Windows Analysis Report
LMSetup.exe

Overview

General Information

Sample Name: LMSetup.exe
Analysis ID: 562516
MD5: c915a8370a016f079adfea57cc00b46f
SHA1: 07b31c5bcad7bc0e9da24a46f180001709e1dbe5
SHA256: 315d36c57e181df7ee2730361847fb4311eef889df19c2ba8bd00759c46465e5

Detection

Score: 10
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Drops files with a non-matching file extension (content does not match file extension)
Searches for the Microsoft Outlook file path
PE file contains strange resources
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Cryptography

Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008DA0BB DecryptFileW, 0_2_008DA0BB
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008FFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 0_2_008FFA62
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008D9E9E DecryptFileW,DecryptFileW, 0_2_008D9E9E

Compliance

Source: LMSetup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\cs\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\da\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\de-de\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\el\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\en-gb\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\en-us\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\es-es\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\fi\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\fr-fr\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\hu\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\it-it\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\ja\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\nl-nl\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\no-no\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pl\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pt-br\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pt-pt\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\ru\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\sv-se\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\tr-tr\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\zh-cn\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\zh-tw\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\cs\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\da\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\de-de\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\en-gb\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\en-us\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\es-es\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\fi\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\fr-fr\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\hu\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\it-it\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\ja\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\nl-nl\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\no-no\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pl\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pt-br\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pt-pt\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\ru\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\sv-se\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\tr-tr\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\zh-cn\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\zh-tw\readme.txt
Source: LMSetup.exe Static PE information: certificate valid
Source: LMSetup.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\DependencyExtension\WixDependencyExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: LMSetup.exe
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUtilExtension\WixUtilExtension.pdb| source: dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixIIsExtension\WixIIsExtension.pdb source: dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixVSExtension\WixVSExtension.pdb source: dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixGamingExtension\WixGamingExtension.pdb source: dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: pdbaMicrosoft.Tools.WindowsInstallerXml.Xsd.pdbs.xsdUhttp://schemas.microsoft.com/wix/2006/pdbs source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_Resolver\vs12\bin\Release\Win32\JBM_Resolver_vs12.pdb,, source: JBM_Resolver_vs12.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUIExtension\WixUIExtension.pdbL source: dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixGamingExtension\WixGamingExtension.pdb( source: dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\dark\dark.pdb source: dark.exe, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: Microsoft.Tools.WindowsInstallerXml.Xsd.pdbs.xsd source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixNetfxExtension\WixNetFxExtension.pdb source: dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixHttpExtension\WixHttpExtension.pdb source: dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, WixHttpExtension.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\wix\wix.pdb source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixIIsExtension\WixIIsExtension.pdbt source: dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixDifxAppExtension\WixDifxAppExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\Installer\FWWindowNative\bin\Release\Win32\FWWindowNative.pdb source: FWWindowNative.dll.5.dr
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_User\vs12\bin\Release\Win32\JBM_User_vs12.pdb source: u20.24.dr, JBM_User_vs12.dll.5.dr
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_SNMP\vs12\bin\Release\Win32\JBM_SNMP_vs12.pdb source: JBM_SNMP_vs12.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixFirewallExtension\WixFirewallExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, WixFirewallExtension.dll.5.dr, u36.24.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixDirectXExtension\WixDirectXExtension.pdb source: dark.exe, u35.24.dr
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_Resolver\vs12\bin\Release\Win32\JBM_Resolver_vs12.pdb source: JBM_Resolver_vs12.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixSqlExtension\WixSqlExtension.pdb source: dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\winterop.pdb source: dark.exe, 00000018.00000002.559615278.000000006FF45000.00000002.00000001.01000000.0000002B.sdmp, winterop.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUtilExtension\WixUtilExtension.pdb source: dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_SNMP\vs12\bin\Release\Win32\JBM_SNMP_vs12.pdbSS source: JBM_SNMP_vs12.dll.5.dr
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\Installer\vs\JBM_RAF_Static\bin\Release\Win32\JBM_RAF_Static.pdb source: JBM_RAF_Static.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\wix\wix.pdbh source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUIExtension\WixUIExtension.pdb source: dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_00904440 FindFirstFileW,FindClose, 0_2_00904440
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008F7B87 FindFirstFileExW, 0_2_008F7B87
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008D9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_008D9B43
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008C3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_008C3CC4
Source: LMSetup.exe String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: LMSetup.exe String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp String found in binary or memory: http://appsyndication.org/schemas/appsyn5rss/channel/as:applicationKDid
Source: LMSetup.exe, 00000005.00000003.406860034.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.407217388.000000000A46F000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.407122395.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.407017293.000000000A46F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.wikipqxg
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: dark.exe String found in binary or memory: http://schemas.m
Source: dark.exe String found in binary or memory: http://schemas.micro
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: dark.exe String found in binary or memory: http://wixtoolset.org
Source: dark.exe String found in binary or memory: http://wixtoolset.org/
Source: dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp, dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp, dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp, dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp, dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp, dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp, dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp, WixHttpExtension.dll.5.dr, WixFirewallExtension.dll.5.dr, u36.24.dr, u35.24.dr String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: u32.24.dr String found in binary or memory: http://wixtoolset.org/documentation/error217/
Source: dark.exe, dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp, dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp, dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp, dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp, dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp, dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp, dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp, WixHttpExtension.dll.5.dr, WixFirewallExtension.dll.5.dr, u36.24.dr, u35.24.dr, u32.24.dr String found in binary or memory: http://wixtoolset.org/news/
Source: dark.exe, dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp, dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp, dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp, WixFirewallExtension.dll.5.dr, u36.24.dr, u35.24.dr String found in binary or memory: http://wixtoolset.org/releases/
Source: dark.exe String found in binary or memory: http://wixtoolset.org/releases/feed/v3.11
Source: dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp String found in binary or memory: http://wixtoolset.org/releases/sMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.vs.xsd
Source: dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp String found in binary or memory: http://wixtoolset.org/releases/uMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.iis.xsd
Source: dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp String found in binary or memory: http://wixtoolset.org/releases/uMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.sql.xsd
Source: dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, WixHttpExtension.dll.5.dr String found in binary or memory: http://wixtoolset.org/releases/wMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.http.xsd
Source: dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp String found in binary or memory: http://wixtoolset.org/releases/yMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.netfx.xsd
Source: dark.exe String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: LMSetup.exe, 00000005.00000003.410864207.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LMSetup.exe, 00000005.00000003.429990990.0000000005323000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: LMSetup.exe, 00000005.00000003.425385234.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.431133719.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446818415.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.430983857.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446748903.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.431274097.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446576344.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.430825935.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424486510.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446492562.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.425763015.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446371295.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426162319.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446234440.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.425962737.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: LMSetup.exe, 00000005.00000003.425570469.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426981530.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers)
Source: LMSetup.exe, 00000005.00000003.424339254.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424486510.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: LMSetup.exe, 00000005.00000003.428860600.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: LMSetup.exe, 00000005.00000003.429383019.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.428860600.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.429182478.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.429027170.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlD
Source: LMSetup.exe, 00000005.00000003.426859603.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426981530.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.427118337.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmloW~
Source: LMSetup.exe, 00000005.00000003.429383019.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers2
Source: LMSetup.exe, 00000005.00000003.429567950.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers:
Source: LMSetup.exe, 00000005.00000003.430983857.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.430825935.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: LMSetup.exe, 00000005.00000003.431133719.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersA
Source: LMSetup.exe, 00000005.00000003.424621358.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersDC
Source: LMSetup.exe, 00000005.00000003.429567950.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersJ
Source: LMSetup.exe, 00000005.00000003.446371295.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersS
Source: LMSetup.exe, 00000005.00000003.446234440.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersUK
Source: LMSetup.exe, 00000005.00000003.431133719.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.431274097.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersb
Source: LMSetup.exe, 00000005.00000003.424621358.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424738869.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424486510.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersd
Source: LMSetup.exe, 00000005.00000003.425763015.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426162319.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.425962737.000000000A46B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersl1
Source: LMSetup.exe, 00000005.00000003.429990990.0000000005323000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalsFT
Source: LMSetup.exe, 00000005.00000003.429990990.0000000005323000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comitudi
Source: LMSetup.exe, 00000005.00000003.428643198.0000000005323000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comp
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: dark.exe, 00000018.00000002.555816779.000000000129B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: LMSetup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Users\user\Desktop\LMSetup.exe File created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008F001D 0_2_008F001D
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008E41EA 0_2_008E41EA
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008C62AA 0_2_008C62AA
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008F03D5 0_2_008F03D5
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008EC332 0_2_008EC332
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008FA560 0_2_008FA560
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008F07AA 0_2_008F07AA
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008CA8F1 0_2_008CA8F1
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008FAA0E 0_2_008FAA0E
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008EFB89 0_2_008EFB89
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008F0B6F 0_2_008F0B6F
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008F2C18 0_2_008F2C18
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008F2E47 0_2_008F2E47
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008FEE7C 0_2_008FEE7C
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2FF437 5_3_0A2FF437
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A302A12 5_3_0A302A12
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2FBC12 5_3_0A2FBC12
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A301070 5_3_0A301070
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A302C7A 5_3_0A302C7A
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A308455 5_3_0A308455
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2FF2B7 5_3_0A2FF2B7
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A305493 5_3_0A305493
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A305CD3 5_3_0A305CD3
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A308537 5_3_0A308537
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2FA93B 5_3_0A2FA93B
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2FE173 5_3_0A2FE173
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A300FBA 5_3_0A300FBA
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2FFFBB 5_3_0A2FFFBB
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2F3186 5_3_0A2F3186
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A30239A 5_3_0A30239A
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2FD1FA 5_3_0A2FD1FA
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A3033D7 5_3_0A3033D7
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A303FC1 5_3_0A303FC1
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A303A24 5_3_0A303A24
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2FED17 5_3_0A2FED17
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2FD05A 5_3_0A2FD05A
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Code function: 24_2_02EF407F 24_2_02EF407F
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Code function: 24_2_02EF42F6 24_2_02EF42F6
Source: C:\Users\user\Desktop\LMSetup.exe Code function: String function: 008C1F13 appears 54 times
Source: C:\Users\user\Desktop\LMSetup.exe Code function: String function: 00900237 appears 683 times
Source: C:\Users\user\Desktop\LMSetup.exe Code function: String function: 008C3821 appears 501 times
Source: C:\Users\user\Desktop\LMSetup.exe Code function: String function: 00900726 appears 34 times
Source: C:\Users\user\Desktop\LMSetup.exe Code function: String function: 009032F3 appears 83 times
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Process Stats: CPU usage > 98%
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: LMSetup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LMSetup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LMSetup.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LMSetup.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WixDependencyExtension.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WixDirectXExtension.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WixFirewallExtension.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WixGamingExtension.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WixHttpExtension.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WixSqlExtension.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LMSetup.exe File read: C:\Users\user\Desktop\LMSetup.exe
Source: LMSetup.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LMSetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\LMSetup.exe "C:\Users\user\Desktop\LMSetup.exe"
Source: C:\Users\user\Desktop\LMSetup.exe Process created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe "C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe" -burn.clean.room="C:\Users\user\Desktop\LMSetup.exe" -burn.filehandle.attached=556 -burn.filehandle.self=576
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba"
Source: C:\Users\user\Desktop\LMSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008C45EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 0_2_008C45EE
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Users\user\AppData\Local\Lenovo\
Source: classification engine Classification label: clean10.evad.winEXE@8/221@0/0
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_0090304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess, 0_2_0090304F
Source: WixUtilExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/PayloadHarvester.cs Suspicious method names: Microsoft.Tools.WindowsInstallerXml.Serialize.Fragment[] Microsoft.Tools.WindowsInstallerXml.Extensions.PayloadHarvester::Harvest(System.String)
Source: WixUtilExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/PayloadHarvester.cs Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Extensions.PayloadHarvester::.ctor()
Source: WixUtilExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/PayloadHarvester.cs Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Extensions.PayloadHarvester::set_SetUniqueIdentifiers(System.Boolean)
Source: WixUtilExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/PayloadHarvester.cs Suspicious method names: System.Boolean Microsoft.Tools.WindowsInstallerXml.Extensions.PayloadHarvester::get_SetUniqueIdentifiers()
Source: WixUtilExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/PayloadHarvester.cs Suspicious method names: Microsoft.Tools.WindowsInstallerXml.Serialize.RemotePayload Microsoft.Tools.WindowsInstallerXml.Extensions.PayloadHarvester::HarvestRemotePayload(System.String)
Source: WixVSExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/VSProjectHarvester.cs Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Extensions.VSProjectHarvester::HarvestProjectOutputGroupPayloadFile(System.String,System.String,System.String,System.String,System.String,System.String,System.String,Microsoft.Tools.WindowsInstallerXml.Serialize.IParentElement,Microsoft.Tools.WindowsInstallerXml.Serialize.Payload,System.Collections.Generic.Dictionary`2<System.String,System.Boolean>)
Source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr Binary or memory string: SELECT `Component_` FROM `FeatureComponents` WHERE `Feature_` = ?iSELECT `FileSize` FROM `File` WHERE `Component_` = ?/SELECT * FROM `Feature`;SELECT `Cabinet` FROM `Media`
Source: WixGamingExtension.dll.5.dr, Tools.WindowsInstallerXml/Extensions/GamingCompiler.cs Task registration methods: 'CreateTaskDirectoryRow', 'CreateTaskRootDirectoryCustomActions'
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008FFE21 FormatMessageW,GetLastError,LocalFree, 0_2_008FFE21
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008E6B88 ChangeServiceConfigW,GetLastError, 0_2_008E6B88
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_01
Source: C:\Users\user\Desktop\LMSetup.exe Command line argument: cabinet.dll 0_2_008C1070
Source: C:\Users\user\Desktop\LMSetup.exe Command line argument: msi.dll 0_2_008C1070
Source: C:\Users\user\Desktop\LMSetup.exe Command line argument: version.dll 0_2_008C1070
Source: C:\Users\user\Desktop\LMSetup.exe Command line argument: wininet.dll 0_2_008C1070
Source: C:\Users\user\Desktop\LMSetup.exe Command line argument: comres.dll 0_2_008C1070
Source: C:\Users\user\Desktop\LMSetup.exe Command line argument: clbcatq.dll 0_2_008C1070
Source: C:\Users\user\Desktop\LMSetup.exe Command line argument: msasn1.dll 0_2_008C1070
Source: C:\Users\user\Desktop\LMSetup.exe Command line argument: crypt32.dll 0_2_008C1070
Source: C:\Users\user\Desktop\LMSetup.exe Command line argument: feclient.dll 0_2_008C1070
Source: C:\Users\user\Desktop\LMSetup.exe Command line argument: cabinet.dll 0_2_008C1070
Source: LMSetup.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: dark.exe String found in binary or memory: ath> -xo output wixout instead of WiX source code (mandatory for transforms and patches) -? | -help this help information Environment variables: WIX_TEMP overrides the temporary directory used for cab extraction, binary e
Source: dark.exe String found in binary or memory: b\DependencyExtension_x86.wxs*7"><field>WixAction</field><field>InstallExecuteSequence/InstallInitialize</field></row><row sourceLineNumber="C:\agent\_work\8\s\src\ext\DependencyExtension\wixlib\DependencyExtension_Platform.wxi*20|C:\agent\_work\8\s\src\ext\De
Source: dark.exe String found in binary or memory: lib\DirectXExtension.wxs*17"><field>CustomAction</field><field>WixQueryDirectXCaps</field></row><row sourceLineNumber="C:\agent\_work\8\s\src\ext\DirectXExtension\wixlib\DirectXExtension.wxs*17"><field>WixAction</field><field>InstallUISequence/LaunchConditions
Source: dark.exe String found in binary or memory: xtension.wxs*21"><field>WixAction</field><field>InstallExecuteSequence/LaunchConditions</field></row></table></section><section type="fragment" xmlns="http://schemas.microsoft.com/wix/2006/objects"><table name="Property"><row sourceLineNumber="C:\agent\_work\8
Source: LMSetup.exe String found in binary or memory: InstallerPackages/installer/installer.zipd
Source: LMSetup.exe String found in binary or memory: )InstallerPackages/installer/installer.zipd
Source: LMSetup.exe Static file information: File size 49224728 > 1048576
Source: LMSetup.exe Static PE information: certificate valid
Source: LMSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LMSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LMSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LMSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LMSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LMSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: LMSetup.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\DependencyExtension\WixDependencyExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: LMSetup.exe
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUtilExtension\WixUtilExtension.pdb| source: dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixIIsExtension\WixIIsExtension.pdb source: dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixVSExtension\WixVSExtension.pdb source: dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixGamingExtension\WixGamingExtension.pdb source: dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: pdbaMicrosoft.Tools.WindowsInstallerXml.Xsd.pdbs.xsdUhttp://schemas.microsoft.com/wix/2006/pdbs source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_Resolver\vs12\bin\Release\Win32\JBM_Resolver_vs12.pdb,, source: JBM_Resolver_vs12.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUIExtension\WixUIExtension.pdbL source: dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixGamingExtension\WixGamingExtension.pdb( source: dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\dark\dark.pdb source: dark.exe, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: Microsoft.Tools.WindowsInstallerXml.Xsd.pdbs.xsd source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixNetfxExtension\WixNetFxExtension.pdb source: dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixHttpExtension\WixHttpExtension.pdb source: dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, WixHttpExtension.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\wix\wix.pdb source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixIIsExtension\WixIIsExtension.pdbt source: dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixDifxAppExtension\WixDifxAppExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\Installer\FWWindowNative\bin\Release\Win32\FWWindowNative.pdb source: FWWindowNative.dll.5.dr
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_User\vs12\bin\Release\Win32\JBM_User_vs12.pdb source: u20.24.dr, JBM_User_vs12.dll.5.dr
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_SNMP\vs12\bin\Release\Win32\JBM_SNMP_vs12.pdb source: JBM_SNMP_vs12.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixFirewallExtension\WixFirewallExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, WixFirewallExtension.dll.5.dr, u36.24.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixDirectXExtension\WixDirectXExtension.pdb source: dark.exe, u35.24.dr
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_Resolver\vs12\bin\Release\Win32\JBM_Resolver_vs12.pdb source: JBM_Resolver_vs12.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixSqlExtension\WixSqlExtension.pdb source: dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\winterop.pdb source: dark.exe, 00000018.00000002.559615278.000000006FF45000.00000002.00000001.01000000.0000002B.sdmp, winterop.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUtilExtension\WixUtilExtension.pdb source: dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_SNMP\vs12\bin\Release\Win32\JBM_SNMP_vs12.pdbSS source: JBM_SNMP_vs12.dll.5.dr
Source: Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\Installer\vs\JBM_RAF_Static\bin\Release\Win32\JBM_RAF_Static.pdb source: JBM_RAF_Static.dll.5.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\wix\wix.pdbh source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUIExtension\WixUIExtension.pdb source: dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp
Source: LMSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LMSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LMSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LMSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LMSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008EEAD6 push ecx; ret 0_2_008EEAE9
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Code function: 5_3_0A2F9002 push eax; ret 5_3_0A2F9011
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Code function: 24_2_02EA5360 push ecx; iretd 24_2_02EA5369
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Code function: 24_2_02F0A4A3 push esi; ret 24_2_02F0A4A5
Source: LMSetup.exe Static PE information: section name: .wixburn
Source: LMSetup.exe.0.dr Static PE information: section name: .wixburn
Source: vccorlib110.dll.5.dr Static PE information: section name: minATL
Source: initial sample Static PE information: section name: .text entropy: 6.92420163356
Source: initial sample Static PE information: section name: .text entropy: 7.38047865037
Source: initial sample Static PE information: section name: .text entropy: 7.81678730261
Source: initial sample Static PE information: section name: .text entropy: 7.52939429346
Source: initial sample Static PE information: section name: .text entropy: 7.60824281471
Source: initial sample Static PE information: section name: .text entropy: 7.58506941708
Source: initial sample Static PE information: section name: .text entropy: 7.49615358644
Source: initial sample Static PE information: section name: .text entropy: 7.83645052643
Source: initial sample Static PE information: section name: .text entropy: 7.44554243282
Source: initial sample Static PE information: section name: .text entropy: 7.59436656349

Persistence and Installation Behavior

Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u17
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u18
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u19
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u20
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u21
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u22
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u23
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u28
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u30
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u31
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u32
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u33
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u34
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u35
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u36
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u37
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u38
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u39
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u40
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u41
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u42
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u43
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u44
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u0
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u2
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u5
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u6
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u7
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u9
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u10
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u11
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u12
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u13
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u14
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u15
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u16
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\FWWindowNative.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_StateMachine_vs12.dll
Source: C:\Users\user\Desktop\LMSetup.exe File created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDifxAppExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_InstallerUtils_Static.dll Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u9 Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_AppConfig_vs12.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_User_vs12.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\FW5FWSDK_Net45_vs12.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Resolver_vs12.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_PluginCache_vs12.dll Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u30 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u31 Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUtilExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixFirewallExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u28 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u21 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u22 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u23 Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_SNMP_vs12.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDirectXExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\msvcr110.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\msvcp110.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixIIsExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\vccorlib110.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDependencyExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u20 Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_System_vs12.dll Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u14 Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_RAF_Static.dll Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u15 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u16 Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixGamingExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u17 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u10 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u11 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u12 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u13 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u18 Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\wix.dll Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u19 Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\TAPToaster.exe Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixVSExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixSqlExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\winterop.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Propertybag_vs12.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixHttpExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Encryption_vs12.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUIExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Locale_vs12.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixNetFxExtension.dll Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u43 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u44 Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\TAPInstallerNative.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\FW5JCore_vs12_x86.dll Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_WixInstaller_Static.dll Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u0 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u40 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u41 Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u42 Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\cs\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\da\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\de-de\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\el\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\en-gb\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\en-us\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\es-es\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\fi\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\fr-fr\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\hu\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\it-it\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\ja\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\nl-nl\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\no-no\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pl\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pt-br\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pt-pt\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\ru\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\sv-se\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\tr-tr\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\zh-cn\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\zh-tw\license.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\cs\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\da\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\de-de\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\en-gb\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\en-us\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\es-es\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\fi\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\fr-fr\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\hu\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\it-it\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\ja\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\nl-nl\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\no-no\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pl\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pt-br\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pt-pt\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\ru\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\sv-se\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\tr-tr\readme.txt
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\zh-cn\readme.txt Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\zh-tw\readme.txt Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u36
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u37
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u7
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u38
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u6
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u39
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u5
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u32
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u33
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u34
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u35
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDifxAppExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u9
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u30
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u31
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUtilExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixFirewallExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u28
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u21
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u22
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u23
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDirectXExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixIIsExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\vccorlib110.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u20
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDependencyExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u14
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u15
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u16
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixGamingExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u17
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u10
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u11
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u12
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u13
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u18
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\wix.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u19
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\TAPToaster.exe
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixVSExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixSqlExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixHttpExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUIExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixNetFxExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u43
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u44
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u0
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u40
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u41
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u42
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008FFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 008FFF61h 0_2_008FFEC6
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008FFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 008FFF5Ah 0_2_008FFEC6
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Memory allocated: 4750000 memory reserve | memory write watch
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Memory allocated: 3B50000 memory reserve | memory write watch
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Memory allocated: 53D0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Memory allocated: 5550000 memory commit | memory reserve | memory write watch
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Memory allocated: 5570000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\LMSetup.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LMSetup.exe API coverage: 10.0 %
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_009097A5 VirtualQuery,GetSystemInfo, 0_2_009097A5
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_00904440 FindFirstFileW,FindClose, 0_2_00904440
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008F7B87 FindFirstFileExW, 0_2_008F7B87
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008D9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_008D9B43
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008C3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_008C3CC4
Source: C:\Users\user\Desktop\LMSetup.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008EE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008EE88A
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008C394F GetProcessHeap,RtlAllocateHeap, 0_2_008C394F
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008F48D8 mov eax, dword ptr fs:[00000030h] 0_2_008F48D8
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008EE9DC SetUnhandledExceptionFilter, 0_2_008EE9DC
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008EE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_008EE3D8
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008F3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008F3C76

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LMSetup.exe Process created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe "C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe" -burn.clean.room="C:\Users\user\Desktop\LMSetup.exe" -burn.filehandle.attached=556 -burn.filehandle.self=576
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba"
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_00901719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree, 0_2_00901719
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_00903A5F AllocateAndInitializeSid,CheckTokenMembership, 0_2_00903A5F

Language, Device and Operating System Detection

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\wix.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDifxAppExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDependencyExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDirectXExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixFirewallExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixGamingExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixHttpExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixIIsExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixNetFxExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixSqlExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUIExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUtilExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixVSExtension.dll VolumeInformation
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008EEC07 cpuid 0_2_008EEC07
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008D4EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree, 0_2_008D4EDF
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008C6037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError, 0_2_008C6037
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_0090887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime, 0_2_0090887B
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008C5195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize, 0_2_008C5195
Source: C:\Users\user\Desktop\LMSetup.exe Code function: 0_2_008C61DF GetUserNameW,GetLastError, 0_2_008C61DF
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE
No contacted IP infos