Windows Analysis Report
nDHL_AWB_6078538091_scr.exe

Overview

General Information

Sample name: nDHL_AWB_6078538091_scr.exe
Analysis ID: 1518416
MD5: cb44c4a51aae324c4e6b46a35a0a74d5
SHA1: e5d778b7fbb2fb0c03bf9e4bbdf92f342c76b899
SHA256: 66472d444cb6711510279a537213dac4de18ef68b30c50bb92789ceeb2d7bd1c
Tags: DHLexeFormbooknDHL_AWB_6078538091_scruser-abuse_ch
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: InstallUtil.exe.4316.7.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: nDHL_AWB_6078538091_scr.exe ReversingLabs: Detection: 44%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: nDHL_AWB_6078538091_scr.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: nDHL_AWB_6078538091_scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: nDHL_AWB_6078538091_scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004FC3000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1497780094.0000000006260000.00000004.08000000.00040000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004FC3000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1497780094.0000000006260000.00000004.08000000.00040000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0603D7C8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_0606FE02
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_0606FE08
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then jmp 060646C4h 0_2_060644B0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then jmp 060646C4h 0_2_060644C0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then jmp 0606B658h 0_2_0606B598
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then jmp 0606B658h 0_2_0606B5A0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then jmp 06084803h 0_2_06084758
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then jmp 060811E1h 0_2_06080E98
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then jmp 060811E1h 0_2_06080EA8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then jmp 060811E1h 0_2_06080F90
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 4x nop then jmp 06084803h 0_2_06084758
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_05DBD7C8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 05DEB658h 3_2_05DEB598
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 05DEB658h 3_2_05DEB5A0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 05DE46C4h 3_2_05DE44C0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 05DE46C4h 3_2_05DE44B0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05DEFE08
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05DEFE03
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 05E04803h 3_2_05E04758
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 05E011E1h 3_2_05E00F90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 05E011E1h 3_2_05E00EA8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 05E011E1h 3_2_05E00E98
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 05E04803h 3_2_05E04758
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 6_2_0623D7C8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 6_2_0626FE02
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 6_2_0626FE08
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 062646C4h 6_2_062644B0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 062646C4h 6_2_062644C0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 0626B658h 6_2_0626B5A0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 0626B658h 6_2_0626B598
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 06284803h 6_2_06284758
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 062811E1h 6_2_06280EA8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 062811E1h 6_2_06280E98
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 062811E1h 6_2_06280F90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 4x nop then jmp 06284803h 6_2_06284758
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.9:49706 -> 163.44.198.71:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View ASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.9:49706 -> 163.44.198.71:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: nffplp.com
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodo
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1567070498.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2696912738.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1660340383.0000000000770000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertifi
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: InstallUtil.exe, 00000002.00000002.1570629164.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nffplp.com
Source: InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.com
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1567070498.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2696912738.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.com~v(
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1602077026.0000000004DD4000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1692713652.0000000005164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0606CED8 NtProtectVirtualMemory, 0_2_0606CED8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0606E410 NtResumeThread, 0_2_0606E410
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0606CED0 NtProtectVirtualMemory, 0_2_0606CED0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0606E409 NtResumeThread, 0_2_0606E409
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DEE410 NtResumeThread, 3_2_05DEE410
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DECED8 NtProtectVirtualMemory, 3_2_05DECED8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DEE409 NtResumeThread, 3_2_05DEE409
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DECED0 NtProtectVirtualMemory, 3_2_05DECED0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0626CED8 NtProtectVirtualMemory, 6_2_0626CED8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0626E410 NtResumeThread, 6_2_0626E410
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0626CED0 NtProtectVirtualMemory, 6_2_0626CED0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0626E409 NtResumeThread, 6_2_0626E409
Detected potential crypto function
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_02F65790 0_2_02F65790
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_02F698B8 0_2_02F698B8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_02F661CC 0_2_02F661CC
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_02F6ED40 0_2_02F6ED40
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_02F65780 0_2_02F65780
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05EE0048 0_2_05EE0048
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05EE0002 0_2_05EE0002
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05F866F0 0_2_05F866F0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05F859E0 0_2_05F859E0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05F859D1 0_2_05F859D1
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05F86C68 0_2_05F86C68
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05F80040 0_2_05F80040
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05F80006 0_2_05F80006
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05F866E1 0_2_05F866E1
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05F85268 0_2_05F85268
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05F85258 0_2_05F85258
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0603001E 0_2_0603001E
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06030040 0_2_06030040
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0603ECD0 0_2_0603ECD0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_060319A7 0_2_060319A7
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06053E88 0_2_06053E88
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_060507CF 0_2_060507CF
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06050B07 0_2_06050B07
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_060519E8 0_2_060519E8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06069C90 0_2_06069C90
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06066128 0_2_06066128
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06067729 0_2_06067729
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06067738 0_2_06067738
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0606C010 0_2_0606C010
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06060878 0_2_06060878
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06069C80 0_2_06069C80
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06066118 0_2_06066118
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06088E00 0_2_06088E00
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06080218 0_2_06080218
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06086B90 0_2_06086B90
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06089900 0_2_06089900
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06087E27 0_2_06087E27
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06080E98 0_2_06080E98
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06080EA8 0_2_06080EA8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06080F90 0_2_06080F90
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0608D591 0_2_0608D591
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0608D5D0 0_2_0608D5D0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0608D5E0 0_2_0608D5E0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06088DF3 0_2_06088DF3
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06086B81 0_2_06086B81
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0608DBA0 0_2_0608DBA0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0608DBB0 0_2_0608DBB0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_060898F3 0_2_060898F3
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06390007 0_2_06390007
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06390040 0_2_06390040
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_063AD130 0_2_063AD130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0110A310 2_2_0110A310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0110E318 2_2_0110E318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_011063B0 2_2_011063B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_011096F8 2_2_011096F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0110A810 2_2_0110A810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0110AB38 2_2_0110AB38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01105BC0 2_2_01105BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01106F30 2_2_01106F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_011063A0 2_2_011063A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0110E610 2_2_0110E610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0110E62C 2_2_0110E62C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0110E69A 2_2_0110E69A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0110A809 2_2_0110A809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01105B1F 2_2_01105B1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01105B35 2_2_01105B35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0110AB2C 2_2_0110AB2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01109A40 2_2_01109A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01102A9C 2_2_01102A9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01102AA8 2_2_01102AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01106F27 2_2_01106F27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0110AEF8 2_2_0110AEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0633FB68 2_2_0633FB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06335C62 2_2_06335C62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_063330BE 2_2_063330BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_063726B8 2_2_063726B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_063756C8 2_2_063756C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637ACF0 2_2_0637ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_063795C8 2_2_063795C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637EA00 2_2_0637EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637D2D8 2_2_0637D2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06370040 2_2_06370040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06377880 2_2_06377880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637D920 2_2_0637D920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_063726AB 2_2_063726AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637CE98 2_2_0637CE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637BF60 2_2_0637BF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637A4A8 2_2_0637A4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637ACE0 2_2_0637ACE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_063784D3 2_2_063784D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_063784D8 2_2_063784D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06379D38 2_2_06379D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637F510 2_2_0637F510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06379D48 2_2_06379D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06378D90 2_2_06378D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637CA58 2_2_0637CA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637B284 2_2_0637B284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_063772E0 2_2_063772E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06377305 2_2_06377305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637BBB0 2_2_0637BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06370006 2_2_06370006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06377870 2_2_06377870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637D911 2_2_0637D911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0637E9F2 2_2_0637E9F2
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_015198B8 3_2_015198B8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_01516218 3_2_01516218
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_0151ED40 3_2_0151ED40
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_01515790 3_2_01515790
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_01515780 3_2_01515780
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05D066F0 3_2_05D066F0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05D059D1 3_2_05D059D1
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05D059E0 3_2_05D059E0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05D00040 3_2_05D00040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05D06C68 3_2_05D06C68
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05D00007 3_2_05D00007
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05D066E1 3_2_05D066E1
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05D05258 3_2_05D05258
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05D05268 3_2_05D05268
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DB19A7 3_2_05DB19A7
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DBECD0 3_2_05DBECD0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DB0040 3_2_05DB0040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DB0007 3_2_05DB0007
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DD07CF 3_2_05DD07CF
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DD19E8 3_2_05DD19E8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DD0B07 3_2_05DD0B07
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DE6128 3_2_05DE6128
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DE9C90 3_2_05DE9C90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DE6118 3_2_05DE6118
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DE4938 3_2_05DE4938
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DE9C80 3_2_05DE9C80
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DE0878 3_2_05DE0878
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DEC010 3_2_05DEC010
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DE7738 3_2_05DE7738
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DE7729 3_2_05DE7729
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E07F70 3_2_05E07F70
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E08A70 3_2_05E08A70
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E00218 3_2_05E00218
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E0CD88 3_2_05E0CD88
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E0CD78 3_2_05E0CD78
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E0C7A8 3_2_05E0C7A8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E00F90 3_2_05E00F90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E0C799 3_2_05E0C799
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E07F60 3_2_05E07F60
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E00EA8 3_2_05E00EA8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E00E98 3_2_05E00E98
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E07679 3_2_05E07679
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E08A61 3_2_05E08A61
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_06010026 3_2_06010026
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_06010040 3_2_06010040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_0602D130 3_2_0602D130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6A1D8 4_2_00B6A1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B695C0 4_2_00B695C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B66500 4_2_00B66500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6A6D8 4_2_00B6A6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6E6C0 4_2_00B6E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6AA00 4_2_00B6AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B66DF8 4_2_00B66DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B664F1 4_2_00B664F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6550B 4_2_00B6550B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6A6C8 4_2_00B6A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6E9B8 4_2_00B6E9B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6A9F0 4_2_00B6A9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6E9D4 4_2_00B6E9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B65910 4_2_00B65910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B69908 4_2_00B69908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6EA42 4_2_00B6EA42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B62B06 4_2_00B62B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B62C00 4_2_00B62C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B66DE8 4_2_00B66DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E057C1 4_2_05E057C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1E990 4_2_05E1E990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1DD70 4_2_05E1DD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E19958 4_2_05E19958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1D8A1 4_2_05E1D8A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1B080 4_2_05E1B080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E10040 4_2_05E10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E17C10 4_2_05E17C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E103D0 4_2_05E103D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1D268 4_2_05E1D268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E15658 4_2_05E15658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1263B 4_2_05E1263B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1C9E8 4_2_05E1C9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1E981 4_2_05E1E981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E19120 4_2_05E19120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1A0C8 4_2_05E1A0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1A0D8 4_2_05E1A0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1F8A0 4_2_05E1F8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E10040 4_2_05E10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E18863 4_2_05E18863
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E18868 4_2_05E18868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1B070 4_2_05E1B070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1A838 4_2_05E1A838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E17C00 4_2_05E17C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E10007 4_2_05E10007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1001F 4_2_05E1001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E103C0 4_2_05E103C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1BF40 4_2_05E1BF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1C2F0 4_2_05E1C2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1CE28 4_2_05E1CE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E1B614 4_2_05E1B614
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_018598B8 6_2_018598B8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_01856218 6_2_01856218
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0185ED40 6_2_0185ED40
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_01855780 6_2_01855780
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_01855790 6_2_01855790
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_061866F0 6_2_061866F0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06185258 6_2_06185258
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06185268 6_2_06185268
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_061866E1 6_2_061866E1
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06180007 6_2_06180007
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06180040 6_2_06180040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06186C68 6_2_06186C68
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_061859D1 6_2_061859D1
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_061859E0 6_2_061859E0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0623001F 6_2_0623001F
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06230040 6_2_06230040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0623ECD0 6_2_0623ECD0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_062319A7 6_2_062319A7
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_062507CF 6_2_062507CF
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06250B07 6_2_06250B07
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_062519E8 6_2_062519E8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06269C90 6_2_06269C90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06266128 6_2_06266128
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06267729 6_2_06267729
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06267738 6_2_06267738
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0626C010 6_2_0626C010
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06260878 6_2_06260878
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06269C80 6_2_06269C80
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06266118 6_2_06266118
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06287F70 6_2_06287F70
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06280218 6_2_06280218
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06288A70 6_2_06288A70
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0628767A 6_2_0628767A
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06280EA8 6_2_06280EA8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06280E98 6_2_06280E98
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06287F60 6_2_06287F60
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0628C740 6_2_0628C740
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0628C750 6_2_0628C750
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06280F90 6_2_06280F90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0628CD20 6_2_0628CD20
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0628CD30 6_2_0628CD30
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06288A61 6_2_06288A61
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06490040 6_2_06490040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06490006 6_2_06490006
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_064AD130 6_2_064AD130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9A1D8 7_2_02A9A1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9E6C0 7_2_02A9E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9A6D8 7_2_02A9A6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A995C0 7_2_02A995C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A96500 7_2_02A96500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9AA00 7_2_02A9AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A92E88 7_2_02A92E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A96DF8 7_2_02A96DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A93285 7_2_02A93285
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A932C2 7_2_02A932C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A932DB 7_2_02A932DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A93202 7_2_02A93202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9326A 7_2_02A9326A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A93240 7_2_02A93240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A93256 7_2_02A93256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9533D 7_2_02A9533D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9A6C8 7_2_02A9A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A964F4 7_2_02A964F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9EA42 7_2_02A9EA42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A92BF2 7_2_02A92BF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9E9B8 7_2_02A9E9B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9A9F0 7_2_02A9A9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9E9D4 7_2_02A9E9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A99908 7_2_02A99908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A92C00 7_2_02A92C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A96DE8 7_2_02A96DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9ADC0 7_2_02A9ADC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_02A9ADD0 7_2_02A9ADD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_065457C1 7_2_065457C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06555658 7_2_06555658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655D268 7_2_0655D268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655263A 7_2_0655263A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_065503D0 7_2_065503D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06550040 7_2_06550040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06557C10 7_2_06557C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655B080 7_2_0655B080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655D8A1 7_2_0655D8A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06559958 7_2_06559958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655DD70 7_2_0655DD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06559120 7_2_06559120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655E990 7_2_0655E990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655B614 7_2_0655B614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06553220 7_2_06553220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655CE28 7_2_0655CE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655C2F0 7_2_0655C2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655BF40 7_2_0655BF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_065503C0 7_2_065503C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655B070 7_2_0655B070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06558862 7_2_06558862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06558868 7_2_06558868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06550006 7_2_06550006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06557C00 7_2_06557C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655A838 7_2_0655A838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655A0D8 7_2_0655A0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655A0C8 7_2_0655A0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06550040 7_2_06550040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655F8A0 7_2_0655F8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655C9E8 7_2_0655C9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0655E982 7_2_0655E982
Sample file is different than original file name gathered from version info
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1488219580.0000000005910000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMrhjishcuy.dll" vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.000000000720F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1458608672.00000000013DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004FC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.000000000348F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1497780094.0000000006260000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004111000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMrhjishcuy.dll" vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMrhjishcuy.dll" vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000000.1442310652.0000000000E0A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameairtel.exe. vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameairtel.exe. vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe Binary or memory string: OriginalFilenameairtel.exe. vs nDHL_AWB_6078538091_scr.exe
Uses 32bit PE files
Source: nDHL_AWB_6078538091_scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/2@2/2
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe File created: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: nDHL_AWB_6078538091_scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nDHL_AWB_6078538091_scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: nDHL_AWB_6078538091_scr.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe File read: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe "C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe"
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe "C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe"
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe "C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe"
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: nDHL_AWB_6078538091_scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: nDHL_AWB_6078538091_scr.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: nDHL_AWB_6078538091_scr.exe Static file information: File size 2324480 > 1048576
Source: nDHL_AWB_6078538091_scr.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x236e00
Source: nDHL_AWB_6078538091_scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004FC3000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1497780094.0000000006260000.00000004.08000000.00040000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004FC3000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1497780094.0000000006260000.00000004.08000000.00040000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation
barindex
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.nDHL_AWB_6078538091_scr.exe.5f90000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nDHL_AWB_6078538091_scr.exe.4db1fb0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nDHL_AWB_6078538091_scr.exe.4b86250.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1496540734.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1664175759.000000000340C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nDHL_AWB_6078538091_scr.exe PID: 2376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Tcdyttxfbca.exe PID: 4020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Tcdyttxfbca.exe PID: 1824, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05EE2EA7 push esp; retf 0_2_05EE2EA8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_05F8A227 push ebp; retf 0_2_05F8A22A
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06033265 pushad ; iretd 0_2_0603326C
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06030526 push ss; ret 0_2_06030527
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06069752 push es; ret 0_2_0606976C
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0606B099 push es; retf 0_2_0606B09C
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_06086498 push esp; iretd 0_2_06086499
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0608C8F3 push es; ret 0_2_0608C8F4
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Code function: 0_2_0639318C push E8000001h; retf 0_2_06393191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0633121B push ebp; iretd 2_2_0633121F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06331744 push eax; iretd 2_2_06331748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06330F84 push edi; iretd 2_2_06330F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_063314E9 push edx; iretd 2_2_063314EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0633294C push cs; iretd 2_2_0633294F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06372F89 push es; ret 2_2_06372FA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06376941 push es; iretd 2_2_06376950
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05642EA7 push esp; retf 3_2_05642EA8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05D0A227 push ebp; retf 3_2_05D0A22A
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DB0526 push ss; ret 3_2_05DB0527
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DB3265 pushad ; iretd 3_2_05DB326C
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05DE42D9 push ebx; ret 3_2_05DE42DA
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_05E06498 push esp; iretd 3_2_05E06499
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 3_2_0601318C push E8000001h; retf 3_2_06013191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6DE88 pushfd ; ret 4_2_00B6DE89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E0C46B push esi; ret 4_2_05E0C471
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0618CE31 push es; iretd 6_2_0618CE34
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0618A227 push ebp; retf 6_2_0618A22A
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0618CA6D push es; ret 6_2_0618CA78
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0618CAFF push es; iretd 6_2_0618CB00
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_0618CC5F push es; ret 6_2_0618CC60
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Code function: 6_2_06233265 pushad ; iretd 6_2_0623326C
Drops PE files
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe File created: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Jump to dropped file
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tcdyttxfbca Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tcdyttxfbca Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: nDHL_AWB_6078538091_scr.exe PID: 2376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Tcdyttxfbca.exe PID: 4020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Tcdyttxfbca.exe PID: 1824, type: MEMORYSTR
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory allocated: 2F20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory allocated: 3110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory allocated: 5110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory allocated: 6F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory allocated: 6100000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1100000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2C50000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4C50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: 14D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: 2FE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: 2E00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: 6B90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: 5E80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: B60000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2560000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2390000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: 1850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: 3370000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: 3230000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: 7010000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: 6300000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4C00000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06335C62 rdtsc 2_2_06335C62
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799920 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799804 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799673 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799594 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2722 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2773 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7066 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2374 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7474 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1780 Thread sleep count: 2722 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -99888s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1780 Thread sleep count: 7110 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -99781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -99668s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -99558s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -99422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -99172s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -98937s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -98812s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -98703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -98594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -98463s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -98359s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -98250s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -98140s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -98031s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -97922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -97812s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -97703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -97594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -97469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -97359s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -97250s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -97140s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -97023s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -96922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -96811s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -96703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -96592s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -96482s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -96371s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -96256s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -96128s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -95999s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -95890s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -95781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -95671s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -95562s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -95453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -95344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -95234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -95125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -95015s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -94905s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -94797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -94685s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -94578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -94469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -94359s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -94250s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -94140s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -94030s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924 Thread sleep time: -93836s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6176 Thread sleep count: 2773 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6176 Thread sleep count: 7066 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -99781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -99651s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -99546s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -99219s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -99109s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -98999s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -98891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -98766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -98641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -98515s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -98405s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -98138s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -97973s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -97844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -97734s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -97625s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -97515s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -97406s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -97297s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -97182s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -97078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -96969s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -96849s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -96734s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -96625s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -96516s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -96406s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -96297s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -96187s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -96078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -95969s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -95859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -95750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -95640s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -95530s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -95422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -95312s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -95203s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -95089s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -94947s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -94841s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -94734s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -1799920s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -1799804s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -1799673s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -1799547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -1799438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844 Thread sleep time: -1799328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5364 Thread sleep count: 2374 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -99874s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -99765s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5364 Thread sleep count: 7474 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -99546s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -99219s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -99109s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -98999s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -98891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -98781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -98672s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -98562s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -98453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -98343s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -98234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -98124s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -98009s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -97903s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -97652s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -97450s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -97344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -97234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -97125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -97016s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -96906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -96797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -96688s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -96578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -96469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -96344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -96234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -96125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -96016s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -95906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -95796s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -95687s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -95578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -95469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -95344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -95234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -95062s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -94950s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -94826s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -94717s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -94609s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -94500s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -1799922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -1799812s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -1799703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608 Thread sleep time: -1799594s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99888 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99668 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99558 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98463 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97023 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96811 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96592 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96482 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96371 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96256 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96128 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95999 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94905 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94685 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94030 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 93836 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99651 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98999 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98405 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98138 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97973 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97182 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96849 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95530 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95089 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94947 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94841 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799920 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799804 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799673 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99874 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98999 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98124 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98009 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97903 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97652 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97450 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95796 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94950 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94826 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94717 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799594 Jump to behavior
Source: InstallUtil.exe, 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VIRTUAL#vmware%VirtualBox&root\CIMV2'SELECT * FROM Win32_VideoController(Name)VMware
Source: InstallUtil.exe, 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: InstallUtil.exe, 00000004.00000002.1682859235.00000000058EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00B6C7B4 CheckRemoteDebuggerPresent, 4_2_00B6C7B4
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06335C62 rdtsc 2_2_06335C62
Enables debug privileges
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 560000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 560000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 492000 Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 494000 Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AB6008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 560000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 562000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5F2000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5F4000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 342008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 492000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 494000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: A79008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Queries volume information: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Queries volume information: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Queries volume information: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.1570629164.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1570629164.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2700048230.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1664483302.00000000025F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2700048230.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1664483302.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4316, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4316, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.1570629164.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1570629164.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2700048230.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1664483302.00000000025F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2700048230.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1664483302.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4316, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1518416 Sample: nDHL_AWB_6078538091_scr.exe Startdate: 25/09/2024 Architecture: WINDOWS Score: 100 27 nffplp.com 2->27 29 ip-api.com 2->29 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected AgentTesla 2->55 57 5 other signatures 2->57 7 nDHL_AWB_6078538091_scr.exe 1 4 2->7         started        11 Tcdyttxfbca.exe 2 2->11         started        13 Tcdyttxfbca.exe 2 2->13         started        signatures3 process4 file5 23 C:\Users\user\AppData\...\Tcdyttxfbca.exe, PE32 7->23 dropped 25 C:\Users\...\Tcdyttxfbca.exe:Zone.Identifier, ASCII 7->25 dropped 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->59 61 Writes to foreign memory regions 7->61 63 Allocates memory in foreign processes 7->63 15 InstallUtil.exe 15 2 7->15         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 19 InstallUtil.exe 2 11->19         started        21 InstallUtil.exe 2 13->21         started        signatures6 process7 dnsIp8 31 ip-api.com 208.95.112.1, 49705, 49707, 49714 TUT-ASUS United States 15->31 33 nffplp.com 163.44.198.71, 49706, 49708, 49715 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG Singapore 15->33 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->35 37 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->37 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->39 41 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 15->41 43 Installs a global keyboard hook 19->43 45 Tries to steal Mail credentials (via file / registry access) 21->45 47 Tries to harvest and steal ftp login credentials 21->47 49 Tries to harvest and steal browser information (history, passwords, etc) 21->49 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS true
163.44.198.71
 nffplp.com Singapore
135161 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG true

Contacted Domains

Name IP Active
ip-api.com 208.95.112.1 true
nffplp.com 163.44.198.71 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ip-api.com/line/?fields=hosting false
  • URL Reputation: safe
 unknown