Windows Analysis Report
RFQ____RM quotation_JPEG IMAGE.img.exe

Overview

General Information

Sample name: RFQ____RM quotation_JPEG IMAGE.img.exe
Analysis ID: 1519289
MD5: c3490999b5e36705b9b2abb2a3ed08c1
SHA1: f6af8f800b5e86d12ea5a1a5567da493d0c816b3
SHA256: 8f2dd3233b7b97265bcdfc1053875652d9f9012d3716de034f73b5caadd78d7b
Tags: exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: RFQ____RM quotation_JPEG IMAGE.img.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Avira: detection malicious, Label: HEUR/AGEN.1323682
Found malware configuration
Source: 00000006.00000002.2322264218.0000000003762000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7898897232:AAH4QekZK0wf1eNHt5yAECTe9huaiVIg5vE/sendMessage?chat_id=5726609491", "Token": "7898897232:AAH4QekZK0wf1eNHt5yAECTe9huaiVIg5vE", "Chat_id": "5726609491", "Version": "5.1"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe ReversingLabs: Detection: 63%
Multi AV Scanner detection for submitted file
Source: RFQ____RM quotation_JPEG IMAGE.img.exe ReversingLabs: Detection: 63%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RFQ____RM quotation_JPEG IMAGE.img.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: RFQ____RM quotation_JPEG IMAGE.img.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49727 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49742 version: TLS 1.0
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: RFQ____RM quotation_JPEG IMAGE.img.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2112460663.00000000065D0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004259000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.0000000002510000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2248365081.000000000346F000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2322264218.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.0000000002659000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2112460663.00000000065D0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004259000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.0000000002510000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2248365081.000000000346F000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2322264218.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.0000000002659000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then jmp 064F56A5h 0_2_064F566E
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then jmp 064F56A5h 0_2_064F5418
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then jmp 064F56A5h 0_2_064F5428
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_064F4428
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_064F4420
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then jmp 0650FB60h 0_2_0650FAA0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then jmp 0650FB60h 0_2_0650FAA8
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then jmp 06508A9Ch 0_2_06508892
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then jmp 06508A9Ch 0_2_065088A0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then jmp 065080D2h 0_2_06507D78
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then jmp 065080D2h 0_2_06507D68
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_065CD918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 014DF206h 2_2_014DF017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 014DFB90h 2_2_014DF017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 2_2_014DE538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06858945h 2_2_06858608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06856171h 2_2_06855EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068558C1h 2_2_06855618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06855D19h 2_2_06855A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 2_2_068533A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 2_2_068533B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06856E79h 2_2_06856BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068565C9h 2_2_06856320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06856A21h 2_2_06856778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06850741h 2_2_06850498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06857751h 2_2_068574A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06850B99h 2_2_068508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068502E9h 2_2_06850040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068572FAh 2_2_06857050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06855441h 2_2_06855198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06858459h 2_2_068581B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06857BA9h 2_2_06857900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06850FF1h 2_2_06850D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06858001h 2_2_06857D58
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05A94428
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05A956A5h 3_2_05A95428
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05A94420
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05A956A5h 3_2_05A95418
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05A956A5h 3_2_05A9566E
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05AA80D2h 3_2_05AA7D68
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05AA80D2h 3_2_05AA7D78
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05AA8A9Ch 3_2_05AA88A0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05AA8A9Ch 3_2_05AA8893
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05AAFB60h 3_2_05AAFAA8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05AAFB60h 3_2_05AAFAA0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_05B6D918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 010FF1F6h 5_2_010FF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 010FFB80h 5_2_010FF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_010FE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_010FEB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_010FED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06811A38h 5_2_06811620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068102F1h 5_2_06810040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06811471h 5_2_068111C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681D1A1h 5_2_0681CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681F8B9h 5_2_0681F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06811A38h 5_2_06811610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681C8F1h 5_2_0681C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681DA51h 5_2_0681D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06810751h 5_2_068104A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681E759h 5_2_0681E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681B791h 5_2_0681B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681DEA9h 5_2_0681DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681C041h 5_2_0681BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06811011h 5_2_06810D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681F009h 5_2_0681ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681CD49h 5_2_0681CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681FD11h 5_2_0681FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681D5F9h 5_2_0681D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681E301h 5_2_0681E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681F461h 5_2_0681F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681C499h 5_2_0681C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06810BB1h 5_2_06810900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681EBB1h 5_2_0681E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0681BBE9h 5_2_0681B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06811A38h 5_2_06811966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06848945h 5_2_06848608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068402E9h 5_2_06840040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06846171h 5_2_06845EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068458C1h 5_2_06845618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06845D19h 5_2_06845A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 5_2_068433A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 5_2_068433B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06846E79h 5_2_06846BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068465C9h 5_2_06846320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06846A21h 5_2_06846778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06840741h 5_2_06840498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06847751h 5_2_068474A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06840B99h 5_2_068408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068472FAh 5_2_06847050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06845441h 5_2_06845198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06848459h 5_2_068481B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06847BA9h 5_2_06847900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06840FF1h 5_2_06840D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06848001h 5_2_06847D58
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05C456A5h 6_2_05C45418
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 6_2_05C44420
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 6_2_05C44428
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05C456A5h 6_2_05C45428
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05C456A5h 6_2_05C4566E
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05C580D2h 6_2_05C57D68
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05C580D2h 6_2_05C57D78
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05C58A9Ch 6_2_05C58892
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05C58A9Ch 6_2_05C588A0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05C5FB60h 6_2_05C5FAA0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then jmp 05C5FB60h 6_2_05C5FAA8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 6_2_05D1D918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0090F1F6h 7_2_0090F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0090FB80h 7_2_0090F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_0090E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06001A38h 7_2_06001620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 060002F1h 7_2_06000040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06001471h 7_2_060011C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600F8B9h 7_2_0600F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06001A38h 7_2_06001610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600C8F1h 7_2_0600C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600D1A1h 7_2_0600CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600DA51h 7_2_0600D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600DEA9h 7_2_0600DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06000751h 7_2_060004A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600E759h 7_2_0600E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600B791h 7_2_0600B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06001011h 7_2_06000D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600F009h 7_2_0600ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600C041h 7_2_0600BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600FD11h 7_2_0600FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600CD49h 7_2_0600CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600D5F9h 7_2_0600D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600E301h 7_2_0600E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06000BB1h 7_2_06000900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600EBB1h 7_2_0600E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600BBE9h 7_2_0600B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06001A38h 7_2_06001966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600F461h 7_2_0600F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0600C499h 7_2_0600C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06038945h 7_2_06038608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06030741h 7_2_06030498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 060358C1h 7_2_06035618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06035D19h 7_2_06035A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06036171h 7_2_06035EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_060336CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 060365C9h 7_2_06036320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06036A21h 7_2_06036778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_060333A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_060333B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06036E79h 7_2_06036BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 060302E9h 7_2_06030040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 060372FAh 7_2_06037050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06037751h 7_2_060374A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06030B99h 7_2_060308F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06037BA9h 7_2_06037900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06030FF1h 7_2_06030D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06038001h 7_2_06037D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06035441h 7_2_06035198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06038459h 7_2_060381B0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 67.212.175.162:443 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 67.212.175.162:443 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 67.212.175.162:443 -> 192.168.2.5:49712
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 67.212.175.162:443 -> 192.168.2.5:49712
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 67.212.175.162:443 -> 192.168.2.5:49732
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 67.212.175.162:443 -> 192.168.2.5:49732
Yara detected Generic Downloader
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /panel/Skdqhzzwa.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/Skdqhzzwa.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/Skdqhzzwa.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 67.212.175.162 67.212.175.162
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49708 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49729 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49746 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49719 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49738 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49730 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49728 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49744 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49757 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49755 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49727 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49742 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /panel/Skdqhzzwa.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/Skdqhzzwa.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/Skdqhzzwa.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: wymascensores.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: InstallUtil.exe, 00000002.00000002.4524686788.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000003035000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E05000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E32000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.00000000029A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000002.00000002.4524686788.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000003007000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000003035000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E05000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E32000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.00000000029EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000002.00000002.4524686788.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.0000000003555000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.000000000259A000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2248365081.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4518406958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2322264218.0000000003762000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.00000000027C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000005.00000002.4524242471.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgh
Source: InstallUtil.exe, 00000002.00000002.4524686788.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000003035000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002F56000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E05000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E32000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.0000000003251000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.000000000261D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2248365081.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2322264218.0000000004015000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000002.00000002.4524686788.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000003035000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E05000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E32000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.00000000029A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.0000000003555000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.000000000259A000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2248365081.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4518406958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2322264218.0000000003762000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.00000000029A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000007.00000002.4525996681.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: InstallUtil.exe, 00000002.00000002.4524686788.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000003035000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E05000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002E32000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4525996681.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.0000000003299000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.0000000002659000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.000000000261D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wymascensores.com
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.0000000002611000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wymascensores.com/panel/Skdqhzzwa.mp3
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.5:49732 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2089672155.0000000003555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.2322264218.0000000003762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2322264218.0000000003762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2224812433.000000000259A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2248365081.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2248365081.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.2301023518.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.4518406958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.4518406958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2105174965.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2105174965.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ____RM quotation_JPEG IMAGE.img.exe PID: 3148, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RFQ____RM quotation_JPEG IMAGE.img.exe PID: 3148, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Gydvapkca.exe PID: 5332, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Gydvapkca.exe PID: 5332, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 3176, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 3176, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Gydvapkca.exe PID: 6716, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Gydvapkca.exe PID: 6716, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: RFQ____RM quotation_JPEG IMAGE.img.exe
Source: initial sample Static PE information: Filename: RFQ____RM quotation_JPEG IMAGE.img.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064F14F8 NtProtectVirtualMemory, 0_2_064F14F8
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064F2A30 NtResumeThread, 0_2_064F2A30
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064F14F0 NtProtectVirtualMemory, 0_2_064F14F0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064F2A29 NtResumeThread, 0_2_064F2A29
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A914F8 NtProtectVirtualMemory, 3_2_05A914F8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A92A30 NtResumeThread, 3_2_05A92A30
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A914F0 NtProtectVirtualMemory, 3_2_05A914F0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A92A29 NtResumeThread, 3_2_05A92A29
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C414F8 NtProtectVirtualMemory, 6_2_05C414F8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C42A30 NtResumeThread, 6_2_05C42A30
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C414F0 NtProtectVirtualMemory, 6_2_05C414F0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C42A29 NtResumeThread, 6_2_05C42A29
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_063E0040 0_2_063E0040
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_063E001E 0_2_063E001E
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_01412010 0_2_01412010
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_01412322 0_2_01412322
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_01410A58 0_2_01410A58
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_01410D21 0_2_01410D21
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0141D2D0 0_2_0141D2D0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_014116C5 0_2_014116C5
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_014120B1 0_2_014120B1
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_01410D6A 0_2_01410D6A
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_01410DE1 0_2_01410DE1
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_01418F2B 0_2_01418F2B
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_01418F38 0_2_01418F38
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_014112F6 0_2_014112F6
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_014117C6 0_2_014117C6
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064FDB90 0_2_064FDB90
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064FD048 0_2_064FD048
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064F566E 0_2_064F566E
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064FDE8D 0_2_064FDE8D
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064F5418 0_2_064F5418
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064F5428 0_2_064F5428
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064FDB81 0_2_064FDB81
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064FD038 0_2_064FD038
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064FB142 0_2_064FB142
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064FB150 0_2_064FB150
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06504C38 0_2_06504C38
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0650A4F0 0_2_0650A4F0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0650A548 0_2_0650A548
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0650E1B0 0_2_0650E1B0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0650A538 0_2_0650A538
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0650E1A1 0_2_0650E1A1
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06547FB8 0_2_06547FB8
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0654C100 0_2_0654C100
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06548EC0 0_2_06548EC0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06548EB0 0_2_06548EB0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06547FA9 0_2_06547FA9
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0654C427 0_2_0654C427
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0654D2F8 0_2_0654D2F8
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06540006 0_2_06540006
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_065B1F90 0_2_065B1F90
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_065B1F81 0_2_065B1F81
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_065C0040 0_2_065C0040
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_065C0033 0_2_065C0033
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0684DBE8 0_2_0684DBE8
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0684CF38 0_2_0684CF38
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06830007 0_2_06830007
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06830040 0_2_06830040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014D6120 2_2_014D6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DC1A0 2_2_014DC1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DF017 2_2_014DF017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DB338 2_2_014DB338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DC480 2_2_014DC480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014D6748 2_2_014D6748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DC762 2_2_014DC762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DB7E2 2_2_014DB7E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014D46D9 2_2_014D46D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014D9868 2_2_014D9868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DCA42 2_2_014DCA42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DBE97 2_2_014DBE97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014D3572 2_2_014D3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DB502 2_2_014DB502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DE527 2_2_014DE527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DE538 2_2_014DE538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014DBEC0 2_2_014DBEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685B6E8 2_2_0685B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06858608 2_2_06858608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685AA58 2_2_0685AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685D670 2_2_0685D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685C388 2_2_0685C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06858BED 2_2_06858BED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685B0A0 2_2_0685B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685A408 2_2_0685A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685D028 2_2_0685D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_068511A0 2_2_068511A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685C9D8 2_2_0685C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685BD38 2_2_0685BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06855EB8 2_2_06855EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06855EC8 2_2_06855EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685B6D9 2_2_0685B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685560A 2_2_0685560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06855618 2_2_06855618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685AA48 2_2_0685AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06855A60 2_2_06855A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685D663 2_2_0685D663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06855A70 2_2_06855A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_068533A8 2_2_068533A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_068533B8 2_2_068533B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06856BC1 2_2_06856BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06856BD0 2_2_06856BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685A3F8 2_2_0685A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06856312 2_2_06856312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06856320 2_2_06856320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06853730 2_2_06853730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685676A 2_2_0685676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06856778 2_2_06856778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685C378 2_2_0685C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685B08F 2_2_0685B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06850488 2_2_06850488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06857497 2_2_06857497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06850498 2_2_06850498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_068574A8 2_2_068574A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_068508E0 2_2_068508E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_068508F0 2_2_068508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_068578F0 2_2_068578F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06850007 2_2_06850007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06852807 2_2_06852807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06852818 2_2_06852818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685D018 2_2_0685D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06854430 2_2_06854430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06850040 2_2_06850040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06857040 2_2_06857040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06857050 2_2_06857050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685518A 2_2_0685518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06851191 2_2_06851191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06855198 2_2_06855198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_068581A0 2_2_068581A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_068581B0 2_2_068581B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685C9C8 2_2_0685C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_068585FC 2_2_068585FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06857900 2_2_06857900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0685BD28 2_2_0685BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06850D39 2_2_06850D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06850D48 2_2_06850D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06857D48 2_2_06857D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06857D58 2_2_06857D58
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_02212322 3_2_02212322
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_02212010 3_2_02212010
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_02210A58 3_2_02210A58
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_02210D21 3_2_02210D21
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_0221D2D0 3_2_0221D2D0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_022116C5 3_2_022116C5
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_022120B1 3_2_022120B1
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_02218F2B 3_2_02218F2B
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_02218F38 3_2_02218F38
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_02210D6A 3_2_02210D6A
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_02210DE1 3_2_02210DE1
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_022112F6 3_2_022112F6
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_022117C6 3_2_022117C6
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_0598142C 3_2_0598142C
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_0598C048 3_2_0598C048
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05980040 3_2_05980040
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_059845D8 3_2_059845D8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_059845CA 3_2_059845CA
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_059856E0 3_2_059856E0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05980006 3_2_05980006
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_0598C03A 3_2_0598C03A
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_0598ABB1 3_2_0598ABB1
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_0598ABC0 3_2_0598ABC0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A9CC88 3_2_05A9CC88
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A9C140 3_2_05A9C140
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A95428 3_2_05A95428
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A95418 3_2_05A95418
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A9CC79 3_2_05A9CC79
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A9CF85 3_2_05A9CF85
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A9566E 3_2_05A9566E
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A9C131 3_2_05A9C131
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AAE1B0 3_2_05AAE1B0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AAA548 3_2_05AAA548
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AA4C38 3_2_05AA4C38
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AAE1A1 3_2_05AAE1A1
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AAA538 3_2_05AAA538
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AABB4F 3_2_05AABB4F
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AD0853 3_2_05AD0853
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AE7FB8 3_2_05AE7FB8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AEC100 3_2_05AEC100
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AEC427 3_2_05AEC427
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AE7FA9 3_2_05AE7FA9
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AE8EB0 3_2_05AE8EB0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AE8EC0 3_2_05AE8EC0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AE0006 3_2_05AE0006
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AED2F8 3_2_05AED2F8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05B60006 3_2_05B60006
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05B60040 3_2_05B60040
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05DEDBE8 3_2_05DEDBE8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05DD0040 3_2_05DD0040
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05DD0007 3_2_05DD0007
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05DECF38 3_2_05DECF38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010F6108 5_2_010F6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FC190 5_2_010FC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FF007 5_2_010FF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FB328 5_2_010FB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FC470 5_2_010FC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010F6730 5_2_010F6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FC752 5_2_010FC752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010F97E8 5_2_010F97E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FBBD2 5_2_010FBBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FCA32 5_2_010FCA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010F4AD9 5_2_010F4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FBEB0 5_2_010FBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FE517 5_2_010FE517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FE528 5_2_010FE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_010FB4F2 5_2_010FB4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06818460 5_2_06818460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06817D90 5_2_06817D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06810040 5_2_06810040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06813870 5_2_06813870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068111C0 5_2_068111C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681CEEB 5_2_0681CEEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681CEF8 5_2_0681CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681F600 5_2_0681F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681F610 5_2_0681F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681C638 5_2_0681C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681C648 5_2_0681C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681D798 5_2_0681D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681D7A8 5_2_0681D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06810490 5_2_06810490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068104A0 5_2_068104A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681E4A0 5_2_0681E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681E4B0 5_2_0681E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681B4D7 5_2_0681B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681B4E8 5_2_0681B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681DC00 5_2_0681DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681BD88 5_2_0681BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681BD98 5_2_0681BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06810D51 5_2_06810D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681ED50 5_2_0681ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06810D60 5_2_06810D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681ED60 5_2_0681ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681CAA0 5_2_0681CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681FA59 5_2_0681FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681FA68 5_2_0681FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068173D8 5_2_068173D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068173E8 5_2_068173E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681DBF1 5_2_0681DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681D340 5_2_0681D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681D350 5_2_0681D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068108F0 5_2_068108F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681E8F8 5_2_0681E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06810007 5_2_06810007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681E04B 5_2_0681E04B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681E058 5_2_0681E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06813860 5_2_06813860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681F1A9 5_2_0681F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068111B0 5_2_068111B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681F1B8 5_2_0681F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681C1E0 5_2_0681C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681C1F0 5_2_0681C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06810900 5_2_06810900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681E908 5_2_0681E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681B930 5_2_0681B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0681B940 5_2_0681B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684B6E8 5_2_0684B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06848608 5_2_06848608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684AA58 5_2_0684AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684D670 5_2_0684D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684C388 5_2_0684C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06848BF3 5_2_06848BF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684B0A0 5_2_0684B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684A408 5_2_0684A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684D028 5_2_0684D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06840040 5_2_06840040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068411A0 5_2_068411A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684C9D8 5_2_0684C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684BD38 5_2_0684BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06845EB8 5_2_06845EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06845EC8 5_2_06845EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684B6D9 5_2_0684B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684560B 5_2_0684560B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06845618 5_2_06845618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684AA48 5_2_0684AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06845A60 5_2_06845A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684D661 5_2_0684D661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06845A70 5_2_06845A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068433A8 5_2_068433A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068433B8 5_2_068433B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06846BC1 5_2_06846BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06846BD0 5_2_06846BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684A3F8 5_2_0684A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06846313 5_2_06846313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06846320 5_2_06846320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06843730 5_2_06843730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06846768 5_2_06846768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06846778 5_2_06846778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684C378 5_2_0684C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684B08F 5_2_0684B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06840488 5_2_06840488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06847497 5_2_06847497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06840498 5_2_06840498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068474A8 5_2_068474A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068408E0 5_2_068408E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068408F0 5_2_068408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068478F0 5_2_068478F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06840007 5_2_06840007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06842807 5_2_06842807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06842818 5_2_06842818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684D018 5_2_0684D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06844430 5_2_06844430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06847040 5_2_06847040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06847050 5_2_06847050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684518F 5_2_0684518F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06845198 5_2_06845198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068481A0 5_2_068481A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068481B0 5_2_068481B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684C9C8 5_2_0684C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_068485F8 5_2_068485F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06847900 5_2_06847900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0684BD2F 5_2_0684BD2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06840D39 5_2_06840D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06840D48 5_2_06840D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06847D48 5_2_06847D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06847D58 5_2_06847D58
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F2322 6_2_024F2322
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F2010 6_2_024F2010
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F0A58 6_2_024F0A58
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F0D21 6_2_024F0D21
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024FD2D0 6_2_024FD2D0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F16C5 6_2_024F16C5
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F20B1 6_2_024F20B1
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F8F2B 6_2_024F8F2B
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F8F38 6_2_024F8F38
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F0D6A 6_2_024F0D6A
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F0DE1 6_2_024F0DE1
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F12F6 6_2_024F12F6
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_024F17C6 6_2_024F17C6
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05B3142C 6_2_05B3142C
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05B30040 6_2_05B30040
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05B3C048 6_2_05B3C048
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05B345D8 6_2_05B345D8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05B345C9 6_2_05B345C9
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05B356E0 6_2_05B356E0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05B3C03A 6_2_05B3C03A
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05B30014 6_2_05B30014
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05B3ABB1 6_2_05B3ABB1
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05B3ABC0 6_2_05B3ABC0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C4CC88 6_2_05C4CC88
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C4C140 6_2_05C4C140
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C4CC79 6_2_05C4CC79
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C45418 6_2_05C45418
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C45428 6_2_05C45428
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C4CF85 6_2_05C4CF85
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C4566E 6_2_05C4566E
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C4C131 6_2_05C4C131
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C5E1B0 6_2_05C5E1B0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C5A548 6_2_05C5A548
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C54C38 6_2_05C54C38
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C5E1A1 6_2_05C5E1A1
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C5A538 6_2_05C5A538
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C5BB4F 6_2_05C5BB4F
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C80853 6_2_05C80853
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C97FB8 6_2_05C97FB8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C9C100 6_2_05C9C100
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C9C427 6_2_05C9C427
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C97FA9 6_2_05C97FA9
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C98EC0 6_2_05C98EC0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C98EB0 6_2_05C98EB0
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C90006 6_2_05C90006
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05C9D2F8 6_2_05C9D2F8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05D10040 6_2_05D10040
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05D10007 6_2_05D10007
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05F9DBE8 6_2_05F9DBE8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05F80040 6_2_05F80040
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05F80006 6_2_05F80006
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 6_2_05F9CF38 6_2_05F9CF38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090F007 7_2_0090F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090C190 7_2_0090C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00906108 7_2_00906108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090B328 7_2_0090B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090C470 7_2_0090C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00906730 7_2_00906730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090C751 7_2_0090C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00909858 7_2_00909858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00904AD9 7_2_00904AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090CA31 7_2_0090CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090BBD2 7_2_0090BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090BEB0 7_2_0090BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090B4F2 7_2_0090B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090E517 7_2_0090E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0090E528 7_2_0090E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00903570 7_2_00903570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06008460 7_2_06008460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06007D90 7_2_06007D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06000040 7_2_06000040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06003870 7_2_06003870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060011C0 7_2_060011C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600F600 7_2_0600F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600F610 7_2_0600F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600C638 7_2_0600C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600C648 7_2_0600C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600CEEB 7_2_0600CEEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600CEF8 7_2_0600CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600D798 7_2_0600D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600D7A8 7_2_0600D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600DC00 7_2_0600DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06000490 7_2_06000490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060004A0 7_2_060004A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600E4A0 7_2_0600E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600E4B0 7_2_0600E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600B4D7 7_2_0600B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600B4E8 7_2_0600B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600ED50 7_2_0600ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06000D51 7_2_06000D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06000D60 7_2_06000D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600ED60 7_2_0600ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600BD88 7_2_0600BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600BD98 7_2_0600BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600FA59 7_2_0600FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600FA68 7_2_0600FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600CA90 7_2_0600CA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600CAA0 7_2_0600CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600D340 7_2_0600D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600D350 7_2_0600D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060073E8 7_2_060073E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600DBF1 7_2_0600DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06000007 7_2_06000007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600E04B 7_2_0600E04B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600E058 7_2_0600E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06003860 7_2_06003860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060008F0 7_2_060008F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600E8F8 7_2_0600E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06000900 7_2_06000900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600E908 7_2_0600E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600B930 7_2_0600B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600B940 7_2_0600B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600F1A9 7_2_0600F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060011B0 7_2_060011B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600F1B8 7_2_0600F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600C1E0 7_2_0600C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0600C1F0 7_2_0600C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06038608 7_2_06038608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603AA58 7_2_0603AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603D670 7_2_0603D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603B6E8 7_2_0603B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603C388 7_2_0603C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603A408 7_2_0603A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603D028 7_2_0603D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06038C51 7_2_06038C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06030498 7_2_06030498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603B0A0 7_2_0603B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603BD38 7_2_0603BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060311A0 7_2_060311A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603C9D8 7_2_0603C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06038603 7_2_06038603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603560B 7_2_0603560B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06035618 7_2_06035618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603AA48 7_2_0603AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603D662 7_2_0603D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06035A60 7_2_06035A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06035A70 7_2_06035A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06035EB8 7_2_06035EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06035EC8 7_2_06035EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603B6D9 7_2_0603B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06036313 7_2_06036313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06036320 7_2_06036320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06033730 7_2_06033730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06036768 7_2_06036768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06036778 7_2_06036778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603C378 7_2_0603C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060333A8 7_2_060333A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060333B8 7_2_060333B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06036BC1 7_2_06036BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06036BD0 7_2_06036BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603A3F8 7_2_0603A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06032807 7_2_06032807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06030006 7_2_06030006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06032818 7_2_06032818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603D018 7_2_0603D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06034430 7_2_06034430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06030040 7_2_06030040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06037049 7_2_06037049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06037050 7_2_06037050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06030488 7_2_06030488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603B08F 7_2_0603B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06037497 7_2_06037497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060374A8 7_2_060374A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060308E0 7_2_060308E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060308F0 7_2_060308F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060378F0 7_2_060378F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06037900 7_2_06037900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603BD28 7_2_0603BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06030D39 7_2_06030D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06030D48 7_2_06030D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06037D48 7_2_06037D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06037D58 7_2_06037D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603518B 7_2_0603518B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06031191 7_2_06031191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_06035198 7_2_06035198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060381A0 7_2_060381A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_060381B0 7_2_060381B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_0603C9C8 7_2_0603C9C8
Sample file is different than original file name gathered from version info
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2112460663.00000000065D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.0000000003555000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000000.2052909448.0000000000C72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecrypted aw.exe6 vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.00000000034C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.00000000034C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecrypted aw.exe6 vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004259000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.0000000003299000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2087239384.000000000144E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2110257215.00000000061F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecrypted aw.exe6 vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHlytzfcdj.dll" vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000043A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHlytzfcdj.dll" vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2110612573.0000000006280000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameHlytzfcdj.dll" vs RFQ____RM quotation_JPEG IMAGE.img.exe
Source: RFQ____RM quotation_JPEG IMAGE.img.exe Binary or memory string: OriginalFilenamecrypted aw.exe6 vs RFQ____RM quotation_JPEG IMAGE.img.exe
Uses 32bit PE files
Source: RFQ____RM quotation_JPEG IMAGE.img.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2089672155.0000000003555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.2322264218.0000000003762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2322264218.0000000003762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2224812433.000000000259A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2248365081.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2248365081.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.2301023518.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.4518406958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.4518406958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2105174965.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2105174965.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ____RM quotation_JPEG IMAGE.img.exe PID: 3148, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RFQ____RM quotation_JPEG IMAGE.img.exe PID: 3148, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Gydvapkca.exe PID: 5332, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Gydvapkca.exe PID: 5332, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 3176, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 3176, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Gydvapkca.exe PID: 6716, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Gydvapkca.exe PID: 6716, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, -kk-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, -kk-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, 2-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, 2-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, 2-.cs Base64 encoded string: 'sS3EzkPIq3urKzyR2NKtwlJBNfVk8azCI8Wgp4QmoZJ4fZbaHSKWnckEtYSxsT42'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/2@3/3
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe File created: C:\Users\user\AppData\Roaming\Gydvapkca.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: RFQ____RM quotation_JPEG IMAGE.img.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ____RM quotation_JPEG IMAGE.img.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: InstallUtil.exe, 00000002.00000002.4524686788.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.0000000003107000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4532616204.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4524686788.00000000030FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002F05000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4524242471.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RFQ____RM quotation_JPEG IMAGE.img.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe File read: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe "C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe"
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Gydvapkca.exe "C:\Users\user\AppData\Roaming\Gydvapkca.exe"
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Gydvapkca.exe "C:\Users\user\AppData\Roaming\Gydvapkca.exe"
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: RFQ____RM quotation_JPEG IMAGE.img.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ____RM quotation_JPEG IMAGE.img.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2112460663.00000000065D0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004259000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.0000000002510000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2248365081.000000000346F000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2322264218.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.0000000002659000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2112460663.00000000065D0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004259000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.0000000002510000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2248365081.000000000346F000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2322264218.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.0000000002659000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2111673628.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.64a0000.12.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.64a0000.12.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.64a0000.12.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.64a0000.12.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.64a0000.12.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.4c0fca0.5.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.4c0fca0.5.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.4c0fca0.5.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.4c0fca0.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.4c0fca0.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.65d0000.13.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 6.2.Gydvapkca.exe.3efb240.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.6380000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Gydvapkca.exe.3c8b240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.4b3b240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.497de10.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2301023518.0000000002659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2322264218.0000000003EFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2089672155.0000000003299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2248365081.0000000003C8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2111165061.0000000006380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2224812433.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2105174965.0000000004439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ____RM quotation_JPEG IMAGE.img.exe PID: 3148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gydvapkca.exe PID: 5332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gydvapkca.exe PID: 6716, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064FF78C push es; retf 0_2_064FF7A0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064FF7A1 push es; retf 0_2_064FF7A0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_064F3BC2 pushad ; ret 0_2_064F3BC9
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_065076E0 pushfd ; iretd 0_2_065076ED
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06502291 push es; ret 0_2_065022A0
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06500006 push es; iretd 0_2_0650001C
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06545E79 push es; ret 0_2_06545EAC
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06545E79 push es; iretd 0_2_06545EE4
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0654EED8 pushfd ; retf 0_2_0654EED9
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0654EE88 push esp; retf 0_2_0654EE89
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06545EAD push es; iretd 0_2_06545EE4
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06547746 push es; retf 0_2_06547748
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06545F9D push es; ret 0_2_06545FC8
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_06543221 push ss; iretd 0_2_06543224
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0654B870 push es; ret 0_2_0654B920
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0654714C push cs; ret 0_2_0654714F
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0654610E push es; retf 0_2_06546118
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_0654E1FD push ecx; iretd 0_2_0654E21C
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_065B12CA push B006593Fh; iretd 0_2_065B1325
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_065C3E89 push esi; ret 0_2_065C3E8F
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Code function: 0_2_065C3287 push ecx; iretd 0_2_065C3288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014D9720 push esp; ret 2_2_014D9721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06853181 push ebx; retf 2_2_06853182
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05902EA7 push esp; retf 3_2_05902EA8
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A9FD99 push B005B334h; iretd 3_2_05A9FDB5
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05A93BC3 pushad ; ret 3_2_05A93BC9
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AEEE88 push esp; retf 3_2_05AEEE89
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AEEED8 pushfd ; retf 3_2_05AEEED9
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AEE1FD push ecx; iretd 3_2_05AEE21C
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AE714C push cs; ret 3_2_05AE714F
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Code function: 3_2_05AE3221 push ss; iretd 3_2_05AE3224
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.6280000.10.raw.unpack, wtV2nOsa2CmueAALmHi.cs High entropy of concatenated method names: 'PFbsEwe8Je', 'U8A85IunLbckruXOhDR', 'OXjBLtu8xSCXlJah1KF', 'sn7C6IuGdhT3sheVtS2', 'P9RXemubvLWXbI1nupb', 'Dj7tppuu2qYweNJ4vxS', 'QBv2E9uOMLSi0Vf4Ble'
Source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.6280000.10.raw.unpack, AjBCn8seDa4miASEKPT.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'GQls38iTt8', 'NtProtectVirtualMemory', 'w0seO0u9fbRFVTcnXsD', 'c9XCmcuIYPjMvXYXVn5', 'eWcexQu3KDyCJbDflMR', 'fgPXOhutfph5jtCyIwD'
Drops PE files
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe File created: C:\Users\user\AppData\Roaming\Gydvapkca.exe Jump to dropped file
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Gydvapkca Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Gydvapkca Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: RFQ____RM quotation_JPEG IMAGE.img.exe PID: 3148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gydvapkca.exe PID: 5332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gydvapkca.exe PID: 6716, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2089672155.0000000003299000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000003.00000002.2224812433.00000000023E9000.00000004.00000800.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2301023518.0000000002659000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory allocated: 13D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory allocated: 3250000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory allocated: 3060000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1490000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2E80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2DC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory allocated: 2210000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory allocated: 23A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory allocated: 43A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 10F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory allocated: 24F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory allocated: 4610000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 900000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 28E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 10E0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599873 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599542 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598827 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598467 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598357 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597810 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595951 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599873 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599580 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599452 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599279 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599017 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598905 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598553 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598202 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597872 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597421 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597202 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596714 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596608 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596374 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596042 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595911 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595551 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595436 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595327 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594523 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594420 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594310 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593608 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593499 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594475
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594097
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2619 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7208 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 5259 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4551 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 5657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4185
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4796 Thread sleep count: 2619 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -599873s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4796 Thread sleep count: 7208 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -599542s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -599422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -599063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -598938s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -598827s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -598718s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -598578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -598467s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -598357s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -598250s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -598141s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -598031s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -597922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -597810s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -597703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -597594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -597485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -597360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -597235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -597110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -596985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -596860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -596735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -596610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -596485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -596360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -596235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -596109s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -595951s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -595844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -595688s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -595562s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -595453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -595344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -594985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -594859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -594750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -594641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -594531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -594422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -594313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -594188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5804 Thread sleep time: -594063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -32281802128991695s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7104 Thread sleep count: 5259 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -599873s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -599750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -599580s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -599452s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -599279s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7104 Thread sleep count: 4551 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -599156s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -599017s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -598905s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -598781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -598671s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -598553s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -598422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -598312s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -598202s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -598093s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -597984s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -597872s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -597750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -597640s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -597531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -597421s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -597312s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -597202s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -597093s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -596714s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -596608s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -596484s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -596374s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -596265s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -596156s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -596042s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -595911s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -595781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -595672s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -595551s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -595436s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -595327s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -595203s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -595093s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -594984s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -594875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -594765s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -594656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -594523s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -594420s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -594310s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -594062s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -593937s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -593828s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -593718s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -593608s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -593499s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3624 Thread sleep time: -593375s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep count: 39 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -599874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836 Thread sleep count: 5657 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836 Thread sleep count: 4185 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -599766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -599656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -599546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -599437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -599064s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -598953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -598844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -598719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -598609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -598500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -598391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -598281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -598172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -598062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -597953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -597844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -597734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -597625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -597516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -597391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -597266s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -597156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -597047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -596937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -596815s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -596702s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -596592s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -596478s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -596375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -596265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -596156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -596047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -595922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -595812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -595703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -595594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -595469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -595359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -595250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -595141s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -595031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -594922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -594812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -594703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -594594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -594475s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -594359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -594250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5136 Thread sleep time: -594097s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599873 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599542 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598827 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598467 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598357 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597810 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595951 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599873 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599580 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599452 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599279 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599017 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598905 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598553 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598202 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597872 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597421 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597202 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596714 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596608 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596374 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596042 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595911 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595551 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595436 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595327 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594523 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594420 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594310 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593608 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593499 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594475
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594097
Source: Gydvapkca.exe, 00000003.00000002.2221122194.0000000000901000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: Gydvapkca.exe, 00000006.00000002.2301023518.0000000002659000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Gydvapkca.exe, 00000006.00000002.2301023518.0000000002659000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000007.00000002.4520592957.0000000000978000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: RFQ____RM quotation_JPEG IMAGE.img.exe, 00000000.00000002.2087239384.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4520094050.0000000001258000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.4521083391.0000000001139000.00000004.00000020.00020000.00000000.sdmp, Gydvapkca.exe, 00000006.00000002.2297730611.0000000000840000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_06817D90 LdrInitializeThunk, 5_2_06817D90
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 380000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 380000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: DE8008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B5A008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 380000
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 382000
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3A2000
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3A4000
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 54C008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Queries volume information: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Queries volume information: C:\Users\user\AppData\Roaming\Gydvapkca.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Queries volume information: C:\Users\user\AppData\Roaming\Gydvapkca.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Gydvapkca.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ____RM quotation_JPEG IMAGE.img.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2089672155.0000000003555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2322264218.0000000003762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2224812433.000000000259A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4525996681.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2248365081.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4524242471.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2301023518.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4524686788.0000000003043000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4518406958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2105174965.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4525996681.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4524686788.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4524242471.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ____RM quotation_JPEG IMAGE.img.exe PID: 3148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gydvapkca.exe PID: 5332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gydvapkca.exe PID: 6716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5780, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2089672155.0000000003555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2322264218.0000000003762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2224812433.000000000259A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2248365081.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2301023518.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4518406958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2105174965.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ____RM quotation_JPEG IMAGE.img.exe PID: 3148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gydvapkca.exe PID: 5332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gydvapkca.exe PID: 6716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5780, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.431fdb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ____RM quotation_JPEG IMAGE.img.exe.42d1590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2089672155.0000000003555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2322264218.0000000003762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2224812433.000000000259A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4525996681.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2248365081.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4524242471.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2301023518.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4524686788.0000000003043000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4518406958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2105174965.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2105174965.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4525996681.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4524686788.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4524242471.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ____RM quotation_JPEG IMAGE.img.exe PID: 3148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gydvapkca.exe PID: 5332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gydvapkca.exe PID: 6716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5780, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519289 Sample: RFQ____RM quotation_JPEG IM... Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 32 reallyfreegeoip.org 2->32 34 wymascensores.com 2->34 36 2 other IPs or domains 2->36 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 52 10 other signatures 2->52 7 RFQ____RM quotation_JPEG IMAGE.img.exe 16 4 2->7         started        12 Gydvapkca.exe 14 2 2->12         started        14 Gydvapkca.exe 2->14         started        signatures3 50 Tries to detect the country of the analysis system (by using the IP) 32->50 process4 dnsIp5 38 wymascensores.com 67.212.175.162, 443, 49704, 49712 SINGLEHOP-LLCUS United States 7->38 24 C:\Users\user\AppData\Roamingbehaviorgraphydvapkca.exe, PE32 7->24 dropped 26 C:\Users\...behaviorgraphydvapkca.exe:Zone.Identifier, ASCII 7->26 dropped 54 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->54 56 Writes to foreign memory regions 7->56 58 Allocates memory in foreign processes 7->58 16 InstallUtil.exe 14 2 7->16         started        60 Antivirus detection for dropped file 12->60 62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 20 InstallUtil.exe 2 12->20         started        66 Injects a PE file into a foreign processes 14->66 22 InstallUtil.exe 14->22         started        file6 signatures7 process8 dnsIp9 28 reallyfreegeoip.org 188.114.96.3, 443, 49706, 49707 CLOUDFLARENETUS European Union 16->28 30 checkip.dyndns.com 158.101.44.242, 49705, 49708, 49710 ORACLE-BMC-31898US United States 16->30 40 Tries to steal Mail credentials (via file / registry access) 22->40 42 Tries to harvest and steal browser information (history, passwords, etc) 22->42 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
67.212.175.162
 wymascensores.com United States
32475 SINGLEHOP-LLCUS true
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
wymascensores.com 67.212.175.162 true
reallyfreegeoip.org 188.114.96.3 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://wymascensores.com/panel/Skdqhzzwa.mp3 true
  • Avira URL Cloud: safe
 unknown
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • Avira URL Cloud: safe
 unknown