Windows Analysis Report
B35@6B.exe

Overview

General Information

Sample Name: B35@6B.exe
Analysis ID: 672480
MD5: 6753a24ed2a75dbd488c0a1783f03d05
SHA1: 70c061619c4ebbbb111923257e76cd3cef5b3618
SHA256: a9b46ddb3ed98e2ca5e71253a69f686e1f618f724821eb98b52b812844117f33
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Drops executable to a common third party application directory
Machine Learning detection for sample
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to detect virtual machines (SGDT)

Classification

AV Detection

Source: B35@6B.exe Virustotal: Detection: 45%
Source: B35@6B.exe ReversingLabs: Detection: 46%
Source: B35@6B.exe Joe Sandbox ML: detected
Source: 0.2.B35@6B.exe.4be84c2.6.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}
Source: B35@6B.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.250.185.132:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.132:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: B35@6B.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: Acrobat.exe, 0000000E.00000002.468247784.00000000007C2000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe, 00000010.00000000.481629339.0000000000D02000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe.10.dr
Source: Binary string: InstallUtil.pdb source: Acrobat.exe, 0000000E.00000002.468247784.00000000007C2000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe, 00000010.00000000.481629339.0000000000D02000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe.10.dr
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 192.185.37.183 192.185.37.183
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: InstallUtil.exe, 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: InstallUtil.exe, 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://OKJTye.com
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: InstallUtil.exe, 0000000A.00000002.517031388.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.512386843.0000000002972000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: InstallUtil.exe, 0000000A.00000003.495487980.0000000005BC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: InstallUtil.exe, 0000000A.00000003.495487980.0000000005BC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: InstallUtil.exe, 0000000A.00000003.495487980.0000000005BC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: InstallUtil.exe, 0000000A.00000003.495487980.0000000005BC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: InstallUtil.exe, 0000000A.00000003.495487980.0000000005BC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: InstallUtil.exe, 0000000A.00000003.496726197.0000000005BD6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516627598.0000000005BD6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: InstallUtil.exe, 0000000A.00000003.496726197.0000000005BD6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516627598.0000000005BD6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: InstallUtil.exe, 0000000A.00000003.495723205.000000000636F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: InstallUtil.exe, 0000000A.00000002.517031388.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516809161.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.512386843.0000000002972000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: InstallUtil.exe, 0000000A.00000002.517031388.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.512386843.0000000002972000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: InstallUtil.exe, 0000000A.00000003.495723205.000000000636F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: B35@6B.exe, 00000000.00000002.288212710.0000000001425000.00000004.00000020.00020000.00000000.sdmp, pot.exe, 00000001.00000002.429076060.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: InstallUtil.exe, 0000000A.00000002.517031388.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.512386843.0000000002972000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: InstallUtil.exe, 0000000A.00000003.494409848.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496795773.0000000005C38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: InstallUtil.exe, 0000000A.00000003.494788620.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: InstallUtil.exe, 0000000A.00000003.496284015.0000000005B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: InstallUtil.exe, 0000000A.00000003.496284015.0000000005B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/?X
Source: InstallUtil.exe, 0000000A.00000003.495446560.0000000006408000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494710435.0000000006408000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.518304119.000000000640B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496284015.0000000005B94000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494550099.00000000063F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494492294.0000000006417000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabo
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: InstallUtil.exe, 0000000A.00000003.494409848.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496771690.0000000005C3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://multimetals.cfd
Source: pot.exe, 00000001.00000003.427221317.000000000BED0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ns.ado/1
Source: pot.exe, 00000001.00000003.311383323.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.411228926.000000000BEA8000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.413434243.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.307834538.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314434884.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.309793041.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.310985083.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.317213060.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.308761023.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314204431.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.319967920.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.310639752.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.312141601.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.313899652.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.312675654.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314567273.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314769045.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.308319804.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.311461105.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.309511461.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.411816052.000000000BEC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ns.ado/1yP
Source: pot.exe, 00000001.00000003.427221317.000000000BED0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: pot.exe, 00000001.00000003.311383323.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.411228926.000000000BEA8000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.413434243.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.307834538.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314434884.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.309793041.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.310985083.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.317213060.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.308761023.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314204431.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.319967920.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.310639752.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.312141601.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.313899652.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.312675654.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314567273.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314769045.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.308319804.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.311461105.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.309511461.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.411816052.000000000BEC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.c/gyP
Source: pot.exe, 00000001.00000003.427221317.000000000BED0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: pot.exe, 00000001.00000003.311383323.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.411228926.000000000BEA8000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.413434243.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.307834538.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314434884.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.309793041.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.310985083.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.317213060.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.308761023.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314204431.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.319967920.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.310639752.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.312141601.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.313899652.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.312675654.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314567273.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314769045.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.308319804.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.311461105.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.309511461.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.411816052.000000000BEC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.cobjyP
Source: pot.exe, 00000001.00000003.307834538.000000000BECA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ns.d
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: InstallUtil.exe, 0000000A.00000003.496181995.0000000006351000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: InstallUtil.exe, 0000000A.00000002.517031388.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516809161.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.512386843.0000000002972000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: InstallUtil.exe, 0000000A.00000002.517031388.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516809161.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.512386843.0000000002972000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.517974136.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: B35@6B.exe, 00000000.00000002.290388561.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000002.432584864.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 0000000A.00000003.496161057.000000000637C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: InstallUtil.exe, 0000000A.00000003.496161057.000000000637C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es
Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: InstallUtil.exe, 0000000A.00000003.496161057.000000000637C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com4
Source: B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comB
Source: B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comZ
Source: B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comes
Source: B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comexc
Source: B35@6B.exe, 00000000.00000003.243686727.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244376914.000000000C59D000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244356588.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243874994.000000000C598000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243834321.000000000C5A0000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245244855.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244623217.000000000C59F000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244576344.000000000C59F000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243711214.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244119845.000000000C59B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comic-
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como.
Source: B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.compor
Source: B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comypo
Source: InstallUtil.exe, 0000000A.00000003.494409848.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496795773.0000000005C38000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: InstallUtil.exe, 0000000A.00000003.496161057.000000000637C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496626164.000000000637E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: InstallUtil.exe, 0000000A.00000003.495723205.000000000636F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: InstallUtil.exe, 0000000A.00000003.494788620.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516662324.0000000005BE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495309733.0000000005BE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.defence.gov.au/pki0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: InstallUtil.exe, 0000000A.00000003.494550099.00000000063F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: InstallUtil.exe, 0000000A.00000003.496181995.0000000006351000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494550099.00000000063F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.eme.lv/repository0
Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: B35@6B.exe, 00000000.00000003.245908483.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246675183.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245973902.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246009181.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245546404.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246108229.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: B35@6B.exe, 00000000.00000003.245480056.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245508880.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245546404.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/Y
Source: B35@6B.exe, 00000000.00000003.246772634.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: B35@6B.exe, 00000000.00000003.246719543.000000000C5A9000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246455927.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html/
Source: B35@6B.exe, 00000000.00000003.245546404.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers1
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: B35@6B.exe, 00000000.00000003.246704680.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246762025.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246859296.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246675183.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246905589.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersY
Source: B35@6B.exe, 00000000.00000003.250184391.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designerse
Source: B35@6B.exe, 00000000.00000003.247092349.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246961090.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersn
Source: B35@6B.exe, 00000000.00000003.245508880.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245546404.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersp
Source: B35@6B.exe, 00000000.00000003.245793626.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245728656.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersz
Source: B35@6B.exe, 00000000.00000003.286289999.000000000C590000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.286398571.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000002.308273126.000000000C594000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: B35@6B.exe, 00000000.00000003.242654377.000000000C5BE000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.242690897.000000000C5BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: B35@6B.exe, 00000000.00000003.242545128.000000000C5A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnY
Source: B35@6B.exe, 00000000.00000003.243061112.000000000C593000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnoY
Source: B35@6B.exe, 00000000.00000003.242534194.000000000C5BD000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.242654377.000000000C5BE000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.242521169.000000000C5BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cns-c
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496284015.0000000005B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: InstallUtil.exe, 0000000A.00000003.496284015.0000000005B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oaticerts.com/repository.
Source: InstallUtil.exe, 0000000A.00000003.496181995.0000000006351000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: InstallUtil.exe, 0000000A.00000003.496181995.0000000006351000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.rcsc.lt/repository0
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: InstallUtil.exe, 0000000A.00000003.494788620.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.242941104.000000000C5C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: B35@6B.exe, 00000000.00000003.242941104.000000000C5C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com$
Source: B35@6B.exe, 00000000.00000003.242965123.000000000C5C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comn
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: InstallUtil.exe, 0000000A.00000003.494788620.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.b
Source: InstallUtil.exe, 0000000A.00000003.496181995.0000000006351000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.517974136.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.512386843.0000000002972000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.517974136.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.512386843.0000000002972000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: InstallUtil.exe, 0000000A.00000002.512055045.0000000002948000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511374769.00000000028E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://7lPQxKUhrmku.org
Source: InstallUtil.exe, 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: InstallUtil.exe, 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%appdata
Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://eca.hinet.net/repository0
Source: InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/address/)1(0&
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: B35@6B.exe, B35@6B.exe, 00000000.00000002.290388561.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000002.432584864.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: B35@6B.exe, 00000000.00000002.290388561.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000002.432584864.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: B35@6B.exe String found in binary or memory: https://www.google.com3GetManifestResourceStream
Source: B35@6B.exe, 00000000.00000002.290388561.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000002.432584864.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.comT
Source: InstallUtil.exe, 0000000A.00000003.494550099.00000000063F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: InstallUtil.exe, 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown DNS traffic detected: queries for: www.google.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.185.132:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.132:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: B35@6B.exe, 00000000.00000002.287669560.00000000013A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.B35@6B.exe.4b4aa42.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.B35@6B.exe.4be84c2.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.pot.exe.44cbe62.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.InstallUtil.exe.630000.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.B35@6B.exe.4b16152.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.B35@6B.exe.4b7f322.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.pot.exe.45698e2.5.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.pot.exe.44cbe62.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.pot.exe.459e1b8.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.InstallUtil.exe.630000.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.pot.exe.4500742.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.pot.exe.4497572.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.pot.exe.45698e2.5.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.B35@6B.exe.4b4aa42.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.pot.exe.4500742.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.B35@6B.exe.4c1cd98.5.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.B35@6B.exe.4b7f322.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.InstallUtil.exe.630000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.pot.exe.459e1b8.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.B35@6B.exe.4c1cd98.5.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.InstallUtil.exe.630000.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.B35@6B.exe.4be84c2.6.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.pot.exe.4497572.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.B35@6B.exe.4b16152.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.InstallUtil.exe.630000.2.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
Source: 10.0.InstallUtil.exe.630000.1.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
Source: 10.0.InstallUtil.exe.630000.4.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
Source: 10.0.InstallUtil.exe.630000.3.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
Source: 10.2.InstallUtil.exe.630000.0.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
Source: 10.0.InstallUtil.exe.630000.0.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
Source: B35@6B.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.B35@6B.exe.4b4aa42.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.B35@6B.exe.4be84c2.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.pot.exe.44cbe62.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.InstallUtil.exe.630000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.B35@6B.exe.4b16152.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.B35@6B.exe.4b7f322.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.pot.exe.45698e2.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.pot.exe.44cbe62.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.pot.exe.459e1b8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.InstallUtil.exe.630000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.pot.exe.4500742.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.pot.exe.4497572.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.pot.exe.45698e2.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.B35@6B.exe.4b4aa42.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.pot.exe.4500742.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.B35@6B.exe.4c1cd98.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.B35@6B.exe.4b7f322.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.InstallUtil.exe.630000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.pot.exe.459e1b8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.B35@6B.exe.4c1cd98.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.InstallUtil.exe.630000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.B35@6B.exe.4be84c2.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.pot.exe.4497572.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.B35@6B.exe.4b16152.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_01564110 0_2_01564110
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_0156F450 0_2_0156F450
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_01564738 0_2_01564738
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_015697D8 0_2_015697D8
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_0156B6E9 0_2_0156B6E9
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_0156EBE0 0_2_0156EBE0
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_0156DFF0 0_2_0156DFF0
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_01565FF8 0_2_01565FF8
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_01564E18 0_2_01564E18
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_0156F442 0_2_0156F442
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_0156EB4E 0_2_0156EB4E
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_0156EB82 0_2_0156EB82
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_0156EBAA 0_2_0156EBAA
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_0156DFE0 0_2_0156DFE0
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_03195298 0_2_03195298
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_031952A8 0_2_031952A8
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_03193444 0_2_03193444
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B0040 0_2_067B0040
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B41E8 0_2_067B41E8
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B0F20 0_2_067B0F20
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B5D68 0_2_067B5D68
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067BA818 0_2_067BA818
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B3638 0_2_067B3638
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B3628 0_2_067B3628
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B5738 0_2_067B5738
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B5731 0_2_067B5731
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B3470 0_2_067B3470
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B3462 0_2_067B3462
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B3210 0_2_067B3210
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B3201 0_2_067B3201
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B0007 0_2_067B0007
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B4139 0_2_067B4139
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B0E29 0_2_067B0E29
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B2FB8 0_2_067B2FB8
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B2FA8 0_2_067B2FA8
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B2C10 0_2_067B2C10
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B2C00 0_2_067B2C00
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B5D21 0_2_067B5D21
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B1DE0 0_2_067B1DE0
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B1DD1 0_2_067B1DD1
Source: C:\Users\user\Desktop\B35@6B.exe Code function: 0_2_067B0DB3 0_2_067B0DB3
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_054631FC 1_2_054631FC
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_054652A8 1_2_054652A8
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_054652B8 1_2_054652B8
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_061817F0 1_2_061817F0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06183430 1_2_06183430
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06184548 1_2_06184548
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0618CE48 1_2_0618CE48
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06187C38 1_2_06187C38
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06183B88 1_2_06183B88
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0618F880 1_2_0618F880
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_061877A0 1_2_061877A0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06183413 1_2_06183413
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06187548 1_2_06187548
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_061862F8 1_2_061862F8
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06187190 1_2_06187190
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0618ECA0 1_2_0618ECA0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0618BD48 1_2_0618BD48
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06187A30 1_2_06187A30
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06182869 1_2_06182869
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0CED8 1_2_0BE0CED8
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0F748 1_2_0BE0F748
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0C660 1_2_0BE0C660
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0DBA0 1_2_0BE0DBA0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0DBB0 1_2_0BE0DBB0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0C940 1_2_0BE0C940
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE03FE8 1_2_0BE03FE8
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0BE68 1_2_0BE0BE68
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0F187 1_2_0BE0F187
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0F198 1_2_0BE0F198
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0D7C0 1_2_0BE0D7C0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0D7D0 1_2_0BE0D7D0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0F738 1_2_0BE0F738
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0C64F 1_2_0BE0C64F
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0C500 1_2_0BE0C500
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0C4A9 1_2_0BE0C4A9
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE41388 1_2_0BE41388
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE45A60 1_2_0BE45A60
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE419B8 1_2_0BE419B8
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE4E958 1_2_0BE4E958
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE46090 1_2_0BE46090
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE457C0 1_2_0BE457C0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE46EE0 1_2_0BE46EE0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE4A640 1_2_0BE4A640
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE4CE58 1_2_0BE4CE58
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE41379 1_2_0BE41379
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE4F210 1_2_0BE4F210
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE419A8 1_2_0BE419A8
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE42908 1_2_0BE42908
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE42918 1_2_0BE42918
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE457B0 1_2_0BE457B0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE4EF80 1_2_0BE4EF80
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE41748 1_2_0BE41748
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE4175D 1_2_0BE4175D
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE46ED0 1_2_0BE46ED0
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE416A4 1_2_0BE416A4
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE416B9 1_2_0BE416B9
Source: B35@6B.exe, 00000000.00000002.303282970.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRwKntxILzrfTruqKGkLPcmQ.exe4 vs B35@6B.exe
Source: B35@6B.exe, 00000000.00000002.304264302.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRwKntxILzrfTruqKGkLPcmQ.exe4 vs B35@6B.exe
Source: B35@6B.exe, 00000000.00000002.287669560.00000000013A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs B35@6B.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: B35@6B.exe Virustotal: Detection: 45%
Source: B35@6B.exe ReversingLabs: Detection: 46%
Source: B35@6B.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\B35@6B.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\B35@6B.exe "C:\Users\user\Desktop\B35@6B.exe"
Source: C:\Users\user\Desktop\B35@6B.exe Process created: C:\Users\user\AppData\Local\Temp\pot.exe "C:\Users\user\AppData\Local\Temp\pot.exe"
Source: C:\Users\user\AppData\Local\Temp\pot.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe "C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe"
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe "C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe"
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\B35@6B.exe Process created: C:\Users\user\AppData\Local\Temp\pot.exe "C:\Users\user\AppData\Local\Temp\pot.exe"
Source: C:\Users\user\AppData\Local\Temp\pot.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\B35@6B.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\B35@6B.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B35@6B.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/8@3/2
Source: C:\Users\user\Desktop\B35@6B.exe File read: C:\Users\user\Desktop\desktop.ini
Source: B35@6B.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\B35@6B.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\pot.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01
Source: 10.0.InstallUtil.exe.630000.2.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.InstallUtil.exe.630000.1.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.InstallUtil.exe.630000.4.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\B35@6B.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\pot.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\pot.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: B35@6B.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: B35@6B.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: Acrobat.exe, 0000000E.00000002.468247784.00000000007C2000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe, 00000010.00000000.481629339.0000000000D02000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe.10.dr
Source: Binary string: InstallUtil.pdb source: Acrobat.exe, 0000000E.00000002.468247784.00000000007C2000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe, 00000010.00000000.481629339.0000000000D02000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe.10.dr
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0D5E0 push AB0BE0D0h; iretd 1_2_0BE0D5E5
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE04410 pushad ; retf 1_2_0BE04411
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE4A160 push edi; ret 1_2_0BE4A162
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE4A16A push edi; ret 1_2_0BE4A16C
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE49FF9 push ebx; retf 1_2_0BE49FFA
Source: initial sample Static PE information: section name: .text entropy: 6.8368028789554005

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File written: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Acrobat

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\B35@6B.exe File opened: C:\Users\user\Desktop\B35@6B.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\pot.exe File opened: C:\Users\user\AppData\Local\Temp\pot.exe\:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe:Zone.Identifier read attributes | delete
Source: c:\users\user\desktop\b35@6b.exe File moved: C:\Users\user\AppData\Local\Temp\pot.exe
Source: C:\Users\user\Desktop\B35@6B.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\B35@6B.exe TID: 5648 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\B35@6B.exe TID: 4084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\pot.exe TID: 4916 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\pot.exe TID: 4916 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5524 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5872 Thread sleep count: 9615 > 30
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe TID: 1900 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe TID: 4612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\B35@6B.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\pot.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\pot.exe Window / User API: threadDelayed 9824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 9615
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06180B50 sgdt fword ptr [eax] 1_2_06180B50
Source: C:\Users\user\Desktop\B35@6B.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\B35@6B.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\pot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\pot.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Thread delayed: delay time: 922337203685477
Source: pot.exe, 00000001.00000002.429076060.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: B35@6B.exe, 00000000.00000002.290634569.00000000031F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
Source: pot.exe, 00000001.00000002.432957387.0000000002B78000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware VGAuth
Source: pot.exe, 00000001.00000002.432957387.0000000002B78000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sandboxierpcss#SOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516809161.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.490985919.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.492523884.0000000005C09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: pot.exe, 00000001.00000002.432957387.0000000002B78000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTraysage@5
Source: B35@6B.exe Binary or memory string: ~LKJKHGFSDCB
Source: B35@6B.exe, 00000000.00000002.287944502.00000000013DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.491405202.0000000005C16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516809161.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.491256208.0000000005C12000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.490985919.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493562354.0000000005C18000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`#
Source: B35@6B.exe, 00000000.00000002.287944502.00000000013DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\B35@6B.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\pot.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\B35@6B.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\B35@6B.exe Process created: C:\Users\user\AppData\Local\Temp\pot.exe "C:\Users\user\AppData\Local\Temp\pot.exe"
Source: C:\Users\user\AppData\Local\Temp\pot.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Users\user\Desktop\B35@6B.exe VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Users\user\AppData\Local\Temp\pot.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Queries volume information: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Queries volume information: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\Desktop\B35@6B.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.B35@6B.exe.4b4aa42.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4be84c2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.44cbe62.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.InstallUtil.exe.630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4b16152.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4b7f322.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.45698e2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.44cbe62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.459e1b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.InstallUtil.exe.630000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.4500742.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.4497572.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.45698e2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4b4aa42.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.4500742.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4c1cd98.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4b7f322.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.InstallUtil.exe.630000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.459e1b8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4c1cd98.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.InstallUtil.exe.630000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4be84c2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.4497572.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4b16152.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.420464455.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.303282970.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.420090127.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.455643526.0000000004462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.500496206.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.304264302.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.454626461.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.420800374.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.457363000.0000000004569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.419618627.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: B35@6B.exe PID: 1724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pot.exe PID: 3224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1448, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1448, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.B35@6B.exe.4b4aa42.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4be84c2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.44cbe62.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.InstallUtil.exe.630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4b16152.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4b7f322.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.45698e2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.44cbe62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.459e1b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.InstallUtil.exe.630000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.4500742.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.4497572.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.45698e2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4b4aa42.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.4500742.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4c1cd98.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4b7f322.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.InstallUtil.exe.630000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.459e1b8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4c1cd98.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.InstallUtil.exe.630000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4be84c2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pot.exe.4497572.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.B35@6B.exe.4b16152.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.420464455.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.303282970.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.420090127.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.455643526.0000000004462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.500496206.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.304264302.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.454626461.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.420800374.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.457363000.0000000004569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.419618627.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: B35@6B.exe PID: 1724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pot.exe PID: 3224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1448, type: MEMORYSTR