Windows Analysis Report
Ref_336210627.exe

Overview

General Information

Sample name: Ref_336210627.exe
Analysis ID: 1519347
MD5: bd22f0c99670c51675ebb91843db7181
SHA1: 8d290ff02196024b6ae7a564172a29e73e00de7d
SHA256: 8921e9e55861c043b028cee713316efd923aff62fca9abb2e7cc7eb3092063e3
Tags: exe, SnakeKeylogger, user-cocaman

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendqpostal@bisttro.shop", "Password": "W79cDo2h05Iv", "Host": "bisttro.shop", "Port": "587", "Version": "5.1"}
Source: C:\Users\user\AppData\Roaming\ijohw.exe ReversingLabs: Detection: 21%
Source: Ref_336210627.exe ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ijohw.exe Joe Sandbox ML: detected
Source: Ref_336210627.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: Ref_336210627.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49757 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49772 version: TLS 1.0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: Ref_336210627.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1790161541.0000000003708000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1811785668.0000000006740000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.00000000042FF000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.0000000003633000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1790161541.0000000003708000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1811785668.0000000006740000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.00000000042FF000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.0000000003633000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 4x nop then jmp 06587B17h 0_2_06587AB8
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 4x nop then jmp 06588291h 0_2_06588230
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 4x nop then jmp 06588291h 0_2_06588220
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 4x nop then jmp 06587B17h 0_2_06587AA8
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 4x nop then jmp 06588291h 0_2_06588446
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 4x nop then jmp 0658EA00h 0_2_0658E948
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 4x nop then jmp 0658EA00h 0_2_0658E940
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0673D578
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05CF7B17h 3_2_05CF7AB8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05CFEA00h 3_2_05CFE948
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05CFEA00h 3_2_05CFE940
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05CF8291h 3_2_05CF8446
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05CF7B17h 3_2_05CF7AA8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05CF8291h 3_2_05CF8220
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05CF8291h 3_2_05CF8230
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05DE4DCAh 3_2_05DE4D8D
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05DE4DCAh 3_2_05DE4C50
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05DE4DCAh 3_2_05DE4C60
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 05DE4DCAh 3_2_05DE4F3A
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05DE2F38
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05DE2F30
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_05EAD578
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 06567B17h 9_2_06567AB8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 06568291h 9_2_06568230
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 06568291h 9_2_06568220
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 06567B17h 9_2_06567AA8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 06568291h 9_2_0656843F
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 0656EA00h 9_2_0656E940
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 0656EA00h 9_2_0656E948
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 065F4DCAh 9_2_065F4F3A
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 9_2_065F2F38
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 9_2_065F2F30
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 065F4DCAh 9_2_065F4C50
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 065F4DCAh 9_2_065F4C60
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then jmp 065F4DCAh 9_2_065F4D8D
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 9_2_0661D578

Networking

Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 172.86.66.70:80 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 172.86.66.70:80 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 172.86.66.70:80 -> 192.168.2.4:49753
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 172.86.66.70:80 -> 192.168.2.4:49753
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 172.86.66.70:80 -> 192.168.2.4:49755
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 172.86.66.70:80 -> 192.168.2.4:49755
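The two Emerging Threats alerts above (2017962 "disguised as ASCII" and 2022640 "Text M2") fire because the server at 172.86.66.70 returns a Windows PE under a non-executable Content-Type. The check below is an added example written for this page; it is not code from the Joe Sandbox report or from the ET ruleset. It reimplements the underlying idea in Python: parse the MZ/PE header of a response body and compare what the file actually is with what the server declared (Content-Type and the URI extension, here modelled on the report's GET /y3/Lusnteor.mp3). The sample responses, including the PE bytes, are constructed inline; the minimal PE header is not the real second-stage payload.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Content-Types under which a PE body is suspicious: the server claims text or
# media while the payload is a Windows executable (the ET "disguised as ASCII"/"Text" idea).
NON_EXECUTABLE_TYPES = ("text/", "audio/", "image/", "video/", "application/xml", "application/json")
EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr", "bin"}

@dataclass
class PeInfo:
    machine: int      # IMAGE_FILE_HEADER.Machine: 0x14c = i386, 0x8664 = x64
    is_dll: bool      # IMAGE_FILE_DLL (0x2000) set in Characteristics
    subsystem: int    # IMAGE_OPTIONAL_HEADER.Subsystem (2 = GUI, 3 = console)

def parse_pe(body: bytes) -> Optional[PeInfo]:
    """Return header facts if `body` starts with a well-formed MZ/PE header, else None."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    # The PE signature must lie inside the buffer; junk that merely starts with "MZ" fails here.
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER is 20 bytes directly after the signature.
    machine, _nsec, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    subsystem = 0
    if opt_size >= 70 and e_lfanew + 24 + 70 <= len(body):
        subsystem = struct.unpack_from("<H", body, e_lfanew + 24 + 68)[0]
    return PeInfo(machine=machine, is_dll=bool(chars & 0x2000), subsystem=subsystem)

def disguised_pe(content_type: str, uri: str, body: bytes) -> Optional[str]:
    """Flag a response whose declared type/extension is non-executable but whose body is a PE.
    Returns a short reason string, or None when the declaration matches the content."""
    pe = parse_pe(body)
    if pe is None:
        return None
    ct = content_type.split(";")[0].strip().lower()
    name = uri.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons = []
    if ct == "" or ct.startswith(NON_EXECUTABLE_TYPES):
        reasons.append(f"content-type {ct or '<missing>'}")
    if ext and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension .{ext}")
    if not reasons:
        return None
    kind = "DLL" if pe.is_dll else "EXE"
    arch = {0x14C: "x86", 0x8664: "x64"}.get(pe.machine, hex(pe.machine))
    return f"{arch} {kind} served as " + " / ".join(reasons)

def build_minimal_pe(is_dll: bool = False) -> bytes:
    """Constructed test input: a bare MZ stub plus PE/COFF header, not the report's payload."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = 0x0102 | (0x2000 if is_dll else 0)            # EXECUTABLE_IMAGE | 32BIT_MACHINE [| DLL]
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                     # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed responses: the first mirrors the report's URI served as text, the
# second is a legitimately declared executable, the third is the geoip XML reply.
SAMPLE_RESPONSES = [
    {"uri": "/y3/Lusnteor.mp3", "content_type": "text/plain", "body": build_minimal_pe()},
    {"uri": "/update/agent.exe", "content_type": "application/octet-stream", "body": build_minimal_pe()},
    {"uri": "/xml/8.46.123.33", "content_type": "text/xml", "body": b"<Response><IP>8.46.123.33</IP></Response>"},
]

def scan(responses):
    """Return (uri, reason-or-None) for every response."""
    return [(r["uri"], disguised_pe(r["content_type"], r["uri"], r["body"])) for r in responses]

if __name__ == "__main__":
    for uri, reason in scan(SAMPLE_RESPONSES):
        print(uri, "->", reason or "ok")
```

Only the first response is flagged: a valid PE header behind a text Content-Type and an .mp3 extension. The declared-executable download and the XML reply pass, which is the point of checking the header rather than just the magic bytes: a body that merely starts with "MZ" but has no PE signature at e_lfanew is not reported.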
Source: Yara match File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected (12 requests): GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected (12 requests): GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected (3 requests): GET /y3/Lusnteor.mp3 HTTP/1.1 | Host: 172.86.66.70 | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View IP Address: 193.122.130.0
Source: Joe Sandbox View ASN Name: M247GB
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49744 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49756 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49759 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49774 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49771 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49776 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49758 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49775 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49735 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49770 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49773 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49781 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49779 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49764 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49760 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49751 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected (15 requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected (12 requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49757 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49772 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 172.86.66.70 (50 occurrences)
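The network evidence in this section describes a three-step pattern: a request to checkip.dyndns.org with a fixed, very old User-Agent ("MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;", note the missing space after CLR), a follow-up GET /xml/<public IP> to reallyfreegeoip.org sent without any User-Agent (the "Tries to detect the country of the analysis system" and "HTTP GET or POST without a user agent" signatures), and a payload fetch from a bare IP address that was never resolved via DNS. The detector below is an added example, not part of the Joe Sandbox report; it runs the three checks over a constructed proxy log and correlates the IP check with the geolocation lookup per source host. The pipe-delimited log layout is an assumption made for the example, and the detection generalizes beyond the report: any /xml/<IPv4> lookup is matched, not only 8.46.123.33.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the report's HTTP traffic.
IP_CHECK_HOSTS = {"checkip.dyndns.org"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
# Fixed legacy UA the sample sends to checkip.dyndns.org; "CLR1.0.3705" has no space after CLR.
SNAKE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
GEOIP_PATH = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WINDOW = timedelta(seconds=120)   # IP check -> geolocation lookup correlation window (assumption)

# Constructed proxy log: ts|src|method|host|uri|user-agent, "-" meaning the header was absent.
# The first three lines reproduce the report's sequence; the last two are benign control traffic.
SAMPLE_LOG = """\
2024-09-25T10:00:01Z|192.168.2.4|GET|checkip.dyndns.org|/|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
2024-09-25T10:00:02Z|192.168.2.4|GET|reallyfreegeoip.org|/xml/8.46.123.33|-
2024-09-25T10:00:09Z|192.168.2.4|GET|172.86.66.70|/y3/Lusnteor.mp3|-
2024-09-25T10:05:00Z|192.168.2.10|GET|checkip.dyndns.org|/|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0
2024-09-25T11:30:00Z|192.168.2.10|GET|www.example.com|/index.html|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0
"""

def parse_log(text):
    """Parse the constructed log format into event dicts; ua is None when the header was absent."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, uri, ua = line.split("|", 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "method": method, "host": host, "uri": uri,
            "ua": None if ua == "-" else ua,
        })
    return events

def detect(events):
    """Return {src: [finding, ...]} for hosts showing the IP-check / geolocation / bare-IP pattern."""
    findings = defaultdict(list)
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        ip_checks = []   # earlier IP-check requests from this host, for correlation
        for ev in evs:
            if ev["host"] in IP_CHECK_HOSTS:
                ip_checks.append(ev)
                # A browser asking checkip.dyndns.org is not flagged; the hard-coded UA is.
                if ev["ua"] == SNAKE_UA:
                    findings[src].append("hard-coded legacy UA to %s" % ev["host"])
            elif ev["host"] in GEOIP_HOSTS:
                m = GEOIP_PATH.match(ev["uri"])
                if m and ev["ua"] is None:
                    findings[src].append("geolocation lookup of %s without User-Agent" % m.group(1))
                if m and any(timedelta(0) <= ev["ts"] - c["ts"] <= WINDOW for c in ip_checks):
                    findings[src].append("IP check followed by geolocation within %ds" % WINDOW.total_seconds())
            elif BARE_IPV4.match(ev["host"]) and ev["ua"] is None:
                # Host header is a literal IP (no DNS resolution) and no User-Agent: payload fetch pattern.
                findings[src].append("download from bare IP %s (%s) without User-Agent" % (ev["host"], ev["uri"]))
    return dict(findings)

if __name__ == "__main__":
    for src, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(src)
        for hit in hits:
            print("  -", hit)
```

Only 192.168.2.4 is reported, with four findings; the second host's IP check with a current browser User-Agent produces nothing on its own. In production the host lists would be extended to the other IP-echo and geolocation services abused by this family, and the correlation would be keyed on the process or user rather than the source IP when that context is available.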
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /y3/Lusnteor.mp3 HTTP/1.1Host: 172.86.66.70Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: Ref_336210627.exe, 00000000.00000002.1790161541.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.0000000002971000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.000000000323D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.86.66.70
Source: Ref_336210627.exe, 00000000.00000002.1790161541.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.0000000002971000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.0000000003231000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2113494065.0000000001459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.86.66.70/y3/Lusnteor.mp3
Source: InstallUtil.exe, 00000001.00000002.1906440796.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.00000000029EB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002611000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002555000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.00000000025F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000264C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.00000000025E8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002603000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000263E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.0000000003324000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.000000000341B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000000B.00000002.2212706413.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.000000000340C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000001.00000002.1906440796.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002931000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.00000000029EB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002611000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002555000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.00000000025F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000264C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000261E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002598000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002549000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.00000000025E8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000000A.00000002.2125618809.0000000002603000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000263E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000001.00000002.1906440796.0000000002931000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002491000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.0000000003261000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1790161541.000000000378B000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.000000000442C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1903743320.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2049506536.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.00000000036BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: InstallUtil.exe, 00000001.00000002.1906440796.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002611000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.00000000025F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000264C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.00000000025E8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002603000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000263E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000256D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.000000000333C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.000000000341B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000000B.00000002.2212706413.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.000000000340C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: Ref_336210627.exe, 00000000.00000002.1790161541.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002931000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.0000000002971000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.000000000323D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002491000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.0000000003261000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2049506536.0000000004374000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000001.00000002.1906440796.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.00000000029EB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002611000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002555000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.00000000025F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000264C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002598000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.00000000025E8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002603000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000263E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.0000000003367000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000000B.00000002.2212706413.0000000003324000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.000000000341B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1790161541.000000000378B000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.000000000442C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1903743320.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.00000000029EB000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2049506536.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002555000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.0000000003324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 0000000B.00000002.2212706413.000000000340C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: InstallUtil.exe, 00000001.00000002.1906440796.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1906440796.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002611000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.00000000025F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000264C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002598000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.00000000025E8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.0000000002603000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2125618809.000000000263E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.0000000003367000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.000000000341B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000000B.00000002.2212706413.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2212706413.000000000340C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Ref_336210627.exe, 00000000.00000002.1790161541.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.0000000003321000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Ref_336210627.exe, ijohw.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0

System Summary

Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.1903743320.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1903743320.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2034336187.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2049506536.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2049506536.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.2115666335.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1790161541.000000000378B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1804561635.000000000442C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1804561635.000000000442C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Ref_336210627.exe PID: 6036, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Ref_336210627.exe PID: 6036, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 480, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 480, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: ijohw.exe PID: 4168, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ijohw.exe PID: 4168, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
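The match list above repeats every rule hit once per unpacked PE, per memory dump and per process memory space, and the same rule shows up under two names: the short form here ("Detects Snake Keylogger", "Author: ditekSHen") and the rule name with full metadata (MALWARE_Win_SnakeKeylogger, Windows_Trojan_SnakeKeylogger_af3faa65) in the listing further down. The Python below is an added example, not the sandbox's own output or tooling. It parses lines of exactly these shapes into one table of process to matched rules, resolves the hex process index at the front of the .sdmp names back to an image name learned from the unpack entries, and splits the metadata key = value lists without breaking a value that itself contains a comma (scan_context = file, memory). The sample lines are copied from this report; the process labels and record field names are the example's own choices.

```python
import re
from collections import defaultdict

# Lines in the shapes this report uses, copied from the listing above (a subset).
SAMPLE_LINES = [
    "Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen",
    "Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23",
    "Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/",
    "Source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown",
    "Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth",
    "Source: 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown",
    "Source: 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen",
    "Source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen",
]

HEAD_RE = re.compile(r"^Source: (?P<source>.+?), type: (?P<kind>[A-Z]+) Matched rule: (?P<rest>.+)$")
AUTHOR_RE = re.compile(r"^(?P<rule>.+?) Author: (?P<author>.+)$")
# key = value pairs; a value may itself contain ", " (scan_context = file, memory),
# so a pair ends only where the next "key = " begins or at end of line.
META_KV_RE = re.compile(r"(?P<key>\w+) = (?P<val>.*?)(?=, \w+ = |$)")
# 3.2.ijohw.exe.3a3fdb0.8.unpack -> process index 3, image ijohw.exe
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.\d+\.(?P<image>.+?\.(?:exe|dll))\.")
# 00000009.00000002.<...>.sdmp -> process index 9 (hex), no image name in the source
SDMP_RE = re.compile(r"^(?P<idx>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\..*\.sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")


def parse_meta(text):
    """Turn 'k = v, k = v, ...' into a dict, keeping commas inside values."""
    return {m["key"]: m["val"] for m in META_KV_RE.finditer(text)}


def parse_line(line):
    """One report line -> {source, kind, rule, meta}, or None if it is not a match line."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = {"source": m["source"], "kind": m["kind"]}
    a = AUTHOR_RE.match(m["rest"])
    if a:                                    # short form: "<description> Author: <name>"
        rec.update(rule=a["rule"], meta={"author": a["author"]})
    else:                                    # long form: "<rule_name> key = value, ..."
        rule, _, meta = m["rest"].partition(" ")
        rec.update(rule=rule, meta=parse_meta(meta))
    return rec


def process_label(source, kind, names):
    """Collapse the three source kinds onto one 'which process' label."""
    if kind == "MEMORYSTR" and (m := MEMSTR_RE.match(source)):
        return f"{m['image']} (PID {m['pid']})"
    if kind == "UNPACKEDPE" and (m := UNPACK_RE.match(source)):
        return f"process {int(m['idx'])} {m['image']}"
    if kind == "MEMORY" and (m := SDMP_RE.match(source)):
        idx = int(m["idx"], 16)
        return f"process {idx} {names.get(idx, '?')}"
    return source


def summarize(lines):
    """Map each process label to the sorted set of rules that fired on it."""
    records = [r for r in map(parse_line, lines) if r]
    names = {}                               # process index -> image, learned from unpack entries
    for r in records:
        if r["kind"] == "UNPACKEDPE" and (m := UNPACK_RE.match(r["source"])):
            names[int(m["idx"])] = m["image"]
    hits = defaultdict(set)
    for r in records:
        hits[process_label(r["source"], r["kind"], names)].add(r["rule"])
    return {label: sorted(rules) for label, rules in hits.items()}


if __name__ == "__main__":
    for label, rules in summarize(SAMPLE_LINES).items():
        print(f"{label}: {', '.join(rules)}")
```

Feeding the whole report through summarize() gives the four processes the keylogger payload was found in (the dropper, the injected InstallUtil.exe and both ijohw.exe instances) on one screen, and the parsed metadata carries the rule id and fingerprint a responder needs to pull the exact rule version rather than its description.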
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_06671138 NtResumeThread, 0_2_06671138
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_06671131 NtResumeThread, 0_2_06671131
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658FEA0 NtProtectVirtualMemory, 0_2_0658FEA0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658FE98 NtProtectVirtualMemory, 0_2_0658FE98
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFFEA0 NtProtectVirtualMemory, 3_2_05CFFEA0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFFE98 NtProtectVirtualMemory, 3_2_05CFFE98
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DE1138 NtResumeThread, 3_2_05DE1138
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DE1131 NtResumeThread, 3_2_05DE1131
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656FEA0 NtProtectVirtualMemory, 9_2_0656FEA0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656FE98 NtProtectVirtualMemory, 9_2_0656FE98
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065F1138 NtResumeThread, 9_2_065F1138
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065F1131 NtResumeThread, 9_2_065F1131
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_016322F2 0_2_016322F2
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01630A58 0_2_01630A58
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01630D1B 0_2_01630D1B
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01638C48 0_2_01638C48
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0163D1D8 0_2_0163D1D8
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0163169E 0_2_0163169E
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01631FE0 0_2_01631FE0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01632081 0_2_01632081
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01638A18 0_2_01638A18
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01630D62 0_2_01630D62
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01630DD9 0_2_01630DD9
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01638C38 0_2_01638C38
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_016312D4 0_2_016312D4
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0163179D 0_2_0163179D
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01639660 0_2_01639660
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_01639670 0_2_01639670
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_064D0048 0_2_064D0048
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0655142C 0_2_0655142C
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0655BCE0 0_2_0655BCE0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_06550040 0_2_06550040
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0655BCD0 0_2_0655BCD0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_06555398 0_2_06555398
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_065553A8 0_2_065553A8
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_06550006 0_2_06550006
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0655A8D0 0_2_0655A8D0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0655A8C0 0_2_0655A8C0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658E7E2 0_2_0658E7E2
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658AFA8 0_2_0658AFA8
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658FC18 0_2_0658FC18
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658D0B8 0_2_0658D0B8
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_06584958 0_2_06584958
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658E5D0 0_2_0658E5D0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658E215 0_2_0658E215
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_065886B9 0_2_065886B9
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658EF1A 0_2_0658EF1A
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658EF28 0_2_0658EF28
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658AF97 0_2_0658AF97
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658FC08 0_2_0658FC08
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658D0A9 0_2_0658D0A9
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658DD40 0_2_0658DD40
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658DD30 0_2_0658DD30
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658DDDE 0_2_0658DDDE
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658E5C2 0_2_0658E5C2
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658C590 0_2_0658C590
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0658DDBA 0_2_0658DDBA
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066CF8A0 0_2_066CF8A0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066CC1F0 0_2_066CC1F0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C819A 0_2_066C819A
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C8FE8 0_2_066C8FE8
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C8FD8 0_2_066C8FD8
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066CD408 0_2_066CD408
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066CC527 0_2_066CC527
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C0040 0_2_066C0040
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C0023 0_2_066C0023
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C81CC 0_2_066C81CC
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_06730040 0_2_06730040
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_06730007 0_2_06730007
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_0699CD10 0_2_0699CD10
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_064D0001 0_2_064D0001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CC6120 1_2_00CC6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CCC489 1_2_00CCC489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CC3581 1_2_00CC3581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CCB50D 1_2_00CCB50D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CC46D9 1_2_00CC46D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CCB7F1 1_2_00CCB7F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CCC771 1_2_00CCC771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CC6898 1_2_00CC6898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CCBAC0 1_2_00CCBAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CCCA41 1_2_00CCCA41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CCBDA0 1_2_00CCBDA0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB22F2 3_2_00EB22F2
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB0A58 3_2_00EB0A58
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB8C48 3_2_00EB8C48
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB0D18 3_2_00EB0D18
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EBD1D8 3_2_00EBD1D8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB169E 3_2_00EB169E
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB1FE0 3_2_00EB1FE0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB2081 3_2_00EB2081
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB8C42 3_2_00EB8C42
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB0DD9 3_2_00EB0DD9
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB0D62 3_2_00EB0D62
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB12D4 3_2_00EB12D4
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB9670 3_2_00EB9670
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_00EB179D 3_2_00EB179D
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CCBCE0 3_2_05CCBCE0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CC142C 3_2_05CC142C
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CC0040 3_2_05CC0040
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CCBCD0 3_2_05CCBCD0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CCA8C0 3_2_05CCA8C0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CCA8D0 3_2_05CCA8D0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CC0019 3_2_05CC0019
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CC5398 3_2_05CC5398
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CC53A8 3_2_05CC53A8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFE5D0 3_2_05CFE5D0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFDD40 3_2_05CFDD40
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CF4958 3_2_05CF4958
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFD0B8 3_2_05CFD0B8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFFC18 3_2_05CFFC18
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFAFA8 3_2_05CFAFA8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFE5C2 3_2_05CFE5C2
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFDDDE 3_2_05CFDDDE
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFC590 3_2_05CFC590
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFDDBA 3_2_05CFDDBA
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFDD30 3_2_05CFDD30
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFD0A9 3_2_05CFD0A9
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFFC08 3_2_05CFFC08
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFAF97 3_2_05CFAF97
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFEF1A 3_2_05CFEF1A
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFEF28 3_2_05CFEF28
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CFE215 3_2_05CFE215
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DEB820 3_2_05DEB820
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DE3270 3_2_05DE3270
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DE4D8D 3_2_05DE4D8D
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DE4C50 3_2_05DE4C50
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DE4C60 3_2_05DE4C60
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DEA859 3_2_05DEA859
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DEA868 3_2_05DEA868
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DEB810 3_2_05DEB810
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DEBAF7 3_2_05DEBAF7
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DE3261 3_2_05DE3261
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E3C1F0 3_2_05E3C1F0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E3819A 3_2_05E3819A
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E3F8A0 3_2_05E3F8A0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E3C527 3_2_05E3C527
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E3D408 3_2_05E3D408
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E38FE8 3_2_05E38FE8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E38FD8 3_2_05E38FD8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E381CC 3_2_05E381CC
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E30040 3_2_05E30040
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E30007 3_2_05E30007
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05EA0040 3_2_05EA0040
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05EA0031 3_2_05EA0031
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_0610CD10 3_2_0610CD10
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_014122F2 9_2_014122F2
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01410A58 9_2_01410A58
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01410D18 9_2_01410D18
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01418C48 9_2_01418C48
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0141D1D8 9_2_0141D1D8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0141169E 9_2_0141169E
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01411FE0 9_2_01411FE0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01412081 9_2_01412081
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01410D62 9_2_01410D62
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01410DD9 9_2_01410DD9
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01418C3B 9_2_01418C3B
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_014193FC 9_2_014193FC
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01419385 9_2_01419385
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01419265 9_2_01419265
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_014112D4 9_2_014112D4
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0141179D 9_2_0141179D
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_01419670 9_2_01419670
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0653142C 9_2_0653142C
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0653BCE0 9_2_0653BCE0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_06530040 9_2_06530040
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0653BCD0 9_2_0653BCD0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_06535398 9_2_06535398
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065353A8 9_2_065353A8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_06530006 9_2_06530006
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0653A8D0 9_2_0653A8D0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0653A8C0 9_2_0653A8C0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_06564718 9_2_06564718
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656E7E2 9_2_0656E7E2
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656AFA8 9_2_0656AFA8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656FC18 9_2_0656FC18
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656D0B8 9_2_0656D0B8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656DD40 9_2_0656DD40
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656E5D0 9_2_0656E5D0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656E215 9_2_0656E215
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656EF1A 9_2_0656EF1A
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656EF28 9_2_0656EF28
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656AF97 9_2_0656AF97
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656FC08 9_2_0656FC08
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656D0A9 9_2_0656D0A9
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656DD30 9_2_0656DD30
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656DDDE 9_2_0656DDDE
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656E5C2 9_2_0656E5C2
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656C590 9_2_0656C590
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0656DDBA 9_2_0656DDBA
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065F3270 9_2_065F3270
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065FB820 9_2_065FB820
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065F4C50 9_2_065F4C50
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065F4C60 9_2_065F4C60
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065F4D8D 9_2_065F4D8D
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065F3261 9_2_065F3261
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065FBAF7 9_2_065FBAF7
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065FA85A 9_2_065FA85A
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065FA868 9_2_065FA868
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065FB810 9_2_065FB810
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_06610040 9_2_06610040
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_06610016 9_2_06610016
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_066BF8A0 9_2_066BF8A0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_066BC1F0 9_2_066BC1F0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_066B819A 9_2_066B819A
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_066B8FE8 9_2_066B8FE8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_066B8FD8 9_2_066B8FD8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_066BD408 9_2_066BD408
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_066BC527 9_2_066BC527
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_066B0040 9_2_066B0040
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_066B0006 9_2_066B0006
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_066B81CC 9_2_066B81CC
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_0697CD10 9_2_0697CD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022CB328 10_2_022CB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022C6108 10_2_022C6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022CC192 10_2_022CC192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022C6730 10_2_022C6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022CC752 10_2_022CC752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022CC470 10_2_022CC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022C9540 10_2_022C9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022CCA32 10_2_022CCA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022C4AD9 10_2_022C4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022CBBD2 10_2_022CBBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022CBEB2 10_2_022CBEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022CB4F2 10_2_022CB4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_022C3572 10_2_022C3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018CC190 11_2_018CC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018C6108 11_2_018C6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018CB4A0 11_2_018CB4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018CC470 11_2_018CC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018C6730 11_2_018C6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018CC751 11_2_018CC751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018C9858 11_2_018C9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018CBBD3 11_2_018CBBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018C4AD9 11_2_018C4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018CCA31 11_2_018CCA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018CBEB0 11_2_018CBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018C3570 11_2_018C3570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_018CB4F3 11_2_018CB4F3
Source: Ref_336210627.exe Static PE information: invalid certificate
Source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1790161541.00000000032E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1788694534.00000000014BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1790161541.0000000003708000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGpsgfzjcr.dll" vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1809223366.0000000006250000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameGpsgfzjcr.dll" vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1790161541.000000000378B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1804561635.000000000442C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGpsgfzjcr.dll" vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1811785668.0000000006740000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref_336210627.exe
Source: Ref_336210627.exe, 00000000.00000002.1804561635.00000000042B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref_336210627.exe
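Each line above is the sandbox comparing an OriginalFilename field from a VS_VERSIONINFO block found in process memory with the name of the image that memory belongs to. A mismatch means a PE other than the running image is mapped or embedded there; the values here (Microsoft.Win32.TaskScheduler.dll, protobuf-net.dll, Gpsgfzjcr.dll, lfwhUWZlmFnGhDYPudAJ.exe) are consistent with the Costura assembly-loader detection in this report, which bundles dependencies as resources inside the .NET dropper. The Python below is an added example, not the sandbox's implementation: it scans a raw dump for one VERSIONINFO string key and reports the values that differ from the host image. The _string_entry helper and SAMPLE_BLOB only construct test input in the real VS_VERSIONINFO String layout; the scanner keys on the UTF-16LE key name and does not need the struct header.

```python
import re
import struct


def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO 'String' structure: wLength, wValueLength (in
    WCHARs), wType=1 (text), szKey, padding to a 32-bit boundary, szValue.
    Used here only to construct sample input; real samples carry these in
    .rsrc and, once loaded, in process memory."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    if (6 + len(body)) % 4:                  # szValue must start 32-bit aligned
        body += b"\x00\x00"
    val = value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(body) + len(val), len(value) + 1, 1) + body + val


def version_strings(blob: bytes, key: str = "OriginalFilename") -> list[str]:
    """Distinct values of one VERSIONINFO string key found anywhere in blob.
    The value is a NUL-terminated UTF-16LE string that follows the key's own
    terminator and optional 2-byte alignment padding; any 16-bit unit other
    than 0x0000 is accepted, up to 260 units (MAX_PATH)."""
    pat = re.compile(
        re.escape(key.encode("utf-16-le"))
        + rb"\x00\x00(?:\x00\x00)?(?P<val>(?:(?!\x00\x00)..){1,260})\x00\x00",
        re.DOTALL,
    )
    return sorted({m["val"].decode("utf-16-le", "replace") for m in pat.finditer(blob)})


def original_filenames(blob: bytes) -> list[str]:
    return version_strings(blob, "OriginalFilename")


def mismatches(blob: bytes, image_name: str) -> list[str]:
    """OriginalFilename values that do not match the image the memory was dumped
    from: embedded or injected modules, or a renamed/repurposed binary."""
    return [v for v in original_filenames(blob) if v.lower() != image_name.lower()]


# Constructed stand-in for a memory dump of the dropper: the host image's own
# version block plus three embedded assemblies' blocks (names from this report),
# with filler bytes and one duplicate to show the scanner ignores both.
SAMPLE_BLOB = (
    b"\x90" * 16
    + _string_entry("OriginalFilename", "Ref_336210627.exe")
    + b"\x00\x00\x00\x00"
    + _string_entry("ProductName", "TaskScheduler")          # different key, padded layout
    + _string_entry("OriginalFilename", "Microsoft.Win32.TaskScheduler.dll")
    + b"junk\xff\xfe"
    + _string_entry("OriginalFilename", "protobuf-net.dll")
    + _string_entry("OriginalFilename", "protobuf-net.dll")  # duplicate, collapsed
    + _string_entry("OriginalFilename", "Gpsgfzjcr.dll")
)


if __name__ == "__main__":
    for name in mismatches(SAMPLE_BLOB, "Ref_336210627.exe"):
        print(f"OriginalFilename {name} vs Ref_336210627.exe")
```

Run against a real .sdmp or a full process dump the function produces the same "X vs image" pairs the report lists. Two caveats a practitioner should keep in mind: a mismatch alone is not malicious (legitimately loaded DLLs carry their own version blocks, so filter against the process's module list first), and the regex only recovers values that are NUL-terminated in memory, so a partially overwritten block yields nothing rather than a truncated name.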
Source: Ref_336210627.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.1903743320.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1903743320.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2034336187.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2049506536.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2049506536.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.2115666335.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1790161541.000000000378B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1804561635.000000000442C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1804561635.000000000442C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Ref_336210627.exe PID: 6036, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Ref_336210627.exe PID: 6036, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 480, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 480, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: ijohw.exe PID: 4168, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ijohw.exe PID: 4168, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.evad.winEXE@24/3@2/3
Source: C:\Users\user\Desktop\Ref_336210627.exe File created: C:\Users\user\AppData\Roaming\ijohw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
Source: Ref_336210627.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ref_336210627.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Ref_336210627.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Ref_336210627.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\Ref_336210627.exe File read: C:\Users\user\Desktop\Ref_336210627.exe
Source: unknown Process created: C:\Users\user\Desktop\Ref_336210627.exe "C:\Users\user\Desktop\Ref_336210627.exe"
Source: C:\Users\user\Desktop\Ref_336210627.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ijohw.exe "C:\Users\user\AppData\Roaming\ijohw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\ijohw.exe "C:\Users\user\AppData\Roaming\ijohw.exe"
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\Ref_336210627.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Ref_336210627.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Ref_336210627.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Ref_336210627.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1790161541.0000000003708000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1811785668.0000000006740000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.00000000042FF000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.0000000003633000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Ref_336210627.exe, 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1790161541.0000000003708000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1811785668.0000000006740000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.00000000042FF000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.0000000003633000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Ref_336210627.exe, 00000000.00000002.1810021867.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Ref_336210627.exe, 00000000.00000002.1804561635.0000000004C6E000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.0000000004BEE000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.Ref_336210627.exe.6500000.11.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.Ref_336210627.exe.6500000.11.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.Ref_336210627.exe.6500000.11.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.Ref_336210627.exe.6500000.11.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.Ref_336210627.exe.6500000.11.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.Ref_336210627.exe.4c6e9d0.2.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.Ref_336210627.exe.4c6e9d0.2.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.Ref_336210627.exe.4c6e9d0.2.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.Ref_336210627.exe.4c6e9d0.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.Ref_336210627.exe.4c6e9d0.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 0.2.Ref_336210627.exe.6610000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.4b99f70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ijohw.exe.4b1a300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ijohw.exe.499d230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.49dd210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1810532267.0000000006610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1790161541.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2115666335.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2034336187.000000000299F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2144670543.000000000499D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1804561635.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref_336210627.exe PID: 6036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 4168, type: MEMORYSTR
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_064D2E9D push esp; retf 0_2_064D2EA8
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_06554594 push E8000001h; ret 0_2_06554599
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_065573DD push es; retf 0_2_065573E0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_06581FB1 push es; ret 0_2_06581FC0
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C5EB7 push es; ret 0_2_066C5ED4
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C6211 push es; iretd 0_2_066C6224
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C6362 push esp; retf 0_2_066C6369
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C63B2 pushfd ; retf 0_2_066C63B9
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C60C9 push es; retf 0_2_066C60F8
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066C6087 push es; retf 0_2_066C6094
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_066CB970 push es; ret 0_2_066CBA20
Source: C:\Users\user\Desktop\Ref_336210627.exe Code function: 0_2_067383E4 push ecx; iretd 0_2_067383E5
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05CC4594 push E8000001h; ret 3_2_05CC4599
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DE7806 push esp; iretd 3_2_05DE7807
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05DE3B40 pushad ; ret 3_2_05DE3B49
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E363B3 pushfd ; retf 3_2_05E363B9
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E36363 push esp; retf 3_2_05E36369
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05E605F0 push 0000002Eh; iretd 3_2_05E605F4
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05EA83E4 push ecx; iretd 3_2_05EA83E5
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05EA2A83 push es; retf 3_2_05EA2A8A
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 3_2_05EA2A08 push es; retf 3_2_05EA2A0F
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_064B2EA7 push esp; retf 9_2_064B2EA8
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_06534594 push E8000001h; ret 9_2_06534599
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065373DD push es; retf 9_2_065373E0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_06561FB1 push es; ret 9_2_06561FC0
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065FB555 push es; iretd 9_2_065FB570
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065F5DAC push es; iretd 9_2_065F5DB4
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065FA2D9 push es; ret 9_2_065FA2DC
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065F3B40 pushad ; ret 9_2_065F3B49
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_065F7806 push esp; iretd 9_2_065F7807
Source: C:\Users\user\AppData\Roaming\ijohw.exe Code function: 9_2_06611F77 push esi; ret 9_2_06611F7E
Source: 0.2.Ref_336210627.exe.6250000.10.raw.unpack, fo2MhyAtd3tcBNcyt74.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'DT7AOvjp6y', 'NtProtectVirtualMemory', 'BlimSuWrOpARhqUKet7', 'cJVqSwWDsmDX4ZtRuPK', 'shENFoWQSvGbOaUZ5kN', 'c5BtMlWW8YIca96SHmR'
Source: 0.2.Ref_336210627.exe.6250000.10.raw.unpack, z0yuTBAxoNgAbLgMYFW.cs High entropy of concatenated method names: 'U0ZAD0emdC', 'SQHTnlWBmZfWkqa34kN', 'DK3IobWM9qdNuGO1GRN', 'LohloHWbccejRqV4Wuy', 'wl6q63WU6TiuEO099Bj', 'VfDeaNWwq7f6qSnbPd2', 'eoFX8AWifehBblLpgBs', 'ekveLhW4lNKqOpS4BlP'
Source: C:\Users\user\Desktop\Ref_336210627.exe File created: C:\Users\user\AppData\Roaming\ijohw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: C:\Users\user\Desktop\Ref_336210627.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ijohw
Source: C:\Users\user\Desktop\Ref_336210627.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ijohw
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Ref_336210627.exe PID: 6036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 4168, type: MEMORYSTR
Source: Ref_336210627.exe, 00000000.00000002.1790161541.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2034336187.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ijohw.exe, 00000009.00000002.2115666335.00000000032CB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Ref_336210627.exe Memory allocated: 1630000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref_336210627.exe Memory allocated: 32B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref_336210627.exe Memory allocated: 18F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: CC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2930000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 27E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory allocated: EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory allocated: 2970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory allocated: 26D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory allocated: 1410000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory allocated: 3230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory allocated: 30C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 22C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2490000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4490000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 18C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3260000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 5260000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599106
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594468 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594331 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596323
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 6449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 1042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 8796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep count: 35 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 764 Thread sleep count: 3386 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -599888s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 764 Thread sleep count: 6449 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -599780s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -599672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -599559s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -599449s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -599343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -599223s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -599106s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -598974s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -598841s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -598734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -598624s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -598515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -598406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -598296s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -598187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -598078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -597968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -597859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -597748s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -597640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -597529s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -597421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -597312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -597203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -597093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -596984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -596845s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -596731s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -596625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -596514s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -596232s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -596031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -595866s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -595751s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -595625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -595515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -595355s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -595234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -595125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -595015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -594906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -594796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -594686s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -594578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -594468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -594331s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -594218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -594109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -594000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3468 Thread sleep time: -593890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep count: 32 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 416 Thread sleep count: 1042 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -599891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 416 Thread sleep count: 8796 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -599781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -599672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -599562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -599453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -599344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -599234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -599125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -599016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -598891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -598735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -598622s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -598467s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -598191s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -598063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -597953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -597844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -597734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -597625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -597515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -597406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -597297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -597188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -597063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -596941s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -596825s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -596703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -596594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -596484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -596375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -596266s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -596141s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -596016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -595906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -595797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -595687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -595578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -595469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -595359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -595250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -595140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -595031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -594922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -594813s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -594703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -594578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -594469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -594344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -594234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2860 Thread sleep time: -594102s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep count: 36 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5516 Thread sleep count: 7262 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -599859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5516 Thread sleep count: 2577 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -599750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -599638s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -599527s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -599422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -599111s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -598924s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -598804s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -598688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -598578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -598469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -598344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -598232s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -598125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -598016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -597906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -597797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -597688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -597563s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -597453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -597344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -597219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -597109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -597000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -596891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -596781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -596672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -596549s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -596433s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -596323s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -596211s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -596094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -595984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -595875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -595766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -595641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -595516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -595406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -595297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -595187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -595078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -594969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -594859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -594750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -594641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -594516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -594391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -594281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -594172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7032 Thread sleep time: -594063s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599106
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594331
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596323
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594063
Source: Ref_336210627.exe, 00000000.00000002.1788694534.00000000014F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
Source: ijohw.exe, 00000009.00000002.2113494065.0000000001459000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: ijohw.exe, 00000009.00000002.2115666335.00000000032CB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: ijohw.exe, 00000009.00000002.2115666335.00000000032CB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000001.00000002.1904191855.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, ijohw.exe, 00000003.00000002.2032180010.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2122020409.0000000000896000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2209628746.0000000001537000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Ref_336210627.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Ref_336210627.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Ref_336210627.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Ref_336210627.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Ref_336210627.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3A0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ref_336210627.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3A0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Ref_336210627.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\Ref_336210627.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\Ref_336210627.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000
Source: C:\Users\user\Desktop\Ref_336210627.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000
Source: C:\Users\user\Desktop\Ref_336210627.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 65E008
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3A0000
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3A2000
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3C2000
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3C4000
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5A4008
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000
Source: C:\Users\user\AppData\Roaming\ijohw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 108D008
Source: C:\Users\user\Desktop\Ref_336210627.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\AppData\Roaming\ijohw.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\Ref_336210627.exe Queries volume information: C:\Users\user\Desktop\Ref_336210627.exe VolumeInformation
Source: C:\Users\user\Desktop\Ref_336210627.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ijohw.exe Queries volume information: C:\Users\user\AppData\Roaming\ijohw.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ijohw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ijohw.exe Queries volume information: C:\Users\user\AppData\Roaming\ijohw.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ijohw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Ref_336210627.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1903743320.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2034336187.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2049506536.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2115666335.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1790161541.000000000378B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1804561635.000000000442C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1906440796.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2125618809.0000000002491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2212706413.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref_336210627.exe PID: 6036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 4168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1260, type: MEMORYSTR
Source: Yara match File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1903743320.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2034336187.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2049506536.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2115666335.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1790161541.000000000378B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1804561635.000000000442C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref_336210627.exe PID: 6036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 4168, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.43acc48.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ijohw.exe.3a3fdb0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.43acc48.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2144670543.000000000437D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1903743320.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2034336187.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2049506536.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2115666335.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1790161541.000000000378B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1804561635.000000000442C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1906440796.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2125618809.0000000002491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2212706413.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref_336210627.exe PID: 6036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 4168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1260, type: MEMORYSTR
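The two Yara listings above (Stealing of Sensitive Information and Remote Access Functionality) repeat the same evidence in three forms: unpacked PE dumps (`<procidx>.<n>.<image>.<hexaddr>...unpack`), raw memory dumps (`<procidx>.<n>.<n>.<hexaddr>....sdmp`) and whole-process string scans (`Process Memory Space: <image> PID: <pid>`). The script below is an added triage example, not part of the Joe Sandbox report: it collapses such lines into a per-process summary (image, unpacked PE addresses, dumped region bases, PIDs) and flags unpacked PEs that share a page with a dumped region. The field positions are inferred from the report's own naming (for example `0.2.Ref_336210627.exe.4331590...` and `00000000.00000002....0000000004331000...sdmp` both point at process 0 near 0x4331000); reading the fifth `.sdmp` field as a Windows `PAGE_*` protection value is an assumption, not something the report states. The sample input is a constructed subset of the lines in this section.

```python
"""Collapse Joe Sandbox 'Yara match' evidence lines into a per-process summary.

Added example for this report, not Joe Sandbox code. Field meanings are
inferred from the report's naming; the protection decode is an assumption.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the 'Yara match' lines listed in this section.
SAMPLE = """\
Source: Yara match File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ijohw.exe.3a3fdb0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.4331590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref_336210627.exe.437fdb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1804561635.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2049506536.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1903743320.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref_336210627.exe PID: 6036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ijohw.exe PID: 3120, type: MEMORYSTR
"""

LINE_RE = re.compile(r"^Source: Yara match File source: (.+?), type: (UNPACKEDPE|MEMORY|MEMORYSTR)$")
# '<procidx>.<n>.<image>.<hexaddr>.<n>[.raw].unpack'  (inferred layout)
UNPACK_RE = re.compile(r"^(\d+)\.\d+\.(.+?)\.([0-9a-fA-F]+)\.\d+\.(?:raw\.)?unpack$")
# '<procidx>.<n>.<n>.<hexaddr>.<hexprot>.<hex>.<hex>.<hex>.sdmp'  (inferred layout)
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})(?:\.[0-9A-Fa-f]{8}){3}\.sdmp$"
)
MEMSTR_RE = re.compile(r"^Process Memory Space: (.+?) PID: (\d+)$")

# Assumption: the fifth .sdmp field is a Windows PAGE_* protection value.
PAGE_EXECUTE_READWRITE = 0x40


def parse_line(line):
    """Return a dict describing one evidence line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m.groups()
    if kind == "UNPACKEDPE":
        u = UNPACK_RE.match(src)
        if not u:
            return None
        return {"kind": kind, "proc": int(u.group(1)), "image": u.group(2), "addr": int(u.group(3), 16)}
    if kind == "MEMORY":
        s = SDMP_RE.match(src)
        if not s:
            return None
        return {"kind": kind, "proc": int(s.group(1), 16), "addr": int(s.group(2), 16), "prot": int(s.group(3), 16)}
    p = MEMSTR_RE.match(src)
    if not p:
        return None
    return {"kind": kind, "image": p.group(1), "pid": int(p.group(2))}


def summarize(text):
    """Group evidence by sandbox process index and by image name."""
    procs = defaultdict(lambda: {"image": None, "unpacked": [], "regions": [], "rwx_regions": []})
    pids = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "UNPACKEDPE":
            procs[rec["proc"]]["image"] = rec["image"]
            procs[rec["proc"]]["unpacked"].append(rec["addr"])
        elif rec["kind"] == "MEMORY":
            procs[rec["proc"]]["regions"].append(rec["addr"])
            if rec["prot"] == PAGE_EXECUTE_READWRITE:
                procs[rec["proc"]]["rwx_regions"].append(rec["addr"])
        else:
            pids[rec["image"]].append(rec["pid"])
    # An unpacked PE whose address lies in the same 4 KiB page as a dumped
    # region base is the same artifact seen twice; report those pairs.
    correlated = sorted(
        (idx, ua, ra)
        for idx, p in procs.items()
        for ua in p["unpacked"]
        for ra in p["regions"]
        if ua >> 12 == ra >> 12
    )
    return {"processes": dict(procs), "pids": dict(pids), "correlated": correlated}


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for idx, p in sorted(result["processes"].items()):
        print(f"process {idx}: {p['image']} unpacked={[hex(a) for a in p['unpacked']]} "
              f"regions={[hex(a) for a in p['regions']]} rwx={[hex(a) for a in p['rwx_regions']]}")
    print("PIDs by image:", result["pids"])
    print("unpacked PE / region pairs on the same page:", [(i, hex(u), hex(r)) for i, u, r in result["correlated"]])
```

Run against the full listing, the summary makes the chain visible at a glance: the submitted sample (process 0), the dropped copy ijohw.exe (process 3) and the InstallUtil.exe host (process 1, whose matched region at 0x402000 is the only one carrying the executable protection value under the assumption above) all contain the same payload.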