Windows Analysis Report
Acrobat_DC_x64_VIP_v10.12.msi

Overview

General Information

Sample name: Acrobat_DC_x64_VIP_v10.12.msi
Analysis ID: 1560658
MD5: b9632555b2c19b9182cab9c098c22d8e
SHA1: 100d612540c51413141f52c3888114cddb76e9a0
SHA256: 1164b944f47a9701ddd682f59c60425faed350647e3f9e562e1abc140a89c7f2

Detection

BumbleBee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Yara detected BumbleBee
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines
Contains functionality to determine the online IP of the system
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: BumbleBee
Description: This malware is delivered by an ISO file, with a DLL inside with a custom loader. Because of the unique user-agent "bumblebee" this malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed to fetch Cobalt Strike payloads.
Attribution:
  • EXOTIC LILY
  • GOLD CABIN
  • TA578
  • TA579
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee

AV Detection

Source: 3.2.rundll32.exe.22e65fc0000.2.raw.unpack Malware Configuration Extractor: BumbleBee
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll ReversingLabs: Detection: 13%
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD475EBC-D960-4AF4-BB8A-BE91FA942756}
Source: Binary string: C:\adm\jenkins\workspace\New_RDC_Sol_Plutus_Win_Build_git\2.0\dev\target\win\Release\Adobe Download Manager.pdb source: Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 45.155.37.158 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 45.83.20.213 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 46.249.38.179 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 149.154.153.2 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 188.166.15.250 443
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FCFC4C InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,std::_Deallocate, https://api.ipify.org/ 3_2_0000022E65FCFC4C
Source: Joe Sandbox View IP Address: 188.166.15.250
Source: Joe Sandbox View ASN Name: EDIS-AS-EUAT
Source: Joe Sandbox View ASN Name: SHOCK-1US
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: DEDIPATH-LLCUS
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E660F4FB0 select,__WSAFDIsSet,__WSAFDIsSet,recv,WSAGetLastError,Sleep,WSAGetLastError,getsockopt,getsockopt,std::_Deallocate,std::_Deallocate,WSAGetLastError,WSAGetLastError, 3_2_0000022E660F4FB0
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp String found in binary or memory: http://myexternalip.com/raw
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Reader_Install_Setup.exe, 00000002.00000002.4178286591.0000000007642000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: http://typekit.com/eulas/0000000000000000000176ff
Source: Reader_Install_Setup.exe, 00000002.00000002.4184616950.0000000009702000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: http://typekit.com/eulas/000000000000000000017701
Source: Reader_Install_Setup.exe, 00000002.00000002.4184616950.0000000009702000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: http://typekit.com/eulas/000000000000000000017702
Source: Reader_Install_Setup.exe, 00000002.00000002.4178286591.0000000007642000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: http://typekit.com/eulas/000000000000000000017703
Source: Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4178286591.00000000076AA000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4173381032.000000000356B000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: http://typekit.com/eulas/000000000000000000017704
Source: Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4178286591.00000000076AA000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4173381032.000000000356B000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: http://typekit.com/eulas/000000000000000000017706
Source: Reader_Install_Setup.exe.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp String found in binary or memory: https://api.ipify.org/http://myexternalip.com/rawIP
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000003.1761747071.00000000094A0000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1756406466.0000000007729000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4182341319.0000000009260000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1760605699.00000000077A0000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1756350671.0000000009698000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1750169262.0000000003570000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://getbootstrap.com/)
Source: Reader_Install_Setup.exe String found in binary or memory: https://github.com/Fin
Source: Reader_Install_Setup.exe, 00000002.00000002.4177803623.00000000074CA000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1750611438.0000000003560000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Financial-Times/polyfill-service/issues/317
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000003.1761747071.00000000094A0000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4182341319.0000000009260000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1756350671.0000000009698000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1750169262.0000000003570000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/twbs/bootstrap/blob/main/LICENSE)
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000002.4178233121.00000000075B0000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1748114672.00000000075B5000.00000004.00000020.00020000.00000000.sdmp, 231[1].2.dr String found in binary or memory: https://mths.be/array-from
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000002.4178233121.00000000075B0000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1748114672.00000000075B5000.00000004.00000020.00020000.00000000.sdmp, 231[1].2.dr String found in binary or memory: https://mths.be/array-of
Source: Reader_Install_Setup.exe, 00000002.00000002.4178433184.000000000771A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://p.typekit.net/
Source: Reader_Install_Setup.exe, 00000002.00000002.4177118828.000000000741D000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: https://p.typekit.net/p.gif
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4178433184.0000000007749000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://p.typekit.net/p.gif?s=1&k=bxf0ivf&ht=tk&h=C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5CPa
Source: Reader_Install_Setup.exe, 00000002.00000002.4178433184.000000000771A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io/SZ%
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176878067.0000000004990000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.00000000014B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io/adm/actionList
Source: Reader_Install_Setup.exe, 00000002.00000002.4178433184.000000000779F000.00000004.00000020.00020000.00000000.sdmp, Adobe_ADM.log.2.dr String found in binary or memory: https://rdc.adobe.io/adm/actionList?installerName=readerdc64_en_ha_install.exe&defaultInstallerName=
Source: Reader_Install_Setup.exe, 00000002.00000002.4184569460.0000000009630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io/analytics/events66
Source: Reader_Install_Setup.exe, 00000002.00000002.4184569460.0000000009630000.00000004.00000020.00020000.00000000.sdmp, Adobe_ADM.log.2.dr String found in binary or memory: https://rdc.adobe.io/analytics/events?UniqueId=CE1680CB-B496-484F-B8BA-A7D159A1C243&abbr=rdr&admErro
Source: Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://rdc.adobe.io/analytics/eventsanalyticstestWorkflowApplication
Source: Reader_Install_Setup.exe, 00000002.00000002.4184569460.0000000009630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io:443/analytics/events?UniqueId=CE1680CB-B496-484F-B8BA-A7D159A1C243&abbr=rdr&adm
Source: Reader_Install_Setup.exe, 00000002.00000003.1761945684.0000000007675000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
Source: Reader_Install_Setup.exe, 00000002.00000003.1749394309.00000000089DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=arguments.length
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000002.4183756273.00000000093F0000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1749261059.00000000089FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reactjs.org/link/react-polyfills
Source: Reader_Install_Setup.exe, 00000002.00000002.4183756273.00000000093F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reactjs.org/link/react-polyfillsThis
Source: Reader_Install_Setup.exe, 00000002.00000003.1749261059.00000000089FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reactjs.org/link/react-polyfillsn.unstable_shouldYieldn.unstable_forceFrameRate
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/-U
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: https://use.typekit.net/af/4b3e87/000000000000000000017706/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/4b3e87/000000000000000000017706/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/4b3e87/000000000000000000017706/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/4b3e87/000000000000000000017706/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: https://use.typekit.net/af/74ffb1/000000000000000000017702/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/74ffb1/000000000000000000017702/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/74ffb1/000000000000000000017702/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/74ffb1/000000000000000000017702/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: https://use.typekit.net/af/a2527e/000000000000000000017704/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/a2527e/000000000000000000017704/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4178433184.0000000007749000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/a2527e/000000000000000000017704/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/a2527e/000000000000000000017704/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, 160[1].2.dr String found in binary or memory: https://use.typekit.net/bxf0ivf.js
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.00000000014B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/bxf0ivf.js020
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.00000000014B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/bxf0ivf.jsQ
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/bxf0ivf.jsRc
Source: Reader_Install_Setup.exe, 00000002.00000003.1749261059.00000000089FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/bxf0ivf.jsn.type
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://use.typekit.net/uT

E-Banking Fraud

Source: Yara match File source: 3.2.rundll32.exe.22e65fc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.22e65fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.rundll32.exe.22e65fc0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Bumblebee_35f50bea Author: unknown
Source: 3.2.rundll32.exe.22e65fc0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Bumblebee_35f50bea Author: unknown
Source: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Bumblebee_35f50bea Author: unknown
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FEF23C GetModuleHandleA,GetProcAddress,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory, 3_2_0000022E65FEF23C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65CA8C31 NtCreateSection, 3_2_0000022E65CA8C31
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65CA9390 NtOpenFile, 3_2_0000022E65CA9390
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65CA8D40 NtCreateSection,NtMapViewOfSection, 3_2_0000022E65CA8D40
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\411fe0.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2128.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\411fe2.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\411fe2.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\411fe2.msi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00B599E0 2_2_00B599E0
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00B43BB0 2_2_00B43BB0
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00B5F4C0 2_2_00B5F4C0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E660F7450 3_2_0000022E660F7450
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E660F60B0 3_2_0000022E660F60B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E660F4FB0 3_2_0000022E660F4FB0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FD505C 3_2_0000022E65FD505C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E660F7B20 3_2_0000022E660F7B20
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E660F6C60 3_2_0000022E660F6C60
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E660F57C0 3_2_0000022E660F57C0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E66122288 3_2_0000022E66122288
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E661202B0 3_2_0000022E661202B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FC61C8 3_2_0000022E65FC61C8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FC4160 3_2_0000022E65FC4160
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FF0110 3_2_0000022E65FF0110
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FFD460 3_2_0000022E65FFD460
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FC63A4 3_2_0000022E65FC63A4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E6611B21C 3_2_0000022E6611B21C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FC4290 3_2_0000022E65FC4290
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E6610E250 3_2_0000022E6610E250
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FF8E20 3_2_0000022E65FF8E20
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FF0E00 3_2_0000022E65FF0E00
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E66068F00 3_2_0000022E66068F00
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E66102040 3_2_0000022E66102040
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FC4040 3_2_0000022E65FC4040
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E66129CC8 3_2_0000022E66129CC8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E6611ACD4 3_2_0000022E6611ACD4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FCCFA0 3_2_0000022E65FCCFA0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FE5F50 3_2_0000022E65FE5F50
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FD9F18 3_2_0000022E65FD9F18
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FF4EC0 3_2_0000022E65FF4EC0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FCBE7C 3_2_0000022E65FCBE7C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E6611FAE0 3_2_0000022E6611FAE0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FFDB40 3_2_0000022E65FFDB40
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FC3930 3_2_0000022E65FC3930
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E6610E870 3_2_0000022E6610E870
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FF8B70 3_2_0000022E65FF8B70
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FC3AC0 3_2_0000022E65FC3AC0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FFBAAF 3_2_0000022E65FFBAAF
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FE5A90 3_2_0000022E65FE5A90
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FFC6FA 3_2_0000022E65FFC6FA
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E66120528 3_2_0000022E66120528
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FEB768 3_2_0000022E65FEB768
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FF8720 3_2_0000022E65FF8720
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FFB71F 3_2_0000022E65FFB71F
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FDA6E8 3_2_0000022E65FDA6E8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E6610E610 3_2_0000022E6610E610
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFDFA5B5A53 3_2_00007FFDFA5B5A53
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFDFA5B5A30 3_2_00007FFDFA5B5A30
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFDFA5B6D10 3_2_00007FFDFA5B6D10
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFDFA5B5760 3_2_00007FFDFA5B5760
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65CA7DA4 3_2_0000022E65CA7DA4
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000022E65FC67EC appears 95 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000022E65FCF290 appears 95 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000022E660CF158 appears 42 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000022E65FD1A6C appears 41 times
Source: Reader_Install_Setup.exe.1.dr Static PE information: Resource name: PNG type: DOS executable (COM, 0x8C-variant)
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: 3.2.rundll32.exe.22e65fc0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Bumblebee_35f50bea reference_sample = 9fff05a5aa9cbbf7d37bc302d8411cbd63fb3a28dc6f5163798ae899b9edcda6, os = windows, severity = x86, creation_date = 2022-04-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Bumblebee, fingerprint = f2e07a9b7d143ca13852f723e7d0bd55365d6f8b5d9315b7e24b7f1101010820, id = 35f50bea-c497-4cc6-b915-8ad3aca7bee6, last_modified = 2022-06-09
Source: 3.2.rundll32.exe.22e65fc0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Bumblebee_35f50bea reference_sample = 9fff05a5aa9cbbf7d37bc302d8411cbd63fb3a28dc6f5163798ae899b9edcda6, os = windows, severity = x86, creation_date = 2022-04-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Bumblebee, fingerprint = f2e07a9b7d143ca13852f723e7d0bd55365d6f8b5d9315b7e24b7f1101010820, id = 35f50bea-c497-4cc6-b915-8ad3aca7bee6, last_modified = 2022-06-09
Source: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Bumblebee_35f50bea reference_sample = 9fff05a5aa9cbbf7d37bc302d8411cbd63fb3a28dc6f5163798ae899b9edcda6, os = windows, severity = x86, creation_date = 2022-04-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Bumblebee, fingerprint = f2e07a9b7d143ca13852f723e7d0bd55365d6f8b5d9315b7e24b7f1101010820, id = 35f50bea-c497-4cc6-b915-8ad3aca7bee6, last_modified = 2022-06-09
Source: Reader_Install_Setup.exe.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9888474447202166
Source: classification engine Classification label: mal100.troj.evad.winMSI@6/73@0/5
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FF4DE0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,StrCmpIW,Process32NextW,CloseHandle, 3_2_0000022E65FF4DE0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FF1450 CoCreateInstance,CoSetProxyBlanket,GetModuleHandleW,GetProcAddress,CoSetProxyBlanket,new,_com_util::ConvertStringToBSTR,_com_issue_error,new,_com_util::ConvertStringToBSTR,_com_issue_error,SysFreeString,SysFreeString,VariantInit,VariantClear, 3_2_0000022E65FF1450
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML2185.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Mutant created: \Sessions\1\BaseNamedObjects\Adobe_ADM.log
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Mutant created: \Sessions\1\BaseNamedObjects\Adobe_GDE.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFCDF6CF734A63117B.TMP Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe "rundll32.exe" "C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll",DllRegisterServer
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Acrobat_DC_x64_VIP_v10.12.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
Source: Reader_Install_Setup.exe String found in binary or memory: {\r\n .yZVqwct25RQtg_rJyphu {\r\n -ms-flex-flow: row nowrap;\r\n flex-flow: row nowrap;\r\n -ms-flex-pack: start;\r\n justify-content: flex-start;\r\n }\r\n .yZVqwct25RQtg_rJyphu .UdZ9h4yDyt7zzl_efcFz {\r\n -ms-flex-direction: row;\r\n fle
Source: Reader_Install_Setup.exe String found in binary or memory: essage": "Congratulations" }, "ActionList_Verify": { "message": "Verifying install..." }, "ActionList_ErrorUpdateMessage": { "message": "The command line argument -installer is required but not provided." }, "ActionList_AlreadyExist
Source: Reader_Install_Setup.exe String found in binary or memory: 95GF_bATvy {\r\n z-index: 1;\r\n}\r\n\r\n.zL1_mT_7fs5uZHMuZ2nw {\r\n display: -ms-flexbox;\r\n display: flex;\r\n -ms-flex-wrap: wrap;\r\n flex-wrap: wrap;\r\n -ms-flex-pack: start;\r\n justify-content: flex-start;\r\n}\r\n\r\n.zL1_mT_7fs5uZHMuZ2nw .c1S
Source: Reader_Install_Setup.exe String found in binary or memory: -start;\r\n }\r\n .g82qRD5i9MRBdeNytiPv .UdZ9h4yDyt7zzl_efcFz {\r\n -ms-flex-direction: row;\r\n flex-direction: row;\r\n }\r\n .g82qRD5i9MRBdeNytiPv .UdZ9h4yDyt7zzl_efcFz .WNvdx4uqUWtr9A7ET3s8 {\r\n position: absolute;\r\n }\r\n .g82qRD5i9MRBde
Source: Reader_Install_Setup.exe String found in binary or memory: t !important;\r\n justify-content: flex-start !important;\r\n }\r\n .mXqDCUtaC_JMHMad0ZwV {\r\n -ms-flex-pack: end !important;\r\n justify-content: flex-end !important;\r\n }\r\n .qOrqtkCp3ivHw7SVfILq {\r\n -ms-flex-pack: center !important;\r\n
Source: Reader_Install_Setup.exe String found in binary or memory: lgende program(mer) bruger filer, som skal opdateres af Acrobat-installationen. Disse filer opdateres senere, efter disse programmer er blevet genstartet:" }, "ButtonOK": { "message": "OK" }, "ReaderSAPP_UninstallMessage": { "message": "F
Source: Reader_Install_Setup.exe String found in binary or memory: y-content: space-around !important;\r\n }\r\n .SkBdZQ4j6W8eEExZe0hD {\r\n -ms-flex-align: start !important;\r\n align-items: flex-start !important;\r\n }\r\n .WAJbhUQHN23bq7qy5Sn4 {\r\n -ms-flex-align: end !important;\r\n align-items: flex-end
Source: Reader_Install_Setup.exe String found in binary or memory: er-mid marker-start overline-position overline-thickness paint-order panose-1 pointer-events rendering-intent shape-rendering stop-color stop-opacity strikethrough-position strikethrough-thickness stroke-dasharray stroke-dashoffset stroke-linecap stroke-linejo
Source: Reader_Install_Setup.exe String found in binary or memory: che Fertig stellen und starten Sie den Installationsvorgang neu." }, "invalidSKU": { "message": "Das {0}-Installationsprogramm ist veraltet oder eine Datei wurde umbenannt. Klicken Sie auf Fertig stellen, um das aktuelle Installa
Source: Reader_Install_Setup.exe String found in binary or memory: .Km2Za0W8caH7Y94_8Cii {\r\n -ms-flex-align: stretch !important;\r\n align-items: stretch !important;\r\n }\r\n .W43tG1Sz8VgKlzT3ABdI {\r\n -ms-flex-line-pack: start !important;\r\n align-content: flex-start !important;\r\n }\r\n .jl0mwv_1IlwXKT
Source: Reader_Install_Setup.exe String found in binary or memory: art;\r\n align-items: flex-start;\r\n -ms-flex-pack: center;\r\n justify-content: center;\r\n}\r\n\r\n.KreO5lkqzKRYE6kMOpU8 > .SI26_236LLhD2moOSicV,\r\n.KreO5lkqzKRYE6kMOpU8 > .znKiFK8BtK3Ryz9nqB1f {\r\n width: 100%;\r\n}\r\n\r\n.KreO5lkqzKRYE6kMOpU8 > .SI
Source: Reader_Install_Setup.exe String found in binary or memory: -flex-flow: row nowrap;\r\n flex-flow: row nowrap;\r\n -ms-flex-pack: start;\r\n justify-content: flex-start;\r\n }\r\n .HR7PgL6swGh5IOFzTcX2 .UdZ9h4yDyt7zzl_efcFz {\r\n -ms-flex-direction: row;\r\n flex-direction: row;\r\n }\r\n .HR7PgL6swG
Source: Reader_Install_Setup.exe String found in binary or memory: gn: start !important;\r\n align-self: flex-start !important;\r\n }\r\n .eLScPzCVVKub71kFSTo6 {\r\n -ms-flex-item-align: end !important;\r\n align-self: flex-end !important;\r\n }\r\n .AjPsmeBDtyK_yy_tIXdq {\r\n -ms-flex-item-align: center !impo
Source: Reader_Install_Setup.exe String found in binary or memory: -ms-flex-pack: start;\r\n justify-content: flex-start;\r\n}\r\n\r\n.q2Zc28XrMrY0gB3RKQXQ > .P9ttp5CfYv4K8NwPCfAS,\r\n.q2Zc28XrMrY0gB3RKQXQ > .m8oOHyBtRiyoCu3QS5_q, .q2Zc28XrMrY0gB3RKQXQ > .uTTRfMaOKj_KeT7DYxKx, .q2Zc28XrMrY0gB3RKQXQ > .iJvWw3vT2QR1DLdPDvu3, .
Source: Reader_Install_Setup.exe String found in binary or memory: "flex-shrink-0":"on8QKWtR02qa9o9le_l4","flex-shrink-1":"sSYTlm_fbXuMQ2nOLx0w","justify-content-start":"DASZHkth1o5IOMZyhTDx","justify-content-end":"LAWb7Cbf0N5DYoYZseWF","justify-content-center":"FXBomI8D0oPm5hc8wxwA","justify-content-between":"wcoUwDW3XLAvF5X
Source: Reader_Install_Setup.exe String found in binary or memory: \r\n\r\n.sSYTlm_fbXuMQ2nOLx0w {\r\n -ms-flex-negative: 1 !important;\r\n flex-shrink: 1 !important;\r\n}\r\n\r\n.DASZHkth1o5IOMZyhTDx {\r\n -ms-flex-pack: start !important;\r\n justify-content: flex-start !important;\r\n}\r\n\r\n.LAWb7Cbf0N5DYoYZseWF {\r\n
Source: Reader_Install_Setup.exe String found in binary or memory: Hf_0","justify-content-around":"YZxKsrbvidFu366yCv8k","align-items-start":"kzhaT0Oba_fChd17ICcv","align-items-end":"DfrSF9G_NhJxaBrTyI9E","align-items-center":"T2gjS8V2_aCimczn_mvA","align-items-baseline":"wvV162mt8CM64dJRJC_K","align-items-stretch":"uwleunsKz
Source: Reader_Install_Setup.exe String found in binary or memory: ustify-content: flex-start !important;\r\n }\r\n .y9ejXHhttjAEgovYXYMU {\r\n -ms-flex-pack: end !important;\r\n justify-content: flex-end !important;\r\n }\r\n .COPRSpy9kETB_SZQ4smx {\r\n -ms-flex-pack: center !important;\r\n justify-content: c
Source: Reader_Install_Setup.exe String found in binary or memory: r\n justify-content: flex-start;\r\n align-items: flex-end;\r\n}\r\n\r\n.IDKVSl_h7I8AUkTJyJZR{\r\n color:#505050;\r\n margin-left: auto;\r\n}\r\n\r\n.mdye5L_d5nxHhgXOJzOl {\r\n background-color: #2680eb\r\n}\r\n\r\n.uA6xPsp_APEYTCYzQpAm {\r\n
Source: Reader_Install_Setup.exe String found in binary or memory: ZoW2nYlOE4","align-content-start":"Ux_l3vTkayi2Nq7VsaVG","align-content-end":"NeoGktt2uqAOkIls2tkD","align-content-center":"kFFYrbLbLECA7hshfgB4","align-content-between":"_ovIEpiGXhGpst7ciRVY","align-content-around":"lkHcf3zkijisAIDcTRgA","align-content-stretc
Source: Reader_Install_Setup.exe String found in binary or memory: ":"NEedZEkDvapuuRM76fDm","align-self-auto":"HZJOrTsRFta7TuRD5mLC","align-self-start":"OcYm86Cu28Oe4t9OrHGy","align-self-end":"Wie7fqOQFV_ARe1Jw09R","align-self-center":"M8kCN1fgOGwZVFJ3wLAX","align-self-baseline":"JItXRBa5bZTWWkWA6xmX","align-self-stretch":"B3
Source: Reader_Install_Setup.exe String found in binary or memory: d !important;\r\n }\r\n .AwPLyaWsRJ3kVfxTYAKZ {\r\n -ms-flex-align: start !important;\r\n align-items: flex-start !important;\r\n }\r\n .JLhQyJ9YeJ2Xzm4rGI0o {\r\n -ms-flex-align: end !important;\r\n align-items: flex-end !important;\r\n }\r\n
Source: Reader_Install_Setup.exe String found in binary or memory: lign-items: flex-start !important;\r\n}\r\n\r\n.DfrSF9G_NhJxaBrTyI9E {\r\n -ms-flex-align: end !important;\r\n align-items: flex-end !important;\r\n}\r\n\r\n.T2gjS8V2_aCimczn_mvA {\r\n -ms-flex-align: center !important;\r\n align-items: center !important;\
Source: Reader_Install_Setup.exe String found in binary or memory: {\r\n -ms-flex-align: stretch !important;\r\n align-items: stretch !important;\r\n }\r\n .kaIxRiZtzxK_YyZMBHo_ {\r\n -ms-flex-line-pack: start !important;\r\n align-content: flex-start !important;\r\n }\r\n .l1QG33TebFm8kJRTmnh7 {\r\n -ms-fl
Source: Reader_Install_Setup.exe String found in binary or memory: aVG {\r\n -ms-flex-line-pack: start !important;\r\n align-content: flex-start !important;\r\n}\r\n\r\n.NeoGktt2uqAOkIls2tkD {\r\n -ms-flex-line-pack: end !important;\r\n align-content: flex-end !important;\r\n}\r\n\r\n.kFFYrbLbLECA7hshfgB4 {\r\n -ms-flex-
Source: Reader_Install_Setup.exe String found in binary or memory: y-content-sm-start":"B5btvvlXn96uf7yGf1tR","justify-content-sm-end":"PoT2qU4sMKBleURcc2cJ","justify-content-sm-center":"AVIeQzlddzrtDxIBXkKd","justify-content-sm-between":"ivJwQA579UzEbjI7CkZ_","justify-content-sm-around":"z68IWjEqXuP67bRb8eEp","align-items-sm
Source: Reader_Install_Setup.exe String found in binary or memory: start":"fJTv_QJTsr6EO2H1q4V3","align-items-sm-end":"w8v8i3VE57doJW3WhKMD","align-items-sm-center":"xPBnP81DTQHre7ixEe_q","align-items-sm-baseline":"Fv8YCtye3D9Er3k3sYNM","align-items-sm-stretch":"V6bazQgwJb2yoGr1NWeW","align-content-sm-start":"WLLVW2mH0bVmfnnP
Source: Reader_Install_Setup.exe String found in binary or memory: ;\r\n align-self: auto !important;\r\n}\r\n\r\n.OcYm86Cu28Oe4t9OrHGy {\r\n -ms-flex-item-align: start !important;\r\n align-self: flex-start !important;\r\n}\r\n\r\n.Wie7fqOQFV_ARe1Jw09R {\r\n -ms-flex-item-align: end !important;\r\n align-self: flex-end
Source: Reader_Install_Setup.exe String found in binary or memory: sm-auto":"IzdFJiZ2UCQMY9aGg_QA","align-self-sm-start":"iiYDHEA6tQXlGqaKw7jz","align-self-sm-end":"uq0dyk4fScobfEBVnATd","align-self-sm-center":"UpE4hJfsUm5TuZtTZvsv","align-self-sm-baseline":"e4_Oxc7RitQH_sjNSulu","align-self-sm-stretch":"k3cpKukN1yqN0o_bwWbO"
Source: Reader_Install_Setup.exe String found in binary or memory: r\n align-self: flex-start !important;\r\n }\r\n .gvNgooS8lRGqBrL8T2NG {\r\n -ms-flex-item-align: end !important;\r\n align-self: flex-end !important;\r\n }\r\n .hd7N4PctGEIBBTckCPnz {\r\n -ms-flex-item-align: center !important;\r\n align-se
Source: Reader_Install_Setup.exe String found in binary or memory: -reverse":"vy8MgiufjANaWTk_ZwWQ","flex-md-fill":"Oew_loBO0_dkmOrnii5w","flex-md-grow-0":"suF3M9_Dg1jwPDHryUtV","flex-md-grow-1":"NgldPqvt9DiqtAbphcRj","flex-md-shrink-0":"InhTYOgC9dF8dQSb1MLY","flex-md-shrink-1":"OqqmkSrciAjIMRn4zhht","justify-content-md-start
Source: Reader_Install_Setup.exe String found in binary or memory: :"hkIpV6klVOwAo752VSvr","justify-content-md-end":"eLk5KmeziN3FG_ZvWUbk","justify-content-md-center":"wx9l9CrohZahb5XLMrGW","justify-content-md-between":"ysWVT3V793_xoLXozo0y","justify-content-md-around":"cCZYopTiajqBE6zSF4mb","align-items-md-start":"THpMIn_rv9
Source: Reader_Install_Setup.exe String found in binary or memory: C"),a=!0,l="launchReader"),"true"===o.showLaunchAcrobat&&(i=t("Launch_Acrobat"),a=!0,l="launchAcrobat"),"true"===o.showLaunchReaderSAPP&&(i=t("Launch_Reader_DC"),a=!0,l="launchReaderSAPP")),a){var f="0";s&&(f="1");var p="<data><launchReaderSAPP>"+f+"</launchRe
Source: Reader_Install_Setup.exe String found in binary or memory: XJ1zTlRSw","align-items-md-end":"GDHTGrjlGD0S0f1_DiJ5","align-items-md-center":"wtOokl2f_oejiBt8WE_w","align-items-md-baseline":"RZpDrGEVofFZ2OwqC2qL","align-items-md-stretch":"wekS_MR1HkGU6Ej1xqxk","align-content-md-start":"LkRjjQuLuuq2HISiPqJR","align-conten
Source: Reader_Install_Setup.exe String found in binary or memory: s-flexbox;\r\n display: flex;\r\n -ms-flex-align: start;\r\n align-items: flex-start;\r\n -ms-flex-pack: justify;\r\n justify-content: space-between;\r\n padding: 1rem 1rem;\r\n border-bottom: 1px solid #dee2e6;\r\n border-top-left-radius: calc(0.3rem
Source: Reader_Install_Setup.exe String found in binary or memory: Rz26TjBddI4","align-self-md-start":"xTvlYZBtMd3hxVUw0G1S","align-self-md-end":"fZE3fFOWzrNpoqLg33AU","align-self-md-center":"R1In6pl7PW91BoY3krKQ","align-self-md-baseline":"J1mijNk_O5u2_BNY_hz0","align-self-md-stretch":"NAXMdJmeSI56lhqzCE60","flex-lg-row":"mj9
Source: Reader_Install_Setup.exe String found in binary or memory: tvvlXn96uf7yGf1tR {\r\n -ms-flex-pack: start !important;\r\n justify-content: flex-start !important;\r\n }\r\n .PoT2qU4sMKBleURcc2cJ {\r\n -ms-flex-pack: end !important;\r\n justify-content: flex-end !important;\r\n }\r\n .AVIeQzlddzrtDxIBXkKd
Source: Reader_Install_Setup.exe String found in binary or memory: Gw99NEZmcvYy","flex-lg-fill":"HKtXJhwNMeSoCd3MgKGQ","flex-lg-grow-0":"dvvTGp7Qb5VsoLexKoAj","flex-lg-grow-1":"MF9RSy7GVU0ZJs8Gio4O","flex-lg-shrink-0":"lPtuBlsAx25tEyrdPW0j","flex-lg-shrink-1":"smDQGRg_vRvZ1zTRxO2O","justify-content-lg-start":"hz1rXkTClh20Fh5L
Source: Reader_Install_Setup.exe String found in binary or memory: T5h","justify-content-lg-end":"mXqDCUtaC_JMHMad0ZwV","justify-content-lg-center":"qOrqtkCp3ivHw7SVfILq","justify-content-lg-between":"LdfUwIH0FNecJPWWPrg1","justify-content-lg-around":"nVtckCgiojWEvbI_02td","align-items-lg-start":"SkBdZQ4j6W8eEExZe0hD","align-
Source: Reader_Install_Setup.exe String found in binary or memory: lex-pack: distribute !important;\r\n justify-content: space-around !important;\r\n }\r\n .fJTv_QJTsr6EO2H1q4V3 {\r\n -ms-flex-align: start !important;\r\n align-items: flex-start !important;\r\n }\r\n .w8v8i3VE57doJW3WhKMD {\r\n -ms-flex-align:
Source: Reader_Install_Setup.exe String found in binary or memory: tems-lg-end":"WAJbhUQHN23bq7qy5Sn4","align-items-lg-center":"kd6x9h_3ZymIzA4bgzN7","align-items-lg-baseline":"KO8aNPXTLKYLQxI6em9l","align-items-lg-stretch":"Km2Za0W8caH7Y94_8Cii","align-content-lg-start":"W43tG1Sz8VgKlzT3ABdI","align-content-lg-end":"jl0mwv_1
Source: Reader_Install_Setup.exe String found in binary or memory: -self-lg-start":"G9A3tlQ35wA03mx2tzqx","align-self-lg-end":"eLScPzCVVKub71kFSTo6","align-self-lg-center":"AjPsmeBDtyK_yy_tIXdq","align-self-lg-baseline":"tEiZrAGTU4ltRxVsQYja","align-self-lg-stretch":"zM8DoQ0E3PzQ1e4NdlbO","flex-xl-row":"xiURbQvawKtv3lpRx8BS",
Source: Reader_Install_Setup.exe String found in binary or memory: Y84ydtiU3il6ry9nY {\r\n -webkit-animation: none;\r\n animation: none;\r\n }\r\n}\r\n\r\n.W6C_Cm_0CSNW7ljg2Y9l {\r\n display: -ms-flexbox;\r\n display: flex;\r\n -ms-flex-align: start;\r\n align-items: flex-start;\r\n}\r\n\r\n.xyiYCq7vZX3AEsLK_h4t {\
Source: Reader_Install_Setup.exe String found in binary or memory: t -installer is required but not provided." }, "ActionList_AlreadyExists": { "message": "Application already installed" }, "ActionList_Complete": { "message": "Installation complete" }, "ActionList_Cancelled": { "message": "Can
Source: Reader_Install_Setup.exe String found in binary or memory: ());i.push([r.id,".h3prVibJIx6xMWozlLvS{\r\n display: flex;\r\n flex-direction: row;\r\n flex-wrap: nowrap;\r\n align-content: flex-end;\r\n justify-content: flex-start;\r\n align-items: flex-end;\r\n}",""]),i.locals={container:"h3prVibJIx6xM
Source: Reader_Install_Setup.exe String found in binary or memory: -xl-fill":"kGKaQXNtKVolETkb6VY_","flex-xl-grow-0":"NeShcrAZ5y_hpxB1Krrg","flex-xl-grow-1":"ysC1kPY5k3OAcyOOrAZF","flex-xl-shrink-0":"c7DdFRyXaVXxSNLm96SA","flex-xl-shrink-1":"vVfhGb47ZI1vy9SKdLAy","justify-content-xl-start":"EMKOqdcLxlLCtgNKAVN9","justify-cont
Source: Reader_Install_Setup.exe String found in binary or memory: nt-xl-end":"y9ejXHhttjAEgovYXYMU","justify-content-xl-center":"COPRSpy9kETB_SZQ4smx","justify-content-xl-between":"mYnlm8yqHdRJ8jWo0Ula","justify-content-xl-around":"SRf5p8hsCyhBY1KbbllG","align-items-xl-start":"AwPLyaWsRJ3kVfxTYAKZ","align-items-xl-end":"JLhQ
Source: Reader_Install_Setup.exe String found in binary or memory: iYDHEA6tQXlGqaKw7jz {\r\n -ms-flex-item-align: start !important;\r\n align-self: flex-start !important;\r\n }\r\n .uq0dyk4fScobfEBVnATd {\r\n -ms-flex-item-align: end !important;\r\n align-self: flex-end !important;\r\n }\r\n .UpE4hJfsUm5TuZtTZ
Source: Reader_Install_Setup.exe String found in binary or memory: J9YeJ2Xzm4rGI0o","align-items-xl-center":"TnX6CLfh8vo_Q_DeYU2g","align-items-xl-baseline":"VtD1JQ5GGSN55msvqOuH","align-items-xl-stretch":"r3SPzoMrEJe9HyIuwWCJ","align-content-xl-start":"kaIxRiZtzxK_YyZMBHo_","align-content-xl-end":"l1QG33TebFm8kJRTmnh7","alig
Source: Reader_Install_Setup.exe String found in binary or memory: Congratulations": { "message": "Gratulerer!" }, "ActionList_Verify": { "message": "Verifiserer installasjon ..." }, "ActionList_ErrorUpdateMessage": { "message": "Kommandolinjeargumentet -installasjonsprogram kreves, men er ikke oppg
Source: Reader_Install_Setup.exe String found in binary or memory: -content-xl-center":"MV4EN51PwhHoa9MTCThc","align-content-xl-between":"ch_UlL0T5dkZlpBCGf6z","align-content-xl-around":"qeeJg8mLhC36_AtZhgPi","align-content-xl-stretch":"VnQjhwHZwYkSNDH0IDLS","align-self-xl-auto":"f6I_MfERc6Cd5U2cvKdb","align-self-xl-start":"P
Source: Reader_Install_Setup.exe String found in binary or memory: Adobe Acrobat" }, "Congratulations": { "message": "Onnittelut" }, "ActionList_Verify": { "message": "Tarkistetaan asennusta..." }, "ActionList_ErrorUpdateMessage": { "message": "Komentoriviargumentti -installer vaaditaan, mutt
Source: Reader_Install_Setup.exe String found in binary or memory: -ms-flex-pack: start !important;\r\n justify-content: flex-start !important;\r\n }\r\n .eLk5KmeziN3FG_ZvWUbk {\r\n -ms-flex-pack: end !important;\r\n justify-content: flex-end !important;\r\n }\r\n .wx9l9CrohZahb5XLMrGW {\r\n -ms-flex-pack:
Source: Reader_Install_Setup.exe String found in binary or memory: : "..." }, "ActionList_ErrorUpdateMessage": { "message": " -installer " }, "ActionList_AlreadyExists": { "message": "
Source: Reader_Install_Setup.exe String found in binary or memory: mportant;\r\n justify-content: space-around !important;\r\n }\r\n .THpMIn_rv9gXJ1zTlRSw {\r\n -ms-flex-align: start !important;\r\n align-items: flex-start !important;\r\n }\r\n .GDHTGrjlGD0S0f1_DiJ5 {\r\n -ms-flex-align: end !important;\r\n
Source: Reader_Install_Setup.exe String found in binary or memory: important;\r\n }\r\n .wekS_MR1HkGU6Ej1xqxk {\r\n -ms-flex-align: stretch !important;\r\n align-items: stretch !important;\r\n }\r\n .LkRjjQuLuuq2HISiPqJR {\r\n -ms-flex-line-pack: start !important;\r\n align-content: flex-start !important;\r\n
Source: Reader_Install_Setup.exe String found in binary or memory: x-pack: start;\r\n justify-content: flex-start;\r\n }\r\n .bCwZiTNFMMbBWr3jcpcC .UdZ9h4yDyt7zzl_efcFz {\r\n -ms-flex-direction: row;\r\n flex-direction: row;\r\n }\r\n .bCwZiTNFMMbBWr3jcpcC .UdZ9h4yDyt7zzl_efcFz .WNvdx4uqUWtr9A7ET3s8 {\r\n posi
Source: Reader_Install_Setup.exe String found in binary or memory: \n -ms-flex-item-align: start !important;\r\n align-self: flex-start !important;\r\n }\r\n .fZE3fFOWzrNpoqLg33AU {\r\n -ms-flex-item-align: end !important;\r\n align-self: flex-end !important;\r\n }\r\n .R1In6pl7PW91BoY3krKQ {\r\n -ms-flex-i
Source: Reader_Install_Setup.exe String found in binary or memory: ft..." }, "ActionList_ErrorUpdateMessage": { "message": "Das Befehlszeilenargument -installer muss angegeben werden." }, "ActionList_AlreadyExists": { "message": "Die Anwendung ist bereits installiert." }, "ActionList_Comp
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Acrobat_DC_x64_VIP_v10.12.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe "C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe "rundll32.exe" "C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll",DllRegisterServer
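The two "Process created" entries under msiexec.exe above are the whole loader chain: the Windows Installer service unpacks both the decoy Reader_Install_Setup.exe and qpgEZsswIP.dll into the same "Package Installation Dir" under %TEMP%, then starts the DLL through rundll32.exe with the DllRegisterServer export. The Python below is a detection example added for this page; it is not the sandbox vendor's code and not anything taken from the sample. It assumes Sysmon Event ID 1 style records (ParentImage, Image, CommandLine). The sample events are constructed from the command lines listed above; the parent images of the two msiexec.exe instances (explorer.exe, services.exe) are assumptions the report does not state.

```python
"""Flag the msiexec.exe -> rundll32.exe DllRegisterServer chain listed in this report.

Added example for this page, not code from the sandbox vendor or the malware.
Input is a Sysmon Event ID 1 style record (ParentImage, Image, CommandLine);
that schema, and the parent images of the two msiexec.exe events, are assumptions.
The sample events are constructed from the command lines the report lists.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories a standard user can write to; a DLL here that is handed to
# rundll32.exe by the installer service is far more suspicious than one in System32.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData|Users\\[^\\]+\\Downloads)\\",
    re.IGNORECASE,
)

# rundll32 syntax is  rundll32.exe <dll>,<export>  with the DLL path optionally quoted.
RUNDLL32_TARGET = re.compile(r'(?:"([^"]+?\.dll)"|(\S+?\.dll))\s*,\s*([A-Za-z_]\w*)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_target(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) parsed from a rundll32 command line, or None."""
    m = RUNDLL32_TARGET.search(command_line)
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))


def loader_chain_findings(ev: ProcEvent) -> List[str]:
    """Reasons this process-creation event matches the report's installer-loader chain.

    Only children of msiexec.exe are considered: the Windows Installer service
    extracting files to %TEMP% is normal, but it should not be handing a freshly
    dropped DLL to rundll32.exe, and DllRegisterServer is the export a loader
    exposes so that either rundll32 or regsvr32 can start it.
    """
    findings: List[str] = []
    if basename(ev.parent_image) != "msiexec.exe":
        return findings
    child = basename(ev.image)
    if child == "rundll32.exe":
        target = rundll32_target(ev.command_line)
        if target is None:
            findings.append("rundll32.exe started by msiexec.exe without a parseable <dll>,<export>")
            return findings
        dll, export = target
        if USER_WRITABLE.search(dll):
            findings.append(f"rundll32.exe loads a DLL from a user-writable path: {dll}")
        if export.lower() == "dllregisterserver":
            findings.append("rundll32.exe calls DllRegisterServer (regsvr32-style entry point)")
    elif USER_WRITABLE.search(ev.image):
        # Legitimate MSI bootstrappers do this too, so report it as context only.
        findings.append(f"msiexec.exe spawned an executable from a user-writable path: {ev.image}")
    return findings


# Constructed sample telemetry modelled on the "Process created" lines in the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",  # assumed parent, not stated in the report
              r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Acrobat_DC_x64_VIP_v10.12.msi"'),
    ProcEvent(r"C:\Windows\System32\services.exe",  # assumed parent of the service instance
              r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe",
              r'"C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe"'),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'"rundll32.exe" "C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll",DllRegisterServer'),
    # Benign control: the Control Panel applet launcher, not a child of msiexec.exe.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


def triage(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """Return (command_line, findings) for every event that produced at least one finding."""
    out = []
    for ev in events:
        findings = loader_chain_findings(ev)
        if findings:
            out.append((ev.command_line, findings))
    return out


if __name__ == "__main__":
    for cmdline, findings in triage(SAMPLE_EVENTS):
        print(cmdline)
        for f in findings:
            print("   ", f)
```

Run as a script it prints the two flagged events: the decoy installer launch (context only, since legitimate bootstrappers extract to %TEMP% as well) and the rundll32.exe launch, which carries both the user-writable DLL path and the DllRegisterServer export and is the finding to alert on. In production the same function would be fed process-creation events from the EDR or the Sysmon channel instead of the constructed list.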
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: oleaccrc.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: pgpmapih.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: msiso.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: mshtml.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: jscript9.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: msimtf.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: d2d1.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD475EBC-D960-4AF4-BB8A-BE91FA942756}
Source: Acrobat_DC_x64_VIP_v10.12.msi Static file information: File size 2834432 > 1048576
Source: Binary string: C:\adm\jenkins\workspace\New_RDC_Sol_Plutus_Win_Build_git\2.0\dev\target\win\Release\Adobe Download Manager.pdb source: Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00F6F080 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 2_2_00F6F080
Source: Reader_Install_Setup.exe.1.dr Static PE information: real checksum: 0x16e9b1 should be: 0x165850
Source: qpgEZsswIP.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x25b1c4
Source: qpgEZsswIP.dll.1.dr Static PE information: section name: .rotext
Source: qpgEZsswIP.dll.1.dr Static PE information: section name: .rodata
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00D05D5C push ecx; ret 2_2_00D05D6F
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00D9A90C push es; iretd 2_2_00D9A9CC
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_075751EF pushad ; iretd 2_2_075751F2
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_094A63AB push cs; retf 2_2_094A63AF
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_094A83B0 push esi; ret 2_2_094A83B2
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_094A2EA5 push esp; iretd 2_2_094A2EAB
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe Code function: qemu qemu vmware vbox 3_2_0000022E65FF41F0
Source: C:\Windows\System32\rundll32.exe Code function: vbox_req_val vbox_req_key vbox_files vbox_dirs vbox_check_mac vbox_devices vbox_window_class vbox_network_class vbox_process vbox_mac_wmi vbox_eventlog_wmi vbox_firmware_smbios vbox_firmware_acpi vbox_bus_wmi vbox_baseborad_wmi vbox_pnpentity_pcideviceid_wmi vbox_pnpentity_controllers_wmi vbox_pnpentity_vboxname_wmi vmware_reg_key_value vmware_reg_keys vmware_files vmware_dir vmware_mac vmware_adapter_name vmware_devices vmware_processes vmware_firmware_smbios vmware_firmware_ACPI qemu_reg_key_value qemu_reg_key_value qemu_processes qemu_processes qemu_dir qemu_dir qemu_firmware_acpi qemu_firmware_acpi qemu_firmware_smbios qemu_firmware_smbios 3_2_0000022E65FE7198
Source: C:\Windows\System32\rundll32.exe Code function: vboxvideo VBoxVideoW8 VBoxWddm 3_2_0000022E65FF2160
Source: C:\Windows\System32\rundll32.exe Code function: System32\drivers\VBoxMouse.sys System32\drivers\VBoxGuest.sys System32\drivers\VBoxSF.sys System32\drivers\VBoxVideo.sys System32\vboxdisp.dll System32\vboxhook.dll System32\vboxmrxnp.dll System32\vboxogl.dll System32\vboxoglarrayspu.dll System32\vboxoglcrutil.dll System32\vboxoglerrorspu.dll System32\vboxoglfeedbackspu.dll System32\vboxoglpackspu.dll System32\vboxoglpassthroughspu.dll System32\vboxservice.exe System32\vboxservice.exe System32\vboxtray.exe System32\VBoxControl.exe 3_2_0000022E65FF1D10
Source: C:\Windows\System32\rundll32.exe Code function: VBOX VBOX VEN_VBOX 3_2_0000022E65FF2F00
Source: C:\Windows\System32\rundll32.exe Code function: VBoxWddm VBoxSF VBoxMouse VBoxGuest 3_2_0000022E65FF4650
Source: C:\Windows\System32\rundll32.exe Code function: vbox VBOX 3_2_0000022E65FF2470
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: rundll32.exe Binary or memory string: QEMU-GA.EXE
Source: rundll32.exe Binary or memory string: VMUSRVC.EXE
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: 00:0C:29PV00:1C:14CHECKING MAC STARTING WITH %S00:50:56\\.\HGFSVMWAREVMTOOLSD.EXE\\.\VMCIVMWAREUSER.EXEVMWARETRAY.EXEVMACTHLP.EXEVGAUTHSERVICE.EXEVMWARECHECKING VWWARE PROCESS %S VMWAREVMSRVC.EXECHECKING VIRTUAL PC PROCESSES %S VMUSRVC.EXESOFTWARE\MICROSOFT\VIRTUAL MACHINE\GUEST\PARAMETERSQEMUVDAGENT.EXEQEMU-GA.EXECHECKING QEMU PROCESSES %S VDSERVICE.EXESPICE GUEST TOOLSQEMU-GAQEMUCHECKING QEMU DIRECTORY %S BOCHSQEMUBXPCSOFTWARE\WINEWINE_GET_UNIX_FILE_NAMESYSTEM\CONTROLSET001\SERVICES\VIOSTORSYSTEM\CONTROLSET001\SERVICES\VIOSCSISYSTEM\CONTROLSET001\SERVICES\VIRTIOSERIALSYSTEM\CONTROLSET001\SERVICES\VIRTIO-FS SERVICESYSTEM\CONTROLSET001\SERVICES\BALLOONSERVICESYSTEM\CONTROLSET001\SERVICES\BALLOONSYSTEM32\DRIVERS\BALLOON.SYSSYSTEM\CONTROLSET001\SERVICES\NETKVMSYSTEM32\DRIVERS\PVPANIC.SYSSYSTEM32\DRIVERS\NETKVM.SYSSYSTEM32\DRIVERS\VIOGPUDO.SYSSYSTEM32\DRIVERS\VIOFS.SYSSYSTEM32\DRIVERS\VIORNG.SYSSYSTEM32\DRIVERS\VIOINPUT.SYSSYSTEM32\DRIVERS\VIOSER.SYSSYSTEM32\DRIVERS\VIOSCSI.SYSVIRTIO-WIN\SYSTEM32\DRIVERS\VIOSTOR.SYSBOT.EXESAMPLE.EXEMALWARE.EXESANDBOX.EXEKLAVME.EXETEST.EXETESTAPP.EXEMYAPP.EXECHECKING IF PROCESS FILE NAME LOOKS LIKE A HASH: %S CHECKING IF PROCESS FILE NAME CONTAINS: %S SANDBOXCURRENTUSERHAPUBWSEMILYIT-ADMINHONG LEEMILLERJOHNSONPETER WILSONMILOZSSAND BOXTIMMYMALTESTMALWAREVIRUSTEST USERCHECKING IF USERNAME MATCHES : %S JOHN DOESIZESELECT * FROM WIN32_LOGICALDISKVBOXQEMUVMWAREVIRTUALSELECT * FROM WIN32_COMPUTERSYSTEMHVM DOMUMODELSELECT * FROM WIN32_FANXENVIRTIOVMWSYSTEM\CURRENTCONTROLSET\ENUM\IDEPROCEXP64.EXESYSTEM\CURRENTCONTROLSET\ENUM\SCSIDESKTOPPRL_TOOLS.EXEPRL_CC.EXE
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 4090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 3620000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 4010000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 4390000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 7470000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 7510000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 7530000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8E50000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8EB0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8F50000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8FB0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 9010000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 9070000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 90D0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 90F0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 9190000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 91D0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 9220000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 9240000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 9260000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 9340000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 93C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 9400000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 7450000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 88F0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8910000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8BD0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8BF0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 94A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 9520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 9A30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8C30000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8C50000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8ED0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8F90000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 7590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8C70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 94C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8C90000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8C70000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: 8CB0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: F80000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: FA0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW, 3_2_0000022E65FF4850
Source: C:\Windows\System32\rundll32.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree, 3_2_0000022E65FF4CD0
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll
Source: C:\Windows\System32\rundll32.exe TID: 7616 Thread sleep count: 61 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7616 Thread sleep time: -122000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7616 Thread sleep count: 85 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7616 Thread sleep time: -255000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7616 Thread sleep count: 73 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7616 Thread sleep time: -146000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7616 Thread sleep count: 76 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7616 Thread sleep time: -228000s >= -30000s
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00D068EA VirtualQuery,GetSystemInfo, 2_2_00D068EA
Source: rundll32.exe Binary or memory string: VBoxGuest
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: VMware
Source: rundll32.exe Binary or memory string: VBoxMouse
Source: rundll32.exe Binary or memory string: Checking qemu processes %s
Source: rundll32.exe Binary or memory string: vmmemctl
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: 00:0c:29PV00:1C:14Checking MAC starting with %s00:50:56\\.\HGFSVMWarevmtoolsd.exe\\.\vmcivmwareuser.exevmwaretray.exevmacthlp.exeVGAuthService.exeVMwareChecking VWware process %s VMWAREVMSrvc.exeChecking Virtual PC processes %s VMUSrvc.exeSOFTWARE\Microsoft\Virtual Machine\Guest\ParametersQEMUvdagent.exeqemu-ga.exeChecking qemu processes %s vdservice.exeSPICE Guest Toolsqemu-gaqemuChecking QEMU directory %s BOCHSQEMUBXPCSOFTWARE\Winewine_get_unix_file_nameSYSTEM\ControlSet001\Services\viostorSYSTEM\ControlSet001\Services\vioscsiSYSTEM\ControlSet001\Services\VirtioSerialSYSTEM\ControlSet001\Services\VirtIO-FS ServiceSYSTEM\ControlSet001\Services\BalloonServiceSYSTEM\ControlSet001\Services\BALLOONSystem32\drivers\balloon.sysSYSTEM\ControlSet001\Services\netkvmSystem32\drivers\pvpanic.sysSystem32\drivers\netkvm.sysSystem32\drivers\viogpudo.sysSystem32\drivers\viofs.sysSystem32\drivers\viorng.sysSystem32\drivers\vioinput.sysSystem32\drivers\vioser.sysSystem32\drivers\vioscsi.sysVirtio-Win\System32\drivers\viostor.sysbot.exesample.exemalware.exesandbox.exeklavme.exetest.exetestapp.exemyapp.exeChecking if process file name looks like a hash: %s Checking if process file name contains: %s SandboxCurrentUserHAPUBWSEmilyIT-ADMINHong LeeMillerJohnsonPeter Wilsonmilozssand boxtimmymaltestmalwarevirustest userChecking if username matches : %s John DoeSizeSELECT * FROM Win32_LogicalDiskvboxqemuvmwareVirtualSELECT * FROM Win32_ComputerSystemHVM domUModelSELECT * FROM Win32_FanxenvirtioVMWSystem\CurrentControlSet\Enum\IDEprocexp64.exeSystem\CurrentControlSet\Enum\SCSIDesktopprl_tools.exeprl_cc.exe
Source: rundll32.exe Binary or memory string: System32\drivers\vmnetuserif.sys
Source: rundll32.exe, 00000003.00000002.4170488563.0000022E64164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rodu8971434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.Noney
Source: rundll32.exe Binary or memory string: qemu-ga.exe
Source: rundll32.exe Binary or memory string: \\.\VBoxMiniRdrDN
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.0000000001505000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe Binary or memory string: VBoxTrayToolWnd
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: VMWARE
Source: rundll32.exe Binary or memory string: \\.\VBoxTrayIPC
Source: rundll32.exe Binary or memory string: VBoxTrayToolWndClass
Source: rundll32.exe Binary or memory string: System32\drivers\VBoxMouse.sys
Source: rundll32.exe Binary or memory string: vmmouse
Source: rundll32.exe Binary or memory string: VMUSrvc.exe
Source: rundll32.exe Binary or memory string: \\.\HGFS
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: vmware_reg_keys
Source: rundll32.exe Binary or memory string: vmwareuser.exe
Source: rundll32.exe Binary or memory string: qemu-ga
Source: rundll32.exe Binary or memory string: System32\drivers\VBoxGuest.sys
Source: rundll32.exe Binary or memory string: vmware
Source: rundll32.exe Binary or memory string: System32\drivers\vmmouse.sys
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: vmware_dir
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: vmware_devices
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: vmware_processes
Source: rundll32.exe Binary or memory string: System32\vboxservice.exe
Source: rundll32.exe Binary or memory string: \\.\VBoxGuest
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: qemu_reg_key_value
Source: rundll32.exe Binary or memory string: vboxservice.exe
Source: rundll32.exe Binary or memory string: System32\vboxtray.exe
Source: rundll32.exe Binary or memory string: \\.\vmci
Source: rundll32.exe Binary or memory string: HARDWARE\ACPI\FADT\VBOX__
Source: rundll32.exe Binary or memory string: VMWare\
Source: rundll32.exe Binary or memory string: System32\drivers\vmhgfs.sys
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: vmware_reg_key_value
Source: rundll32.exe Binary or memory string: VBoxSF
Source: rundll32.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: rundll32.exe Binary or memory string: vboxtray.exe
Source: rundll32.exe Binary or memory string: vmwaretray.exe
Source: rundll32.exe Binary or memory string: System32\drivers\vmx86.sys
Source: rundll32.exe, 00000003.00000002.4170488563.0000022E64132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: rundll32.exe Binary or memory string: System32\drivers\vmnet.sys
Source: rundll32.exe, 00000003.00000002.4170488563.0000022E64132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System ProductG59S8971434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.Noney*
Source: rundll32.exe Binary or memory string: vmtoolsd.exe
Source: rundll32.exe Binary or memory string: vmhgfs
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.0000000001505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWs1?
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: vmware_adapter_name
Source: rundll32.exe Binary or memory string: HARDWARE\ACPI\RSDT\VBOX__
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: '\\.\pipe\VBoxMiniRdDN\\.\VBoxGuest\\.\pipe\VBoxTrayIPC\\.\VBoxTrayIPCVBoxTrayToolWndClassChecking device %s VirtualBox Shared FoldersVBoxTrayToolWndvboxtray.exevboxservice.exeSELECT * FROM Win32_NetworkAdapterConfigurationChecking VirtualBox process %s 08:00:27MACAddressVBoxVideoW8vboxvideoSELECT * FROM Win32_NTEventlogFileVBoxWddmSystemFileNameVirtualBoxSourcesVBOXvboxDeviceIdSELECT * FROM Win32_PnPEntityNamePCI\VEN_80EE&DEV_CAFE82441FX82801FBOpenHCD82371SBACPIBus_BUS_0SELECT * FROM Win32_BusPNP_BUS_0PCI_BUS_0ProductSELECT * FROM Win32_BaseBoardManufacturerVirtualBoxSELECT * FROM Win32_PnPDeviceOracle CorporationPNPDeviceIDCaptionVEN_VBOXVMWAREHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0SystemManufacturerSYSTEM\ControlSet001\Control\SystemInformationChecking reg key %sSystemProductNameSystem32\drivers\vmnet.sysSOFTWARE\VMware, Inc.\VMware ToolsSystem32\drivers\vmusb.sysSystem32\drivers\vmmouse.sysSystem32\drivers\vmci.sysSystem32\drivers\vm3dmp.sysSystem32\drivers\vmmemctl.sysSystem32\drivers\vmhgfs.sysSystem32\drivers\vmrawdsk.sysSystem32\drivers\vmx86.sysSystem32\drivers\vmkdb.sysSystem32\drivers\vmusbmouse.sysSystem32\drivers\vmnetadapter.sysSystem32\drivers\vmnetuserif.sys
Source: rundll32.exe Binary or memory string: \\.\pipe\VBoxTrayIPC
Source: rundll32.exe Binary or memory string: System32\vboxhook.dll
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: qemu_processes
Source: rundll32.exe Binary or memory string: System32\drivers\vmnetadapter.sys
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: qemu_dir
Source: rundll32.exe Binary or memory string: System32\vboxmrxnp.dll
Source: rundll32.exe, 00000003.00000002.4170488563.0000022E64127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: BChecking Parallels processes: %sVBoxMouseVBoxSFvmciVBoxGuestvmmousevmhgfsvmusbvmmemctlvmx_svgavmusbmousevmx86vmxnetFailed to get services list.
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: vmware_firmware_smbios
Source: rundll32.exe Binary or memory string: System32\drivers\vmci.sys
Source: rundll32.exe Binary or memory string: VMSrvc.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: rundll32.exe Binary or memory string: vmx86
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: vmware_mac
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: qemu_firmware_acpi
Source: rundll32.exe Binary or memory string: SYSTEM\ControlSet001\Services\VBoxGuest
Source: rundll32.exe Binary or memory string: SYSTEM\ControlSet001\Services\VBoxService
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: iVMWare\
Source: rundll32.exe Binary or memory string: SYSTEM\ControlSet001\Services\VBoxMouse
Source: rundll32.exe Binary or memory string: VMWare
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: vmware_files
Source: rundll32.exe Binary or memory string: Checking QEMU directory %s
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: vmware_firmware_ACPI
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: ntdll.dllkernel32.dllLdrLoadDllLdrGetProcedureAddressZwProtectVirtualMemoryRtlAnsiStringToUnicodeStringRtlFreeUnicodeStringNtQueueApcThreadIsWow64ProcessLoadLibraryAZwQueryInformationProcessRtlNtStatusToDosErrorNtResumeProcessZwAllocateVirtualMemoryZwWriteVirtualMemoryZwReadVirtualMemoryZwGetContextThreadZwSetContextThreadNtMapViewOfSectionNtCreateSectionNtUnmapViewOfSectionZwCloseROOT\CIMV2CoSetProxyBlanketole32.dllWin32_ProcessCreateCommandLineWin32_ProcessStartupShowWindowCreateFlagsReturnValueProcessStartupInformationProcessIdSELECT * FROM Win32_ComputerSystemProductUUIDDomainSELECT * FROM Win32_ComputerSystem NameSELECT * FROM Win32_ComputerSystemCaptionSELECT * FROM Win32_OperatingSystem WQLIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\Description\SystemVBOXVideoBiosVersionSystemBiosVersionSystemBiosDateVIRTUALBOXChecking reg key HARDWARE\Description\System - %s is set to %s06/23/99HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__SOFTWARE\Oracle\VirtualBox Guest AdditionsHARDWARE\ACPI\RSDT\VBOX__SYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxGuestSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxServiceChecking reg key %s SYSTEM\ControlSet001\Services\VBoxVideoSystem32\drivers\VBoxGuest.sysSystem32\drivers\VBoxMouse.sysSystem32\drivers\VBoxVideo.sysSystem32\drivers\VBoxSF.sysSystem32\vboxhook.dllSystem32\vboxdisp.dllSystem32\vboxogl.dllSystem32\vboxmrxnp.dllSystem32\vboxoglcrutil.dllSystem32\vboxoglarrayspu.dllSystem32\vboxoglfeedbackspu.dllSystem32\vboxoglerrorspu.dllSystem32\vboxoglpassthroughspu.dllSystem32\vboxoglpackspu.dllSystem32\vboxtray.exeSystem32\vboxservice.exeChecking file %s System32\VBoxControl.exe%ProgramW6432%oracle\virtualbox guest additions\\\.\VBoxMiniRdrDN
Source: rundll32.exe Binary or memory string: System32\drivers\VBoxSF.sys
Source: rundll32.exe Binary or memory string: System32\drivers\vmmemctl.sys
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: qemu_firmware_smbios
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: client_idgroup_namesys_versionclient_versionsession_idiphashtask_statetask_idtask_resulttasksFORTHEEMPERORclient_pingclient_ipgeneralclient_typesessuuidusercheck_xenpsexp_runningwine_exportswine_reqvbox_req_valvbox_req_keyvbox_filesvbox_dirsvbox_check_macvbox_devicesvbox_window_classvbox_network_classvbox_processvbox_mac_wmivbox_eventlog_wmivbox_firmware_smbiosvbox_firmware_acpivbox_bus_wmivbox_baseborad_wmivbox_pnpentity_pcideviceid_wmivbox_pnpentity_controllers_wmivbox_pnpentity_vboxname_wmivmware_reg_key_valuevmware_reg_keysvmware_filesvmware_dirvmware_macvmware_adapter_namevmware_devicesvmware_processesvmware_firmware_smbiosvmware_firmware_ACPIvirtual_pc_processvirtual_pc_reg_keysvm_driver_servicescpu_fan_wmiqemu_reg_key_valueqemu_processesqemu_dirqemu_firmware_acpiqemu_firmware_smbioskvm_reg_keyskvm_fileskvm_dirparallels_processparallels_check_macmod_compdsksknown_umemsmsmvisfromdescknown_filesnum_of_procsreq_disk_enumproc_listbinary_db
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00D0D111 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00D0D111
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00F6F080 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 2_2_00F6F080
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00D299BF mov eax, dword ptr fs:[00000030h] 2_2_00D299BF
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00D1C54C mov ecx, dword ptr fs:[00000030h] 2_2_00D1C54C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FEDCF0 GetProcessHeap,HeapAlloc, 3_2_0000022E65FEDCF0
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe "C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe"
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00D05895 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00D05895
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: 2_2_00D0D111 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00D0D111
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E66115D8C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000022E66115D8C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E66143530 SetUnhandledExceptionFilter, 3_2_0000022E66143530
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 45.155.37.158 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 45.83.20.213 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 46.249.38.179 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 149.154.153.2 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 188.166.15.250 443
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FF4DE0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,StrCmpIW,Process32NextW,CloseHandle, 3_2_0000022E65FF4DE0
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: EnumSystemLocalesW, 2_2_00D27CD3
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: GetLocaleInfoW, 2_2_00D2EC98
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00D2E816
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_00D2E403
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: GetLocaleInfoW, 2_2_00D2E5FE
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00D2ED67
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: EnumSystemLocalesW, 2_2_00D2E6F0
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: GetLocaleInfoW, 2_2_00D28290
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: EnumSystemLocalesW, 2_2_00D2E6A5
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: GetLocaleInfoW, 2_2_00D2EA69
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00D2EB92
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Code function: EnumSystemLocalesW, 2_2_00D2E78B
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW, 3_2_0000022E6612D0C8
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_0000022E66131F78
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_0000022E66131D90
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 3_2_0000022E6612CABC
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 3_2_0000022E66131898
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 3_2_0000022E66131968
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW, 3_2_0000022E661434F0
Source: C:\Windows\System32\rundll32.exe Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW, 3_2_0000022E6613158C
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FDB25C CreateNamedPipeA,_CxxThrowException,CreateFileA,_CxxThrowException,std::_Deallocate, 3_2_0000022E65FDB25C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E660F42D8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_0000022E660F42D8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FF3C10 GetUserNameW, 3_2_0000022E65FF3C10
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FEAA68 RpcServerUseProtseqEpA,RpcServerRegisterIfEx,RpcServerListen,std::_Deallocate, 3_2_0000022E65FEAA68
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FEA9F4 RpcBindingFree, 3_2_0000022E65FEA9F4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FEA97C RpcBindingFree, 3_2_0000022E65FEA97C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FEA908 RpcBindingFree, 3_2_0000022E65FEA908
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FEA894 RpcBindingFree, 3_2_0000022E65FEA894
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000022E65FEAB40 RpcMgmtStopServerListening,RpcServerUnregisterIf, 3_2_0000022E65FEAB40