100
                                                                                                                                                      Oct 20, 2021 10:59:37.175649881 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.177524090 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.177668095 CEST49746443192.168.2.7142.250.203.100
                                                                                                                                                      Oct 20, 2021 10:59:37.177687883 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.178020954 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.178093910 CEST49746443192.168.2.7142.250.203.100
                                                                                                                                                      Oct 20, 2021 10:59:37.178107977 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.179058075 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.179160118 CEST49746443192.168.2.7142.250.203.100
                                                                                                                                                      Oct 20, 2021 10:59:37.179183006 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.180326939 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.180372953 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.180413008 CEST49746443192.168.2.7142.250.203.100
                                                                                                                                                      Oct 20, 2021 10:59:37.180429935 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.180469036 CEST44349746142.250.203.100192.168.2.7
                                                                                                                                                      Oct 20, 2021 10:59:37.180493116 CEST49746443192.168.2.7142.250.203.100
                                                                                                                                                      Oct 20, 2021 10:59:37.180567980 CEST49746443192.168.2.7142.250.203.100
                                                                                                                                                      Oct 20, 2021 10:59:37.738090992 CEST49746443192.168.2.7142.250.203.100

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Oct 20, 2021 10:59:36.521547079 CEST  53775        53         192.168.2.7  8.8.8.8
Oct 20, 2021 10:59:36.537841082 CEST  53           53775      8.8.8.8      192.168.2.7
Oct 20, 2021 11:00:04.501712084 CEST  54640        53         192.168.2.7  8.8.8.8
Oct 20, 2021 11:00:04.520045996 CEST  53           54640      8.8.8.8      192.168.2.7

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                     Type                  Class
Oct 20, 2021 10:59:36.521547079 CEST  192.168.2.7  8.8.8.8  0xec50    Standard query (0)  www.google.com           A (IP address)        IN (0x0001)
Oct 20, 2021 11:00:04.501712084 CEST  192.168.2.7  8.8.8.8  0x9dcd    Standard query (0)  114.82.9.0.in-addr.arpa  PTR (Pointer record)  IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code      Name                     CName  Address          Type                  Class
Oct 20, 2021 10:59:36.537841082 CEST  8.8.8.8    192.168.2.7  0xec50    No error (0)    www.google.com                  142.250.203.100  A (IP address)        IN (0x0001)
Oct 20, 2021 11:00:04.520045996 CEST  8.8.8.8    192.168.2.7  0x9dcd    Name error (3)  114.82.9.0.in-addr.arpa  none   none             PTR (Pointer record)  IN (0x0001)

HTTP Request Dependency Graph

• www.google.com

HTTPS Proxied Packets

Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
0           192.168.2.7  49746        142.250.203.100  443               C:\Users\user\Desktop\201021.exe

Timestamp                kBytes transferred  Direction  Data
2021-10-20 08:59:36 UTC  0                   OUT        GET / HTTP/1.1
                                                        Host: www.google.com
                                                        Connection: Keep-Alive
2021-10-20 08:59:37 UTC  0                   IN         HTTP/1.1 200 OK
                                                        Date: Wed, 20 Oct 2021 08:59:37 GMT
                                                        Expires: -1
                                                        Cache-Control: private, max-age=0
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                        Server: gws
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Set-Cookie: CONSENT=PENDING+698; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Connection: close
                                                        Transfer-Encoding: chunked
2021-10-20 08:59:37 UTC  0                   IN         Data Raw: 34 66 62 63 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 66 72 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c
                                                        Data Ascii: 4fbc<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="fr"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><
2021-10-20 08:59:37 UTC  1                   IN         Data Raw: 32 33 2c 31 37 37 37 2c 35 32 30 2c 31 34 36 37 30 2c 33 32 32 37 2c 34 31 39 2c 32 34 32 36 2c 39 2c 34 37 37 31 2c 37 35 38 31 2c 35 30 39 36 2c 31 36 33 32 30 2c 39 30 38 2c 32 2c 33 35 35 35 2c 33 37 38 34 2c 39 33 35 38 2c 33 2c 33 34 36 2c 32 33 30 2c 36 34 35 39 2c 31 34 39 2c 31 33 39 37 35 2c 31 2c 31 2c 32 2c 31 35 32 38 2c 32 33 30 34 2c 31 32 33 36 2c 35 32 32 36 2c 35 37 37 2c 34 36 38 33 2c 32 30 31 35 2c 31 31 35 30 31 2c 32 31 31 30 2c 31 37 31 34 2c 31 30 31 32 2c 32 30 33 38 2c 32 36 35 38 2c 37 33 35 36 2c 33 31 2c 35 36 31 36 2c 35 37 39 37 2c 32 32 31 35 2c 32 33 30 35 2c 36 33 39 2c 31 34 39 33 2c 31 36 37 38 36 2c 36 35 32 2c 35 31 37 35 2c 32 35 33 30 2c 39 39 32 2c 33 31 30 32 2c 31 37 2c 33 31 32 31 2c 36 2c 39 30 38 2c 33 2c 33
                                                        Data Ascii: 23,1777,520,14670,3227,419,2426,9,4771,7581,5096,16320,908,2,3555,3784,9358,3,346,230,6459,149,13975,1,1,2,1528,2304,1236,5226,577,4683,2015,11501,2110,1714,1012,2038,2658,7356,31,5616,5797,2215,2305,639,1493,16786,652,5175,2530,992,3102,17,3121,6,908,3,3
2021-10-20 08:59:37 UTC  2                   IN         Data Raw: 74 69 6f 6e 28 29 7b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 68 2c 6b 3d 5b 5d 3b 66 75 6e 63 74 69 6f 6e 20 6c 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 65 69 64 22 29 29 29 3b 29 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 72 65 74 75 72 6e 20 62 7c 7c 68 7d 66 75 6e 63 74 69 6f 6e 20 6d 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 6e 75 6c 6c 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 6c 65 69 64 22 29 29 29 3b 29 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 72 65 74 75 72 6e 20 62 7d 0a 66 75 6e 63 74 69 6f 6e 20 6e 28 61 2c
                                                        Data Ascii: tion(){var f=this||self;var h,k=[];function l(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||h}function m(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b}function n(a,
2021-10-20 08:59:37 UTC  3                   IN         Data Raw: 6e 28 29 7b 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 67 6f 6f 67 6c 65 2e 66 3d 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 73 75 62 6d 69 74 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 69 66 28 61 3d 62 2e 74 61 72 67 65 74 29 7b 76 61 72 20 63 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 73 75 62 6d 69 74 66 61 6c 73 65 22 29 3b 61 3d 22 31 22 3d 3d 3d 63 7c 7c 22 71 22 3d 3d 3d 63 26 26 21 61 2e 65 6c 65 6d 65 6e 74 73 2e 71 2e 76 61 6c 75 65 3f 21 30 3a 21 31 7d 65 6c 73 65 20 61 3d 21 31 3b 61 26 26 28 62 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 2c 62 2e 73 74 6f 70
                                                        Data Ascii: n(){};}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.target){var c=a.getAttribute("data-submitfalse");a="1"===c||"q"===c&&!a.elements.q.value?!0:!1}else a=!1;a&&(b.preventDefault(),b.stop
2021-10-20 08:59:37 UTC  5                   IN         Data Raw: 67 20 2e 67 62 74 63 62 7b 6c 65 66 74 3a 30 7d 2e 67 62 78 78 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 78 6f 7b 6f 70 61 63 69 74 79 3a 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 3b 74 6f 70 3a 2d 39 39 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 2d 31 70 78 20 31 70 78 20 31
                                                        Data Ascii: g .gbtcb{left:0}.gbxx{display:none !important}.gbxo{opacity:0 !important;filter:alpha(opacity=0) !important}.gbm{position:absolute;z-index:999;top:-999px;visibility:hidden;text-align:left;border:1px solid #bebebe;background:#fff;-moz-box-shadow:-1px 1px 1
2021-10-20 08:59:37 UTC  6                   IN         Data Raw: 6e 64 65 78 3a 32 3b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 67 62 74 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 74 6f 7b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70
                                                        Data Ascii: ndex:2;zoom:1}.gbt{position:relative;display:-moz-inline-box;display:inline-block;line-height:27px;padding:0;vertical-align:top}.gbt{*display:inline}.gbto{box-shadow:0 2px 4px rgba(0,0,0,.2);-moz-box-shadow:0 2px 4px rgba(0,0,0,.2);-webkit-box-shadow:0 2p
2021-10-20 08:59:37 UTC  7                   IN         Data Raw: 30 32 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 78 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 70 64 6a 73 20 2e 67 62 74 6f 20 2e 67 62 6d 7b 6d 69 6e 2d 77 69 64 74 68 3a 39 39 25 7d 2e 67 62 7a 30 6c 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 64 64 34 62 33 39 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 34 73 2c 23 67 62 69 34 73 31 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 23 67 62 67 36 2e 67 62 67 74 2d 68 76 72 2c 23 67 62 67 36 2e 67 62 67 74 3a 66 6f 63 75 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 61 63
                                                        Data Ascii: 02px;background-repeat:repeat-x;outline:none;text-decoration:none !important}.gbpdjs .gbto .gbm{min-width:99%}.gbz0l .gbtb2{border-top-color:#dd4b39!important}#gbi4s,#gbi4s1{font-weight:bold}#gbg6.gbgt-hvr,#gbg6.gbgt:focus{background-color:transparent;bac
2021-10-20 08:59:37 UTC  8                   IN         Data Raw: 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 39 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 33 36 63 20 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a
                                                        Data Ascii: :visited{color:#900 !important}.gbmt,.gbml1,.gbmlb,.gbmt:visited,.gbml1:visited,.gbmlb:visited{color:#36c !important;text-decoration:none !important}.gbmt,.gbmt:visited{display:block}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{display:inline-block;margin:
2021-10-20 08:59:37 UTC  10                  IN         Data Raw: 63 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 47 42 4d 43 43 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 2c 23 47 42 4d 50 41 4c 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 5c 30 41 5c 30 41 27 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 23 67 62 6d 70 73 7b 2a 7a 6f 6f 6d 3a 31 7d 23 67 62 64 34 20 2e 67 62 70 63 2c 23 67 62 6d 70 61 73 20 2e 67 62 6d 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 37 70 78 7d 23 67 62 64 34 20 2e 67 62 70 67 73 20 2e 67 62 6d 74 63 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 23 67 62 64 34 20 2e 67 62 6d 74 63 7b 62 6f 72 64 65 72 2d 62 6f
                                                        Data Ascii: c{padding:0;margin:0;line-height:27px}.GBMCC:last-child:after,#GBMPAL:last-child:after{content:'\0A\0A';white-space:pre;position:absolute}#gbmps{*zoom:1}#gbd4 .gbpc,#gbmpas .gbmt{line-height:17px}#gbd4 .gbpgs .gbmtc{line-height:27px}#gbd4 .gbmtc{border-bo
2021-10-20 08:59:37 UTC  11                  IN         Data Raw: 68 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 72 69 67 68 74 7d 23 67 62 6d 70 61 73 62 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 7d 23 67 62 6d 70 61 6c 20 2e 67 62 71 66 62 62 7b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 2e 67 62 70 30 20 2e 67 62 70 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 61 2e 67 62 69 62 61 7b 6d 61 72 67 69 6e 3a 38 70 78 20 32 30 70 78 20 31 30 70 78 7d 2e 67 62 6d 70 69 61 77 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 36 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 7d 2e 67 62 78 76 7b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 2e 67 62 6d 70 69 61 61 7b 64 69 73 70
                                                        Data Ascii: ht:0;text-align:right}#gbmpasb .gbps{color:#000}#gbmpal .gbqfbb{margin:0 20px}.gbp0 .gbps{*display:inline}a.gbiba{margin:8px 20px 10px}.gbmpiaw{display:inline-block;padding-right:10px;margin-bottom:6px;margin-top:10px}.gbxv{visibility:hidden}.gbmpiaa{disp
2021-10-20 08:59:37 UTC  12                  IN         Data Raw: 68 61 64 6f 77 3a 6e 6f 6e 65 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 2d 68 76 72 2c 2e 67 62 71 66 62 61 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 2e 67 62 71 66 62 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 2e 67 62 71 66 62 61 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 2e 67 62 71 66 62 62 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69
                                                        Data Ascii: hadow:none;box-shadow:none}.gbqfb-hvr,.gbqfba-hvr,.gbqfbb-hvr{-webkit-box-shadow:0 1px 1px rgba(0,0,0,.1);-moz-box-shadow:0 1px 1px rgba(0,0,0,.1);box-shadow:0 1px 1px rgba(0,0,0,.1)}.gbqfb::-moz-focus-inner,.gbqfba::-moz-focus-inner,.gbqfbb::-moz-focus-i
2021-10-20 08:59:37 UTC  14                  IN         Data Raw: 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 7d 2e 67 62 71 66 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 33 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20
                                                        Data Ascii: dient(top,#4d90fe,#357ae8);background-image:-o-linear-gradient(top,#4d90fe,#357ae8);background-image:linear-gradient(top,#4d90fe,#357ae8)}.gbqfb:active{background-color:inherit;-webkit-box-shadow:inset 0 1px 2px rgba(0, 0, 0, 0.3);-moz-box-shadow:inset 0
2021-10-20 08:59:37 UTC  15                  IN         Data Raw: 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 38 66 38 66 38 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 31 66 31 66 31 27 29 7d 2e 67 62 71 66 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 66 66 29 2c 74 6f 28 23 66 62 66 62 66 62 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 66 66 2c 23 66 62 66 62 66 62 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67
                                                        Data Ascii: icrosoft.gradient(startColorStr='#f8f8f8',EndColorStr='#f1f1f1')}.gbqfbb{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(#fff),to(#fbfbfb));background-image:-webkit-linear-gradient(top,#fff,#fbfbfb);background-imag
2021-10-20 08:59:37 UTC  16                  IN         Data Raw: 2c 2e 67 62 71 66 62 62 3a 61 63 74 69 76 65 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 0a 23 67 62 6d 70 61 73 7b 6d 61 78 2d 68 65 69 67 68 74 3a 32 32 30 70 78 7d 23 67 62 6d 6d 7b 6d 61 78 2d 68 65 69 67 68 74 3a 35 33 30 70 78 7d 2e 67 62 73 62 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 70
                                                                                                                                                      Data Ascii: ,.gbqfbb:active{-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}#gbmpas{max-height:220px}#gbmm{max-height:530px}.gbsb{-webkit-box-sizing:border-box;display:block;p
                                                                                                                                                      2021-10-20 08:59:37 UTC17INData Raw: 72 2d 73 74 6f 70 28 30 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 6c 65 66 74 20 74 6f 70 2c 66 72 6f 6d 28 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 29 2c 74 6f 28 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c
                                                                                                                                                      Data Ascii: r-stop(0,rgba(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));background:-webkit-gradient(linear,left bottom,left top,from(rgba(0,0,0,.2)),to(rgba(0,0,0,0)));background-image:-webkit-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,
                                                                                                                                                      2021-10-20 08:59:37 UTC19INData Raw: 63 6b 3b 6d 61 72 67 69 6e 3a 32 70 78 20 30 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 33 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 7d 2e 6c 73 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 66 39 66 61 3b 62 6f 72 64 65 72 3a 73 6f 6c 69 64 20 31 70 78 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 64 61 64 63 65 30 20 23 37 30 37 35 37 61 20 23 37 30 37 35 37 61 20 23 64 61 64 63 65 30 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 2e 6c 73 62 62 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 23 57 71 51 41 4e 62 20 61 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 30 20 31 32 70 78 7d 2e 6c 73 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 69 6d 61 67 65 73 2f 6e 61 76 5f 6c 6f 67 6f 32 32 39 2e 70 6e 67
                                                                                                                                                      Data Ascii: ck;margin:2px 0;margin-left:13px;font-size:11px}.lsbb{background:#f8f9fa;border:solid 1px;border-color:#dadce0 #70757a #70757a #dadce0;height:30px}.lsbb{display:block}#WqQANb a{display:inline-block;margin:0 12px}.lsb{background:url(/images/nav_logo229.png
                                                                                                                                                      2021-10-20 08:59:37 UTC20INData Raw: 72 28 30 2c 31 32 32 38 38 29 29 3b 61 3d 63 3b 6d 7c 7c 67 6f 6f 67 6c 65 2e 6c 6f 67 28 30 2c 22 22 2c 61 29 3b 72 65 74 75 72 6e 20 61 7d 3b 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 65 2c 6d 2c 64 29 7b 70 21 3d 3d 61 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 64 20 69 6e 73 74 61 6e 63 65 6f 66 20 45 72 72 6f 72 3f 64 3a 45 72 72 6f 72 28 61 29 2c 21 31 2c 76 6f 69 64 20 30 2c 21 31 2c 21 64 7c 7c 64 20 69 6e 73 74 61 6e 63 65 6f 66 20 53 79 6e 74 61 78 45 72 72 6f 72 3f 32 3a 30 29 3b 70 3d 6e 75 6c 6c 3b 6c 26 26 6e 3e 3d 6b 26 26 28 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 3d 6e 75 6c 6c 29 7d 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 0d 0a
                                                                                                                                                      Data Ascii: r(0,12288));a=c;m||google.log(0,"",a);return a};window.onerror=function(a,b,e,m,d){p!==a&&google.ml(d instanceof Error?d:Error(a),!1,void 0,!1,!d||d instanceof SyntaxError?2:0);p=null;l&&n>=k&&(window.onerror=null)};})();(function(){t
                                                                                                                                                      2021-10-20 08:59:37 UTC20INData Raw: 61 35 0d 0a 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 65 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 61 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 29 7b 64 3d 64 7c 7c 7b 7d 3b 64 2e 5f 73 6e 3d 5b 22 63 66 67 22 2c 62 2c 63 5d 2e 6a 6f 69 6e 28 22 2e 22 29 3b 0d 0a
                                                                                                                                                      Data Ascii: a5ry{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var e=this||self;var aa=function(a,b,c,d){d=d||{};d._sn=["cfg",b,c].join(".");
                                                                                                                                                      2021-10-20 08:59:37 UTC20INData Raw: 37 32 66 38 0d 0a 77 69 6e 64 6f 77 2e 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 61 2c 64 29 7d 3b 76 61 72 20 67 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3d 77 69 6e 64 6f 77 2e 67 62 61 72 7c 7c 7b 7d 2c 68 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 7c 7c 7b 7d 2c 62 61 3b 66 75 6e 63 74 69 6f 6e 20 5f 74 76 6e 28 61 2c 62 29 7b 61 3d 70 61 72 73 65 49 6e 74 28 61 2c 31 30 29 3b 72 65 74 75 72 6e 20 69 73 4e 61 4e 28 61 29 3f 62 3a 61 7d 66 75 6e 63 74 69 6f 6e 20 5f 74 76 66 28 61 2c 62 29 7b 61 3d 70 61 72 73 65 46 6c 6f 61 74 28 61 29 3b 72 65 74 75 72 6e 20 69 73 4e 61 4e 28 61 29 3f 62 3a 61 7d 66 75 6e 63 74 69 6f 6e 20 5f 74 76 76 28 61 29 7b 72 65 74 75 72 6e 21 21 61 7d 66 75 6e 63 74 69 6f 6e 20 70 28 61
                                                                                                                                                      Data Ascii: 72f8window.gbar.logger.ml(a,d)};var g=window.gbar=window.gbar||{},h=window.gbar.i=window.gbar.i||{},ba;function _tvn(a,b){a=parseInt(a,10);return isNaN(a)?b:a}function _tvf(a,b){a=parseFloat(a);return isNaN(a)?b:a}function _tvv(a){return!!a}function p(a
                                                                                                                                                      2021-10-20 08:59:37 UTC22INData Raw: 74 28 45 72 72 6f 72 28 22 42 75 6e 64 6c 65 20 6c 6f 61 64 20 66 61 69 6c 65 64 3a 20 6e 61 6d 65 3d 22 2b 28 62 7c 7c 22 55 4e 4b 22 29 2b 22 20 75 72 6c 3d 22 2b 61 29 29 7d 29 3b 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 6a 73 63 22 29 7c 7c 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 62 6f 64 79 22 29 5b 30 5d 7c 7c 0a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 63 29 7d 2c 44 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 28 63 3d 77 5b 62 5d 29 26 26 63 5b 30 5d 21 3d 61 3b 2b 2b 62 29 3b 21 63 7c 7c 63 5b 31 5d
                                                                                                                                                      Data Ascii: t(Error("Bundle load failed: name="+(b||"UNK")+" url="+a))});(document.getElementById("xjsc")||document.getElementsByTagName("body")[0]||document.getElementsByTagName("head")[0]).appendChild(c)},D=function(a){for(var b=0,c;(c=w[b])&&c[0]!=a;++b);!c||c[1]
                                                                                                                                                      2021-10-20 08:59:37 UTC23INData Raw: 47 6b 2d 73 69 4e 61 49 42 5a 4f 74 63 57 66 58 51 57 4b 64 54 70 51 2f 6d 3d 5f 5f 66 65 61 74 75 72 65 73 5f 5f 22 29 3b 47 2e 6d 73 3d 46 28 47 2e 6d 73 2c 22 68 74 74 70 73 3a 2f 2f 61 70 69 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 29 3b 47 2e 6d 3d 46 28 47 2e 6d 2c 22 22 29 3b 47 2e 6c 3d 46 28 47 2e 6c 2c 5b 5d 29 3b 47 2e 64 70 6f 3d 46 28 47 2e 64 70 6f 2c 22 22 29 3b 78 61 7c 7c 77 2e 70 75 73 68 28 5b 22 67 6c 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 67 6c 6d 5f 65 37 62 62 33 39 61 37 65 31 61 32 34 35 38 31 66 66 34 66 38 64 31 39 39 36 37 38 62 31 62 39 2e 6a 73 22 7d 5d 29 3b 76 61 72 20 45 61 3d 7b 70 75 3a 79 61 2c 73 68 3a 22 22 2c 73 69 3a 7a 61 2c 68 6c 3a 22 66 72 22 7d
                                                                                                                                                      Data Ascii: Gk-siNaIBZOtcWfXQWKdTpQ/m=__features__");G.ms=F(G.ms,"https://apis.google.com");G.m=F(G.m,"");G.l=F(G.l,[]);G.dpo=F(G.dpo,"");xa||w.push(["gl",{url:"//ssl.gstatic.com/gb/js/abc/glm_e7bb39a7e1a24581ff4f8d199678b1b9.js"}]);var Ea={pu:ya,sh:"",si:za,hl:"fr"}
                                                                                                                                                      2021-10-20 08:59:37 UTC24INData Raw: 6c 61 73 73 4e 61 6d 65 2b 3d 28 22 22 21 3d 63 3f 22 20 22 3a 22 22 29 2b 62 29 7d 2c 4b 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 73 3f 5c 5c 62 22 2b 62 2b 22 5c 5c 62 22 29 3b 63 26 26 63 2e 6d 61 74 63 68 28 62 29 26 26 28 61 2e 63 6c 61 73 73 4e 61 6d 65 3d 63 2e 72 65 70 6c 61 63 65 28 62 2c 22 22 29 29 7d 2c 48 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 62 22 2b 62 2b 22 5c 5c 62 22 29 3b 61 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 72 65 74 75 72 6e 21 28 21 61 7c 7c 21 61 2e 6d 61 74 63 68 28 62 29 29 7d 2c 4c 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 48 28 61 2c 62 29 3f 4b 28 61 2c 62 29
                                                                                                                                                      Data Ascii: lassName+=(""!=c?" ":"")+b)},K=function(a,b){var c=a.className;b=new RegExp("\\s?\\b"+b+"\\b");c&&c.match(b)&&(a.className=c.replace(b,""))},H=function(a,b){b=new RegExp("\\b"+b+"\\b");a=a.className;return!(!a||!a.match(b))},La=function(a,b){H(a,b)?K(a,b)
                                                                                                                                                      2021-10-20 08:59:37 UTC25INData Raw: 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 37 30 22 29 7d 2c 4c 3d 7b 7d 2c 4d 3d 7b 7d 2c 58 61 3d 7b 7d 2c 4e 3d 7b 7d 2c 4f 3d 76 6f 69 64 20 30 2c 62 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 72 79 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 22 29 3b 4a 28 63 2c 22 67 62 70 64 6a 73 22 29 3b 50 28 29 3b 59 61 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 22 29 29 26 26 4a 28 63 2c 22 67 62 72 74 6c 22 29 3b 69 66 28 62 26 26 62 2e 67 65 74 41 74 74 72 69 62 75 74 65 29 7b 76 61 72 20 64 3d 62 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 61 72 69 61 2d 6f 77 6e 73 22 29 3b 69 66 28 64 2e 6c 65 6e 67 74 68 29 7b 76 61
                                                                                                                                                      Data Ascii: ument.getElementById("gb_70")},L={},M={},Xa={},N={},O=void 0,bb=function(a,b){try{var c=document.getElementById("gb");J(c,"gbpdjs");P();Ya(document.getElementById("gb"))&&J(c,"gbrtl");if(b&&b.getAttribute){var d=b.getAttribute("aria-owns");if(d.length){va
                                                                                                                                                      2021-10-20 08:59:37 UTC27INData Raw: 29 7b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6d 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 5d 7c 7c 0a 6e 75 6c 6c 29 3b 66 3d 21 30 3b 62 72 65 61 6b 7d 7d 69 66 28 66 29 7b 69 66 28 64 2b 31 3c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 56 3d 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 2b 31 5d 3b 48 28 56 2e 66 69 72 73 74 43 68 69 6c 64 2c 22 67 62 6d 68 22 29 7c 7c 65 62 28 56 2c 45 29 7c 7c 28 6c 3d 64 2b 31 29 7d 65 6c 73 65 20 69 66 28 30 3c 3d 64 2d 31 29 7b 76 61 72 20 57 3d 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 2d 31 5d 3b 48 28 57 2e 66 69 72 73 74 43 68 69 6c 64 2c 22 67 62 6d 68 22 29 7c 7c 65 62 28 57 2c 45 29 7c 7c 28 6c 3d 64 29 7d 62 72 65 61 6b 7d 30 3c 64 26 26 64 2b 31 3c 6e 26 26 64 2b 2b 7d
                                                                                                                                                      Data Ascii: ){k.insertBefore(m,k.childNodes[d]||null);f=!0;break}}if(f){if(d+1<k.childNodes.length){var V=k.childNodes[d+1];H(V.firstChild,"gbmh")||eb(V,E)||(l=d+1)}else if(0<=d-1){var W=k.childNodes[d-1];H(W.firstChild,"gbmh")||eb(W,E)||(l=d)}break}0<d&&d+1<n&&d++}
                                                                                                                                                      2021-10-20 08:59:37 UTC28INData Raw: 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 4f 29 3b 62 26 26 28 71 62 28 62 2c 22 43 65 74 74 65 20 66 6f 6e 63 74 69 6f 6e 6e 61 6c 69 74 e9 20 6e 27 65 73 74 20 70 61 73 20 64 69 73 70 6f 6e 69 62 6c 65 20 61 63 74 75 65 6c 6c 65 6d 65 6e 74 2e 25 31 24 73 56 65 75 69 6c 6c 65 7a 20 72 e9 65 73 73 61 79 65 72 20 70 6c 75 73 20 74 61 72 64 2e 22 2c 22 25 31 24 73 22 29 2c 51 28 62 2c 21 30 29 29 7d 63 61 74 63 68 28 63 29 7b 72 28 63 2c 22 73 62 22 2c 22 73 64 68 65 22 29 7d 7d 2c 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 61 26 26 62 29 7b 76 61 72 20 64 3d 5a 61 28 61 29 3b 69 66 28 64 29 7b 69 66 28 63 29 7b 64 2e 74 65 78 74 43 6f 6e 74 65 6e 74 3d 22 22 3b 62 3d 62 2e 73 70 6c 69 74 28 63 29 3b 63 3d 30 3b 66 6f 72 28 76 61
                                                                                                                                                      Data Ascii: getElementById(O);b&&(qb(b,"Cette fonctionnalit n'est pas disponible actuellement.%1$sVeuillez ressayer plus tard.","%1$s"),Q(b,!0))}catch(c){r(c,"sb","sdhe")}},qb=function(a,b,c){if(a&&b){var d=Za(a);if(d){if(c){d.textContent="";b=b.split(c);c=0;for(va
                                                                                                                                                      2021-10-20 08:59:37 UTC29INData Raw: 2c 74 69 65 3a 68 2e 63 28 22 33 30 30 30 30 22 2c 30 29 7d 3b 76 2e 77 67 3d 78 62 3b 76 61 72 20 79 62 3d 7b 74 68 69 3a 68 2e 63 28 22 31 30 30 30 30 22 2c 30 29 2c 74 68 70 3a 68 2e 63 28 22 31 38 30 30 30 30 22 2c 30 29 2c 74 68 6f 3a 68 2e 63 28 22 35 30 30 30 22 2c 30 29 2c 74 65 74 3a 68 2e 62 28 22 30 2e 35 22 2c 30 29 7d 3b 76 2e 77 6d 3d 79 62 3b 69 66 28 68 2e 61 28 22 31 22 29 29 7b 76 61 72 20 7a 62 3d 68 2e 61 28 22 22 29 3b 77 2e 70 75 73 68 28 5b 22 67 63 22 2c 7b 61 75 74 6f 3a 7a 62 2c 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 67 63 69 5f 39 31 66 33 30 37 35 35 64 36 61 36 62 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38 32 34 2e 6a 73 22 2c 6c 69 62 73 3a 22 67 6f 6f 67 6c
                                                                                                                                                      Data Ascii: ,tie:h.c("30000",0)};v.wg=xb;var yb={thi:h.c("10000",0),thp:h.c("180000",0),tho:h.c("5000",0),tet:h.b("0.5",0)};v.wm=yb;if(h.a("1")){var zb=h.a("");w.push(["gc",{auto:zb,url:"//ssl.gstatic.com/gb/js/abc/gci_91f30755d6a6b787dcc2a4062e6e9824.js",libs:"googl
                                                                                                                                                      2021-10-20 08:59:37 UTC31INData Raw: 4f 62 3c 4b 62 26 26 28 4d 62 3d 21 30 29 3b 4f 62 3c 4c 62 26 26 28 4e 62 3d 21 30 29 7d 76 61 72 20 52 3d 6e 75 6c 6c 3b 0a 66 75 6e 63 74 69 6f 6e 20 50 62 28 61 2c 62 29 7b 76 61 72 20 63 3d 4b 62 2c 64 3d 4d 62 3b 76 61 72 20 66 3d 61 3b 69 66 28 21 52 29 7b 52 3d 7b 7d 3b 66 6f 72 28 76 61 72 20 6b 3d 30 3b 6b 3c 4a 62 2e 6c 65 6e 67 74 68 3b 6b 2b 2b 29 7b 76 61 72 20 6d 3d 4a 62 5b 6b 5d 3b 52 5b 6d 5d 3d 21 30 7d 7d 69 66 28 66 3d 21 21 52 5b 66 5d 29 63 3d 4c 62 2c 64 3d 4e 62 3b 69 66 28 64 29 7b 64 3d 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 3b 69 66 28 67 2e 72 70 29 7b 76 61 72 20 6e 3d 67 2e 72 70 28 29 3b 6e 3d 22 2d 31 22 21 3d 6e 3f 6e 3a 22 22 7d 65 6c 73 65 20 6e 3d 22 22 3b 66 3d 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74
                                                                                                                                                      Data Ascii: Ob<Kb&&(Mb=!0);Ob<Lb&&(Nb=!0)}var R=null;function Pb(a,b){var c=Kb,d=Mb;var f=a;if(!R){R={};for(var k=0;k<Jb.length;k++){var m=Jb[k];R[m]=!0}}if(f=!!R[f])c=Lb,d=Nb;if(d){d=encodeURIComponent;if(g.rp){var n=g.rp();n="-1"!=n?n:""}else n="";f=(new Date).get
                                                                                                                                                      2021-10-20 08:59:37 UTC32INData Raw: 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 32 34 22 2c 22 32 37 22 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 32 34 22 2c 22 32 37 22 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 32 34 22 7d 2c 59 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 28 61 3d 58 62 5b 61 5d 29 7c 7c 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 32 34 22 7d 2c 0a 5a 62
                                                                                                                                                      Data Ascii: sercontent.com/ogw/default-user=s24","27":"https://lh3.googleusercontent.com/ogw/default-user=s24","27":"https://lh3.googleusercontent.com/ogw/default-user=s24"},Yb=function(a){return(a=Xb[a])||"https://lh3.googleusercontent.com/ogw/default-user=s24"},Zb
                                                                                                                                                      2021-10-20 08:59:37 UTC33INData Raw: 63 3d 21 30 3b 66 6f 72 28 76 61 72 20 61 20 69 6e 20 53 29 66 6f 72 28 76 61 72 20 62 3d 53 5b 61 5d 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 74 72 79 7b 62 5b 63 5d 28 64 63 28 61 29 29 7d 63 61 74 63 68 28 64 29 7b 72 28 64 2c 22 75 70 22 2c 22 74 70 22 29 7d 7d 7d 63 61 74 63 68 28 64 29 7b 72 28 64 2c 22 75 70 22 2c 22 6d 74 70 22 29 7d 7d 2c 64 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 59 28 5b 32 5d 2c 22 73 73 70 22 29 29 7b 76 61 72 20 62 3d 21 61 63 5b 61 5d 3b 54 26 26 28 62 3d 62 26 26 21 21 54 5b 61 5d 29 3b 72 65 74 75 72 6e 20 62 7d 7d 3b 62 63 3d 21 31 3b 53 3d 7b 7d 3b 61 63 3d 7b 7d 3b 54 3d 6e 75 6c 6c 3b 58 3d 31 3b 0a 76 61 72 20 69 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 21 31 3b 74 72
                                                                                                                                                      Data Ascii: c=!0;for(var a in S)for(var b=S[a],c=0;c<b.length;c++)try{b[c](dc(a))}catch(d){r(d,"up","tp")}}}catch(d){r(d,"up","mtp")}},dc=function(a){if(Y([2],"ssp")){var b=!ac[a];T&&(b=b&&!!T[a]);return b}};bc=!1;S={};ac={};T=null;X=1;var ic=function(a){var b=!1;tr
                                                                                                                                                      2021-10-20 08:59:37 UTC34INData Raw: 63 6f 64 65 21 3d 44 4f 4d 45 78 63 65 70 74 69 6f 6e 2e 51 55 4f 54 41 5f 45 58 43 45 45 44 45 44 5f 45 52 52 26 26 72 28 66 2c 22 75 70 22 2c 22 67 63 63 22 29 7d 72 65 74 75 72 6e 2d 31 7d 3b 70 28 22 75 70 22 2c 7b 72 3a 65 63 2c 6e 61 70 3a 66 63 2c 61 6f 70 3a 67 63 2c 74 70 3a 68 63 2c 73 73 70 3a 64 63 2c 73 70 64 3a 6c 63 2c 67 70 64 3a 6d 63 2c 61 65 68 3a 6e 63 2c 61 61 6c 3a 6f 63 2c 67 63 63 3a 70 63 7d 29 3b 76 61 72 20 5a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5b 62 5d 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 76 61 72 20 64 3d 61 72 67 75 6d 65 6e 74 73 3b 67 2e 71 6d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5b 62 5d 2e 61 70 70 6c 79 28 74 68 69 73 2c 64 29 7d 29 7d 7d 3b 5a 28 67 2e 75 70 2c 22 73 6c 22 29 3b 5a 28 67 2e 75 70 2c 22
                                                                                                                                                      Data Ascii: code!=DOMException.QUOTA_EXCEEDED_ERR&&r(f,"up","gcc")}return-1};p("up",{r:ec,nap:fc,aop:gc,tp:hc,ssp:dc,spd:lc,gpd:mc,aeh:nc,aal:oc,gcc:pc});var Z=function(a,b){a[b]=function(c){var d=arguments;g.qm(function(){a[b].apply(this,d)})}};Z(g.up,"sl");Z(g.up,"
                                                                                                                                                      2021-10-20 08:59:37 UTC36INData Raw: 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 61 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 61 2e 6d 63 66 28 22 6d 6d 22 2c 7b 73 3a 22 31 22 7d 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66
                                                                                                                                                      Data Ascii: r.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var a=window.gbar;a.mcf("mm",{s:"1"});}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cf
                                                                                                                                                      2021-10-20 08:59:37 UTC37INData Raw: 52 41 22 2c 63 76 3a 22 34 30 33 38 35 38 36 35 37 22 2c 64 62 67 3a 64 28 22 22 29 2c 65 63 76 3a 22 30 22 2c 65 69 3a 65 28 22 65 64 70 76 59 59 43 6d 41 36 4f 7a 67 67 65 2d 6c 6f 61 59 42 77 22 29 2c 65 6c 65 3a 64 28 22 31 22 29 2c 65 73 72 3a 65 28 22 30 2e 31 22 29 2c 65 76 74 73 3a 5b 22 6d 6f 75 73 65 64 6f 77 6e 22 2c 22 74 6f 75 63 68 73 74 61 72 74 22 2c 22 74 6f 75 63 68 6d 6f 76 65 22 2c 22 77 68 65 65 6c 22 2c 22 6b 65 79 64 6f 77 6e 22 5d 2c 67 62 6c 3a 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 31 31 30 30 34 2e 30 5f 70 30 22 2c 68 64 3a 22 63 6f 6d 22 2c 68 6c 3a 22 66 72 22 2c 69 72 70 3a 64 28 22 22 29 2c 70 69 64 3a 65 28 22 31 22 29 2c 0a 73 6e 69 64 3a 65 28 22 32 38 38 33 34 22 29 2c 74 6f 3a 65 28 22 33 30 30 30 30 30
                                                                                                                                                      Data Ascii: RA",cv:"403858657",dbg:d(""),ecv:"0",ei:e("edpvYYCmA6Ozgge-loaYBw"),ele:d("1"),esr:e("0.1"),evts:["mousedown","touchstart","touchmove","wheel","keydown"],gbl:"es_plusone_gc_20211004.0_p0",hd:"com",hl:"fr",irp:d(""),pid:e("1"),snid:e("28834"),to:e("300000
                                                                                                                                                      2021-10-20 08:59:37 UTC38INData Raw: 7a 74 20 67 62 7a 30 6c 20 67 62 70 31 22 20 69 64 3d 67 62 5f 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 66 72 2f 77 65 62 68 70 3f 74 61 62 3d 77 77 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 52 65 63 68 65 72 63 68 65 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 32 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 66 72 2f 69 6d 67 68 70 3f 68 6c 3d 66 72 26 74 61 62 3d 77 69 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62
                                                                                                                                                      Data Ascii: zt gbz0l gbp1" id=gb_1 href="https://www.google.fr/webhp?tab=ww"><span class=gbtb2></span><span class=gbts>Recherche</span></a></li><li class=gbt><a class=gbzt id=gb_2 href="https://www.google.fr/imghp?hl=fr&tab=wi"><span class=gbtb2></span><span class=gb
                                                                                                                                                      2021-10-20 08:59:37 UTC39INData Raw: 61 6e 20 69 64 3d 67 62 7a 74 6d 73 20 63 6c 61 73 73 3d 22 67 62 74 73 20 67 62 74 73 61 22 3e 3c 73 70 61 6e 20 69 64 3d 67 62 7a 74 6d 73 31 3e 50 6c 75 73 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 6d 61 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 53 48 33 65 57 66 53 41 34 42 33 34 67 45 49 72 71 63 61 67 37 67 3d 3d 27 3e 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 67 62 7a 74 6d 27 29 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 74 67 28 65 76 65 6e 74 2c 74 68 69 73 29 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c
                                                                                                                                                      Data Ascii: an id=gbztms class="gbts gbtsa"><span id=gbztms1>Plus</span><span class=gbma></span></span></a><script nonce='SH3eWfSA4B34gEIrqcag7g=='>document.getElementById('gbztm').addEventListener('click', function clickHandler() { gbar.tg(event,this); });</script><
2021-10-20 08:59:37 UTC | #41 | IN | Data Raw: 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 3d 77 68 22 20 63 6c 61 73 73 3d 67 62 6d 74 3e 45 6e 63 6f 72 65 20 70 6c 75 73 20 26 72 61 71 75 6f 3b 3c 2f 61 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 53 48 33 65 57 66 53 41 34 42 33 34 67 45 49 72 71 63 61 67 37 67 3d 3d 27 3e 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 27 6c 69 20 3e 20 61 2e 67 62 6d 74 27 29 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 6c 6f 67 67 65 72 2e 69 6c 28 31 2c 7b 74 3a 36 36 7d 29 3b 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 73 62 74 3e 3c 2f
Data Ascii: bout/products?tab=wh" class=gbmt>Encore plus &raquo;</a><script nonce='SH3eWfSA4B34gEIrqcag7g=='>document.querySelector('li > a.gbmt').addEventListener('click', function clickHandler() { gbar.logger.il(1,{t:66});; });</script></li></ol><div class=gbsbt></
2021-10-20 08:59:37 UTC | #42 | IN | Data Raw: 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 6d 74 20 67 62 6d 68 22 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 6b 70 20 67 62 6d 74 63 22 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 66 72 2f 68 69 73 74 6f 72 79 2f 6f 70 74 6f 75 74 3f 68 6c 3d 66 72 22 3e 48 69 73 74 6f 72 69 71 75 65 20 57 65 62 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 78 33 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 78 34 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 53 48 33 65 57 66 53 41 34 42 33 34 67 45 49 72 71 63 61
Data Ascii: ><div class="gbmt gbmh"></div></li><li class="gbkp gbmtc"><a class=gbmt href="http://www.google.fr/history/optout?hl=fr">Historique Web</a></li></ol></div></div></li></ol></div></div><div id=gbx3></div><div id=gbx4></div><script nonce='SH3eWfSA4B34gEIrqca
2021-10-20 08:59:37 UTC | #43 | IN | Data Raw: 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 69 64 3d 22 74 73 75 69 64 31 22 20 76 61 6c 75 65 3d 22 4a 27 61 69 20 64 65 20 6c 61 20 63 68 61 6e 63 65 22 20 6e 61 6d 65 3d 22 62 74 6e 49 22 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 53 48 33 65 57 66 53 41 34 42 33 34 67 45 49 72 71 63 61 67 37 67 3d 3d 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 69 64 3d 27 74 73 75 69 64 31 27 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 69 64 29 2e 6f 6e 63 6c 69 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 20 28 74 68 69 73 2e 66 6f 72 6d 2e 71 2e 76 61 6c 75 65 29 7b 74 68 69 73 2e 63 68 65 63 6b 65 64 20 3d 20 31 3b 69 66 20 28 74 68 69 73 2e 66 6f 72 6d 2e
Data Ascii: <input class="lsb" id="tsuid1" value="J'ai de la chance" name="btnI" type="submit"><script nonce="SH3eWfSA4B34gEIrqcag7g==">(function(){var id='tsuid1';document.getElementById(id).onclick = function(){if (this.form.q.value){this.checked = 1;if (this.form.
2021-10-20 08:59:37 UTC | #45 | IN | Data Raw: 64 6c 65 2d 73 6c 6f 74 2d 70 72 6f 6d 6f 7b 66 6f 6e 74 2d 73 69 7a 65 3a 73 6d 61 6c 6c 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 33 32 70 78 7d 2e 73 7a 70 70 6d 64 62 59 75 74 74 5f 5f 6d 69 64 64 6c 65 2d 73 6c 6f 74 2d 70 72 6f 6d 6f 20 61 2e 5a 49 65 49 6c 62 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 2e 73 7a 70 70 6d 64 62 59 75 74 74 5f 5f 6d 69 64 64 6c 65 2d 73 6c 6f 74 2d 70 72 6f 6d 6f 20 69 6d 67 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 35 70 78 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 7d 3c 2f 73 74 79 6c 65 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 7a 70 70 6d 64 62 59 75 74 74 5f 5f 6d 69
Data Ascii: dle-slot-promo{font-size:small;margin-bottom:32px}.szppmdbYutt__middle-slot-promo a.ZIeIlb{display:inline-block;text-decoration:none}.szppmdbYutt__middle-slot-promo img{border:none;margin-right:5px;vertical-align:middle}</style><div class="szppmdbYutt__mi
2021-10-20 08:59:37 UTC | #46 | IN | Data Raw: 69 61 6c 69 74 e9 3c 2f 61 3e 20 2d 20 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 66 72 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 43 6f 6e 64 69 74 69 6f 6e 73 3c 2f 61 3e 3c 2f 70 3e 3c 2f 73 70 61 6e 3e 3c 2f 63 65 6e 74 65 72 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 53 48 33 65 57 66 53 41 34 42 33 34 67 45 49 72 71 63 61 67 37 67 3d 3d 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 63 64 6f 3d 7b 68 65 69 67 68 74 3a 37 35 37 2c 77 69 64 74 68 3a 31 34 34 30 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 61 3d 77 69 6e 64 6f 77 2e 69 6e 6e 65 72 57 69 64 74 68 2c 62 3d 77 69 6e 64 6f 77 2e 69 6e 6e 65 72 48 65 69 67 68 74 3b 69 66 28 21 61 7c 7c 21 62 29 7b 76 61 72 20 63 3d 77 69 6e
Data Ascii: ialit</a> - <a href="/intl/fr/policies/terms/">Conditions</a></p></span></center><script nonce="SH3eWfSA4B34gEIrqcag7g==">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=win
2021-10-20 08:59:37 UTC | #47 | IN | Data Raw: 72 79 7b 62 3d 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 28 22 67 6f 6f 67 23 68 74 6d 6c 22 2c 7b 63 72 65 61 74 65 48 54 4d 4c 3a 66 2c 63 72 65 61 74 65 53 63 72 69 70 74 3a 66 2c 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 3a 66 7d 29 7d 63 61 74 63 68 28 70 29 7b 65 2e 63 6f 6e 73 6f 6c 65 26 26 65 2e 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 70 2e 6d 65 73 73 61 67 65 29 7d 67 3d 62 7d 65 6c 73 65 20 67 3d 62 7d 61 3d 28 62 3d 67 29 3f 62 2e 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 28 61 29 3a 61 3b 61 3d 6e 65 77 20 6c 28 61 2c 68 29 3b 63 2e 73 72 63 3d 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 6c 26 26 61 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 3d 6c 3f 61 2e 67 3a 22 74 79 70 65 5f 65 72 72 6f 72 3a 54 72 75 73 74 65 64 52 65 73 6f 75 72 63
Data Ascii: ry{b=k.createPolicy("goog#html",{createHTML:f,createScript:f,createScriptURL:f})}catch(p){e.console&&e.console.error(p.message)}g=b}else g=b}a=(b=g)?b.createScriptURL(a):a;a=new l(a,h);c.src=a instanceof l&&a.constructor===l?a.g:"type_error:TrustedResourc
2021-10-20 08:59:37 UTC | #48 | IN | Data Raw: 6d 5c 78 32 32 3a 5c 78 32 32 45 73 73 61 79 65 7a 20 61 76 65 63 20 63 65 74 74 65 20 6f 72 74 68 6f 67 72 61 70 68 65 20 3a 5c 78 32 32 2c 5c 78 32 32 6c 63 6b 79 5c 78 32 32 3a 5c 78 32 32 4a 5c 5c 75 30 30 32 36 23 33 39 3b 61 69 20 64 65 20 6c 61 20 63 68 61 6e 63 65 5c 78 32 32 2c 5c 78 32 32 6c 6d 6c 5c 78 32 32 3a 5c 78 32 32 45 6e 20 73 61 76 6f 69 72 20 70 6c 75 73 5c 78 32 32 2c 5c 78 32 32 6f 73 6b 74 5c 78 32 32 3a 5c 78 32 32 4f 75 74 69 6c 73 20 64 65 20 73 61 69 73 69 65 5c 78 32 32 2c 5c 78 32 32 70 73 72 63 5c 78 32 32 3a 5c 78 32 32 43 65 74 74 65 20 73 75 67 67 65 73 74 69 6f 6e 20 61 20 62 69 65 6e 20 e9 74 e9 20 73 75 70 70 72 69 6d e9 65 20 64 65 20 76 6f 74 72 65 20 5c 5c 75 30 30 33 43 61 20 68 72 65 66 5c 78 33 64 5c 5c 5c 78 32
Data Ascii: m\x22:\x22Essayez avec cette orthographe :\x22,\x22lcky\x22:\x22J\\u0026#39;ai de la chance\x22,\x22lml\x22:\x22En savoir plus\x22,\x22oskt\x22:\x22Outils de saisie\x22,\x22psrc\x22:\x22Cette suggestion a bien t supprime de votre \\u003Ca href\x3d\\\x2
2021-10-20 08:59:37 UTC | #49 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 10:59:33
Start date: 20/10/2021
Path: C:\Users\user\Desktop\201021.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\201021.exe'
Imagebase: 0x3c0000
File size: 1327104 bytes
MD5 hash: FF59B59D6FB138BD3A588D89EA0FA1D7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 10:59:47
Start date: 20/10/2021
Path: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Imagebase: 0x880000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000002.406134139.0000000007D10000.00000004.00020000.sdmp, Author: Arnim Rupp
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.334186783.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.334186783.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.337600996.0000000007D10000.00000004.00020000.sdmp, Author: Arnim Rupp
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.337446969.0000000007CA0000.00000004.00020000.sdmp, Author: Arnim Rupp
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.344058983.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.344058983.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.341956541.0000000002DDA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.347217323.0000000007D10000.00000004.00020000.sdmp, Author: Arnim Rupp
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.401344855.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.401344855.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.347141160.0000000007CA0000.00000004.00020000.sdmp, Author: Arnim Rupp
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000002.406066723.0000000007CA0000.00000004.00020000.sdmp, Author: Arnim Rupp
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.334072591.0000000002DDA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.341915829.0000000002DCA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.341915829.0000000002DCA000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 11:00:09
Start date: 20/10/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.351623076.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 11:00:10
Start date: 20/10/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.341034426.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 11:00:14
Start date: 20/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1932
Imagebase: 0x180000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

Disassembly

Code Analysis
