Windows Analysis Report
LETTER OF AUTHORIZATION.exe

Overview

General Information

Sample name: LETTER OF AUTHORIZATION.exe
Analysis ID: 1464858
MD5: 57cb0d1fbbe7e57e906d9bec624ff50f
SHA1: d8eeb1c8e4530d619c7a5927fec5fcc892e0b24f
SHA256: 235feecbf39c506144e406ee52d764d830e5124d113280a5e339bf3bdee978a5
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • LETTER OF AUTHORIZATION.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe" MD5: 57CB0D1FBBE7E57E906D9BEC624FF50F)
    • InstallUtil.exe (PID: 2432 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • InstallUtil.exe (PID: 3580 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • WerFault.exe (PID: 2348 cmdline: C:\Windows\system32\WerFault.exe -u -p 5776 -s 1008 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
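The process tree above is the detection opportunity this report leaves unexploited (no Sigma rule matched): a file run from the user's Desktop starts the .NET framework binary InstallUtil.exe twice with an empty command line, which is the footprint of the suspended-process injection the signature list describes, and the dropper then crashes (WerFault.exe -p 5776). The following Python is an added example, not part of the Joe Sandbox report and not Joe Security's code. It runs over constructed Sysmon Event ID 1 style process-creation records (the field names pid, ppid, image and cmdline are assumptions) and flags exactly that pattern, with a benign InstallUtil.exe run as a control.

```python
"""Flag the process pattern in the report's classification tree: an
executable started from a user-writable path spawns InstallUtil.exe with an
empty command line (a hollowed host, not a real installer run) and the
spawning process later crashes (WerFault.exe -p <pid>). Added example; the
records are constructed in a Sysmon Event ID 1 style, not the sandbox log."""

import ntpath
import shlex

# Constructed process-creation records (field names are an assumption).
EVENTS = [
    {"pid": 5776, "ppid": 4120,
     "image": r"C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe",
     "cmdline": r'"C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe"'},
    {"pid": 2432, "ppid": 5776,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"'},
    {"pid": 3580, "ppid": 5776,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"'},
    {"pid": 2348, "ppid": 5776,
     "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 5776 -s 1008"},
    # Benign control: a build agent installing a real service assembly.
    {"pid": 7001, "ppid": 7000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" C:\build\MyService.exe'},
]

# Path fragments that mark user-writable locations (compared lower-case).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def argument_count(cmdline):
    """Number of tokens after the image path. Windows-style quoting, so
    posix=False keeps a quoted path containing spaces as a single token."""
    return max(len(shlex.split(cmdline, posix=False)) - 1, 0)


def find_hollowed_installutil(events):
    """InstallUtil.exe with no arguments, started by a process whose image
    lives in a user-writable directory. Returns [(child pid, parent pid)]."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "installutil.exe":
            continue
        if argument_count(e["cmdline"]) != 0:
            continue  # a genuine install names the assembly to install
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"].lower() if parent else ""
        if any(frag in parent_image for frag in USER_WRITABLE):
            hits.append((e["pid"], e["ppid"]))
    return hits


def crashed_pids(events):
    """PIDs named by WerFault.exe -p, i.e. processes that crashed."""
    crashed = set()
    for e in events:
        if ntpath.basename(e["image"]).lower() != "werfault.exe":
            continue
        toks = shlex.split(e["cmdline"], posix=False)
        if "-p" in toks:
            crashed.add(int(toks[toks.index("-p") + 1]))
    return crashed


def triage_process_tree(events):
    """Join both signals: parent pid -> {children, crashed}."""
    report = {}
    for child, parent in find_hollowed_installutil(events):
        report.setdefault(parent, {"children": [], "crashed": False})["children"].append(child)
    for pid in crashed_pids(events):
        if pid in report:
            report[pid]["crashed"] = True
    return report


if __name__ == "__main__":
    for parent, info in triage_process_tree(EVENTS).items():
        print("parent %d spawned bare InstallUtil.exe %s, crashed=%s"
              % (parent, info["children"], info["crashed"]))
```

The empty-command-line test is the discriminating one: every legitimate use of InstallUtil.exe passes at least an assembly path, so a bare invocation from a non-installer parent is worth an alert on its own, and the WerFault join only raises confidence.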
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}
Source | Rule | Description | Author | Strings
00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x1484e: $a1: get_encryptedPassword
  • 0x14b3a: $a2: get_encryptedUsername
  • 0x1465a: $a3: get_timePasswordChanged
  • 0x14755: $a4: get_passwordField
  • 0x14864: $a5: set_encryptedPassword
  • 0x15e37: $a7: get_logins
  • 0x15d9a: $a10: KeyLoggerEventArgs
  • 0x15a33: $a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x18110: $x1: $%SMTPDV$
  • 0x18176: $x2: $#TheHashHere%&
  • 0x1976d: $x3: %FTPDV$
  • 0x19861: $x4: $%TelegramDv$
  • 0x15a33: $x5: KeyLoggerEventArgs
  • 0x15d9a: $x5: KeyLoggerEventArgs
  • 0x19791: $m2: Clipboard Logs ID
  • 0x199b1: $m2: Screenshot Logs ID
  • 0x19ac1: $m2: keystroke Logs ID
  • 0x19d9b: $m3: SnakePW
  • 0x19989: $m4: \SnakeKeylogger\
00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
[16 further entries not shown]
Source | Rule | Description | Author
2.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
[28 further entries not shown]
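The Yara hits above are mostly plain ASCII strings at fixed offsets in the unpacked payload: the .NET property names the stealer uses to read saved browser logins, the exfiltration-mode markers ($%SMTPDV$, %FTPDV$, $%TelegramDv$) and family names such as KeyLoggerEventArgs and \SnakeKeylogger\. The same strings give a quick first-pass triage of a process memory dump when the full rule set is not at hand. The Python below is an added example, not Joe Security's, Elastic's or ditekSHen's rule code: the verdict condition is my own assumption rather than either real rule's condition, and the dump it scans is constructed so the offsets are illustrative.

```python
"""First-pass triage of a memory dump for the Snake Keylogger strings the
report's Yara hits list. Added example, not any rule author's code; the
verdict condition is an assumption and the dump is constructed."""

# Strings quoted from the report's Yara match output.
CREDENTIAL_API = [b"get_encryptedPassword", b"get_encryptedUsername",
                  b"get_timePasswordChanged", b"get_passwordField",
                  b"set_encryptedPassword", b"get_logins"]
EXFIL_MARKERS = {b"$%SMTPDV$": "SMTP", b"%FTPDV$": "FTP", b"$%TelegramDv$": "Telegram"}
FAMILY_MARKERS = [b"KeyLoggerEventArgs", b"SnakePW", b"\\SnakeKeylogger\\",
                  b"Clipboard Logs ID", b"Screenshot Logs ID", b"keystroke Logs ID"]


def find_all(buf, needle):
    """Every offset of needle in buf (overlapping matches included)."""
    offsets, i = [], buf.find(needle)
    while i != -1:
        offsets.append(i)
        i = buf.find(needle, i + 1)
    return offsets


def scan(buf):
    """Map each marker that occurs to its list of offsets."""
    hits = {}
    for s in CREDENTIAL_API + list(EXFIL_MARKERS) + FAMILY_MARKERS:
        offsets = find_all(buf, s)
        if offsets:
            hits[s.decode()] = offsets
    return hits


def verdict(hits):
    """Assumed condition (not the Elastic or ditekSHen rule's real logic):
    a family marker plus either an exfil-mode marker or two credential APIs.
    Returns (label or None, list of exfil modes seen)."""
    family = sum(1 for s in FAMILY_MARKERS if s.decode() in hits)
    modes = [mode for s, mode in EXFIL_MARKERS.items() if s.decode() in hits]
    creds = sum(1 for s in CREDENTIAL_API if s.decode() in hits)
    if family and (modes or creds >= 2):
        return "SnakeKeylogger", modes
    return None, modes


def format_hits(hits):
    """Render in the report's style: '0x1484e: get_encryptedPassword'."""
    return ["0x%x: %s" % (off, name) for name, offs in hits.items() for off in offs]


# Constructed dump: filler bytes with a handful of the markers embedded.
SAMPLE_DUMP = (b"\x00" * 0x40 + b"get_encryptedPassword\x00get_logins\x00"
               + b"\x90" * 0x20 + b"$%SMTPDV$\x00KeyLoggerEventArgs\x00" + b"\x00" * 0x10)

if __name__ == "__main__":
    found = scan(SAMPLE_DUMP)
    print("\n".join(format_hits(found)))
    print(verdict(found))
```

The mode markers are the useful part for response: which of SMTP, FTP or Telegram is present tells you which egress channel to look for in the network data, and here it agrees with the extracted configuration ("Exfil Mode": "SMTP").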
                  No Sigma rule has matched
                  No Snort rule has matched

AV Detection

Source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}
Source: LETTER OF AUTHORIZATION.exe | ReversingLabs: Detection: 50%
Source: LETTER OF AUTHORIZATION.exe | Virustotal: Detection: 45%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: LETTER OF AUTHORIZATION.exe | Joe Sandbox ML: detected

                  Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

                  Exploits

Source: Yara match | File source: 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LETTER OF AUTHORIZATION.exe PID: 5776, type: MEMORYSTR
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49701 version: TLS 1.0
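The TLS 1.0 finding here and the JA3 fingerprint listed under Networking come from the same artefact, the ClientHello the injected InstallUtil.exe process sends to 188.114.96.3:443. The Python below is an added example, not code from the report: it builds a constructed ClientHello (the cipher suites and extensions are assumed values), parses it, reports a legacy protocol version and computes the JA3 string and hash the standard way (version, ciphers, extensions, named groups, EC point formats, GREASE values removed, MD5). The constructed hello does not reproduce the report's hash 54328bd36c14bd82ddaa0c04b25ed9ad; that value is what a real capture's hash should be compared against.

```python
"""Parse a TLS ClientHello, flag a legacy protocol version and compute the
JA3 fingerprint. Added example, not code from the report; the ClientHello
below is constructed (assumed cipher suites and extensions) and its hash
is not the report's value."""

import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3, as the reference implementation does.
GREASE = {(v << 8) | v for v in range(0x0A, 0xFB, 0x10)}


def build_client_hello(version, ciphers, extensions):
    """Wrap a ClientHello (random is all zeros here, constructed) in a TLS record."""
    body = struct.pack("!H", version) + bytes(32)            # client_version, random
    body += b"\x00"                                           # empty session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                       # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return version, cipher suites, extension types, named groups and EC point formats."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                              # skip random
    pos += 1 + body[pos]                                      # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                      # compression methods
    exts, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 10:                                   # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                                 # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "formats": formats}


def ja3_string(hello):
    def keep(xs):
        return [x for x in xs if x not in GREASE]

    def dash(xs):
        return "-".join(str(x) for x in xs)

    return ",".join([str(hello["version"]), dash(keep(hello["ciphers"])),
                     dash(keep(hello["extensions"])), dash(keep(hello["groups"])),
                     dash(hello["formats"])])


def ja3_hash(hello):
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()


def audit_client_hello(record):
    """Findings for a ClientHello plus its JA3 hash. Only the legacy version
    field is checked; a TLS 1.3 client puts 0x0303 here and its real versions
    in extension 43, which this check deliberately ignores."""
    hello = parse_client_hello(record)
    findings = []
    if hello["version"] <= 0x0301:
        findings.append("client offers legacy protocol version 0x%04x" % hello["version"])
    return findings, ja3_hash(hello)


# Constructed ClientHello: TLS 1.0, three old ciphers, SNI + groups + point formats.
_name = b"reallyfreegeoip.org"
_sni_entry = b"\x00" + struct.pack("!H", len(_name)) + _name
SAMPLE_HELLO = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A], [
    (0, struct.pack("!H", len(_sni_entry)) + _sni_entry),    # server_name
    (10, b"\x00\x04\x00\x17\x00\x18"),                        # secp256r1, secp384r1
    (11, b"\x01\x00"),                                        # uncompressed points
])

if __name__ == "__main__":
    print(ja3_string(parse_client_hello(SAMPLE_HELLO)))
    print(audit_client_hello(SAMPLE_HELLO))
```

A client that still offers TLS 1.0 in 2024 is itself a signal on a Windows 10 host, since the OS default stack does not; combined with a JA3 hash shared across many .NET stealers it is a reasonable hunting pivot, though the hash alone will also match legitimate .NET applications and should not be blocked on by itself.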
Source: LETTER OF AUTHORIZATION.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.pdb source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: System.ni.pdbRSDS source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb#( source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: System.Core.pdb source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: System.ni.pdb source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: System.pdb source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER2F83.tmp.dmp.6.dr
                  Source: Binary string: System.Core.ni.pdb source: WER2F83.tmp.dmp.6.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code functions beginning with 4x nop (function: instruction following the nops):
  2_2_0299F007: jmp 0299F1F6h
  2_2_0299F007: jmp 0299FB80h
  2_2_0299E528: mov dword ptr [ebp-14h], 00000000h
  2_2_055F0D60: jmp 055F1011h
  2_2_055FED60: jmp 055FF009h
  2_2_055FBD98: jmp 055FC041h
  2_2_055FDC00: jmp 055FDEA9h
  2_2_055FB4E8: jmp 055FB791h
  2_2_055FE4B0: jmp 055FE759h
  2_2_055F04A0: jmp 055F0751h
  2_2_055FD7A8: jmp 055FDA51h
  2_2_055FC648: jmp 055FC8F1h
  2_2_055FF610: jmp 055FF8B9h
  2_2_055F1610: jmp 055F1A38h
  2_2_055F1620: jmp 055F1A38h
  2_2_055FCEF8: jmp 055FD1A1h
  2_2_055FB940: jmp 055FBBE9h
  2_2_055F1966: jmp 055F1A38h
  2_2_055FE908: jmp 055FEBB1h
  2_2_055F0900: jmp 055F0BB1h
  2_2_055F11C0: jmp 055F1471h
  2_2_055FC1F0: jmp 055FC499h
  2_2_055FF1B8: jmp 055FF461h
  2_2_055FE058: jmp 055FE301h
  2_2_055F0040: jmp 055F02F1h
  2_2_055FD350: jmp 055FD5F9h
  2_2_055FFA68: jmp 055FFD11h
  2_2_055FCAA0: jmp 055FCD49h
  2_2_06598608: jmp 06598945h
  2_2_06595A70: jmp 06595D19h
  2_2_06595618: jmp 065958C1h
  2_2_06595EC8: jmp 06596171h
  2_2_065936CE: lea esp, dword ptr [ebp-04h]
  2_2_06596778: jmp 06596A21h
  2_2_06596320: jmp 065965C9h
  2_2_06596BD0: jmp 06596E79h
  2_2_065933B8: lea esp, dword ptr [ebp-04h]
  2_2_065933A8: lea esp, dword ptr [ebp-04h]
  2_2_06597050: jmp 065972FAh
  2_2_06590040: jmp 065902E9h
  2_2_065908F0: jmp 06590B99h
  2_2_06590498: jmp 06590741h
  2_2_065974A8: jmp 06597751h
  2_2_06597D58: jmp 06598001h
  2_2_06590D48: jmp 06590FF1h
  2_2_06597900: jmp 06597BA9h
  2_2_06595198: jmp 06595441h
  2_2_065981B0: jmp 06598459h

                  Networking

Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 132.226.8.169
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49701 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: InstallUtil.exe, 00000002.00000002.4543065876.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000002.00000002.4543065876.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B3F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002A63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000002.00000002.4543065876.00000000029B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000002.00000002.4543065876.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: InstallUtil.exe, 00000002.00000002.4543065876.00000000029B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: InstallUtil.exe, 00000002.00000002.4543065876.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: InstallUtil.exe, 00000002.00000002.4543065876.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
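Three network indicators on this page are cheap to alert on: the external-IP lookup to checkip.dyndns.org sent with a fixed, long-obsolete User-Agent (MSIE 6.0 on Windows NT 5.2), the geolocation request GET /xml/<ip> to reallyfreegeoip.org sent with no User-Agent header at all, and the SMTP exfiltration host and port from the extracted configuration (valleycountysar.org port 26). The Python below is an added example, not the report's or Joe Security's code; it parses constructed HTTP request heads and connection records (the record shapes are assumptions, the request shapes follow what the report shows) and returns the reason each one is flagged.

```python
"""Match HTTP request heads and connection records against the network
indicators in this report. Added example; the request heads and flow
records below are constructed, not taken from the sandbox capture."""

import re

# From the report's extracted configuration (exfil password deliberately omitted).
SNAKE_CONFIG = {"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org",
                "Host": "valleycountysar.org", "Port": "26"}

# Fixed User-Agent the sample used for checkip.dyndns.org (quoted from the report).
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

GEOIP_TARGET = re.compile(r"/xml/(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_request_head(raw):
    """Split 'METHOD target HTTP/x.y' plus CRLF-separated headers into a dict;
    header names are lower-cased so lookups are case-insensitive."""
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify_request(raw):
    """Reasons a request head matches the report's HTTP indicators (empty if none)."""
    req = parse_request_head(raw)
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent")
    reasons = []
    if host == "checkip.dyndns.org" and ua == LEGACY_UA:
        reasons.append("external IP lookup with Snake Keylogger's legacy MSIE 6.0 User-Agent")
    m = GEOIP_TARGET.search(req["target"])
    if host == "reallyfreegeoip.org" and m and ua is None:
        reasons.append("geolocation of %s with no User-Agent header" % m.group(1))
    return reasons


def classify_flow(dst_host, dst_port):
    """Flag a connection to the SMTP exfiltration endpoint in the extracted config."""
    if dst_host.lower() == SNAKE_CONFIG["Host"] and dst_port == int(SNAKE_CONFIG["Port"]):
        return "%s exfiltration to %s:%d from extracted config" % (
            SNAKE_CONFIG["Exfil Mode"], dst_host, dst_port)
    return None


# Constructed samples: the two request shapes the report shows and a benign control.
SAMPLE_REQUESTS = [
    "GET /xml/8.46.123.33 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\nConnection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: " + LEGACY_UA + "\r\nHost: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]
SAMPLE_FLOWS = [("valleycountysar.org", 26), ("smtp.example.net", 587)]


def triage_network(requests, flows):
    """Map each flagged record ('host target' or 'host:port') to its reasons."""
    out = {}
    for raw in requests:
        reasons = classify_request(raw)
        if reasons:
            req = parse_request_head(raw)
            out[req["headers"].get("host", "?") + " " + req["target"]] = reasons
    for host, port in flows:
        hit = classify_flow(host, port)
        if hit:
            out["%s:%d" % (host, port)] = [hit]
    return out


if __name__ == "__main__":
    for key, why in triage_network(SAMPLE_REQUESTS, SAMPLE_FLOWS).items():
        print(key, "->", "; ".join(why))
```

The two HTTP checks are deliberately narrow (exact User-Agent, exact host, absent header) because both services are also used by legitimate software; the SMTP check is the one worth blocking on outright, since nothing else on the network should be talking to that mail host on port 26.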

                  System Summary

                  barindex
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: LETTER OF AUTHORIZATION.exe PID: 5776, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: LETTER OF AUTHORIZATION.exe PID: 5776, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: InstallUtil.exe PID: 2432, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: InstallUtil.exe PID: 2432, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5776 -s 1008
                  Source: LETTER OF AUTHORIZATION.exe Static PE information: No import functions for PE file found
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2150146211.00000118FF2A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameElujuginesojisoF vs LETTER OF AUTHORIZATION.exe
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2148277244.00000118918E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameElujuginesojisoF vs LETTER OF AUTHORIZATION.exe
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000000.2078531124.00000118FEA82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOmuxinaq> vs LETTER OF AUTHORIZATION.exe
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs LETTER OF AUTHORIZATION.exe
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameElujuginesojisoF vs LETTER OF AUTHORIZATION.exe
                  Source: LETTER OF AUTHORIZATION.exe Binary or memory string: OriginalFilenameOmuxinaq> vs LETTER OF AUTHORIZATION.exe
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: LETTER OF AUTHORIZATION.exe PID: 5776, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: LETTER OF AUTHORIZATION.exe PID: 5776, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: InstallUtil.exe PID: 2432, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: InstallUtil.exe PID: 2432, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@6/5@2/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5776
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d259c026-c497-4174-832e-9ba7f2022638
Source: LETTER OF AUTHORIZATION.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: InstallUtil.exe, 00000002.00000002.4543065876.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4544323565.0000000003A3C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); (this is the schema of the Chromium "Login Data" SQLite database, i.e. the hollowed InstallUtil.exe process is reading saved browser logins)
Source: LETTER OF AUTHORIZATION.exe | ReversingLabs: Detection: 50%
Source: LETTER OF AUTHORIZATION.exe | Virustotal: Detection: 45%
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | File read: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe
Source: unknown | Process created: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe "C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe"
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5776 -s 1008
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook account-profile store, read by the hollowed process to harvest mail credentials)
Source: LETTER OF AUTHORIZATION.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LETTER OF AUTHORIZATION.exe | Static file information: File size 3097248 > 1048576
Source: LETTER OF AUTHORIZATION.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LETTER OF AUTHORIZATION.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2F83.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: WER2F83.tmp.dmp.6.dr
Source: Binary string: System.ni.pdbRSDS source: WER2F83.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdb#( source: WER2F83.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb source: WER2F83.tmp.dmp.6.dr
Source: Binary string: System.Core.pdb source: WER2F83.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2F83.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2F83.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb source: WER2F83.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WER2F83.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2F83.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER2F83.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WER2F83.tmp.dmp.6.dr
Source: LETTER OF AUTHORIZATION.exe | Static PE information: TimeDateStamp 0x840105AF [Tue Mar 6 15:11:43 2040 UTC] (a compile time in the future, which is what the suspicious-time-stamp finding is based on)
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Code function: 0_2_00007FFD34891598 push edi; iretd 0_2_00007FFD348AB2B6
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Code function: 0_2_00007FFD3496026B push esp; retf 4810h 0_2_00007FFD34960312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_0299B0A5 pushfd ; iretd 2_2_0299B0AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_055F2E78 push esp; iretd 2_2_055F2E79
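The timestamp reported above lives in IMAGE_FILE_HEADER.TimeDateStamp, and checking it is a cheap static triage step. The Python below is an added example, not part of the Joe Sandbox report or of any tool it uses: it walks the DOS header to the PE signature, reads the 32-bit stamp and classifies it against the analysis time. The MZ/PE header it parses is a constructed stub carrying the reported value 0x840105AF, not the sample itself. One caveat a practitioner should keep in mind for a .NET binary like this one: Roslyn deterministic builds fill this field with a content-hash-derived value (in Roslyn's implementation the high bit is set), so a far-future date on its own is weak evidence; the check therefore also reports whether that bit is set.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_FMT = "<HHIIIHH"


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp of a PE image held in memory.
    e_lfanew (offset 0x3C of the DOS header) points at the 'PE\\0\\0' signature;
    IMAGE_FILE_HEADER follows it and TimeDateStamp is its third field."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    _machine, _nsect, ts, _, _, _, _chars = struct.unpack_from(
        FILE_HEADER_FMT, data, e_lfanew + 4)
    return ts


def assess_timestamp(ts: int, now: datetime = None) -> dict:
    """Classify a raw 32-bit TimeDateStamp against the analysis time."""
    now = now or datetime.now(timezone.utc)
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "raw": f"0x{ts:08X}",
        "utc": when.isoformat(),
        "in_future": when > now,            # later than the analysis time
        "zeroed": ts == 0,                  # stripped by some packers/linkers
        # Roslyn deterministic builds set this bit on their hash-derived stamp
        "high_bit_set": bool(ts & 0x8000_0000),
    }


def build_stub_image(ts: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal MZ/PE header (not the sample) carrying `ts`:
    x64 machine, two sections, PE32+ optional-header size, EXECUTABLE_IMAGE |
    LARGE_ADDRESS_AWARE. Only the fields pe_timestamp() touches matter here."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack(FILE_HEADER_FMT, 0x8664, 2, ts, 0, 0, 0xF0, 0x0022)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    image = build_stub_image(0x840105AF)   # the stamp reported for this sample
    print(assess_timestamp(pe_timestamp(image)))
```

For a real file, replace the stub with `open(path, "rb").read()`; only the first `e_lfanew + 24` bytes are needed. A stamp that is in the future and has the high bit clear is the stronger anomaly; one with the high bit set on a .NET assembly is more likely a deterministic-build artefact and should be weighed together with the other static indicators rather than on its own.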
Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Process information set: NOOPENFILEERRORBOX (28 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX (58 identical entries)
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: LETTER OF AUTHORIZATION.exe PID: 5776, type: MEMORYSTR
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe Memory allocated: 118FEDC0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe Memory allocated: 118FF450000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2840000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 29B0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 49B0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599671
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599427
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599187
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598968
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598859
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598750
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598422
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597655
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597209
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597038
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596922
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596812
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596593
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596374
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595359
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595247
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594794
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594660
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594422
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2688
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7163
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep count: 33 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -30437127721620741s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6868 Thread sleep count: 2688 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -599890s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6868 Thread sleep count: 7163 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -599781s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -599671s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -599562s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -599427s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -599297s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -599187s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -599078s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -598968s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -598859s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -598750s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -598640s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -598531s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -598422s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -598312s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -598203s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -598093s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -597984s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -597875s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -597765s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -597655s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -597546s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -597437s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -597328s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -597209s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -597038s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -596922s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -596812s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -596703s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -596593s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -596484s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -596374s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -596234s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -596125s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -596015s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -595906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -595797s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -595687s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -595578s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -595468s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -595359s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -595247s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -595125s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -595015s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -594906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -594794s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -594660s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -594531s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7096 Thread sleep time: -594422s >= -30000s
                  Source: Amcache.hve.6.dr Binary or memory string: VMware
                  Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                  Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                  Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: InstallUtil.exe, 00000002.00000002.4542240473.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                  Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                  Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
                  Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: LETTER OF AUTHORIZATION.exe, 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe Process queried: DebugPort
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_055F7B70 LdrInitializeThunk,2_2_055F7B70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 90F008
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Queries volume information: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4543065876.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4543065876.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: LETTER OF AUTHORIZATION.exe PID: 5776, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2432, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: LETTER OF AUTHORIZATION.exe PID: 5776, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2432, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917c4270.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.LETTER OF AUTHORIZATION.exe.118917a3828.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4543065876.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4543065876.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: LETTER OF AUTHORIZATION.exe PID: 5776, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2432, type: MEMORYSTR
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
                  DLL Side-Loading
                  311
                  Process Injection
                  1
                  Disable or Modify Tools
                  1
                  OS Credential Dumping
                  121
                  Security Software Discovery
                  Remote Services1
                  Email Collection
                  11
                  Encrypted Channel
                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                  DLL Side-Loading
                  41
                  Virtualization/Sandbox Evasion
                  LSASS Memory1
                  Process Discovery
                  Remote Desktop Protocol11
                  Archive Collected Data
                  1
                  Ingress Tool Transfer
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)311
                  Process Injection
                  Security Account Manager41
                  Virtualization/Sandbox Evasion
                  SMB/Windows Admin Shares1
                  Data from Local System
                  2
                  Non-Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  Deobfuscate/Decode Files or Information
                  NTDS1
                  Application Window Discovery
                  Distributed Component Object ModelInput Capture13
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                  Obfuscated Files or Information
                  LSA Secrets1
                  System Network Configuration Discovery
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Timestomp
                  Cached Domain Credentials13
                  System Information Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  DLL Side-Loading
                  DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet



                  Source | Detection | Scanner | Label
                  LETTER OF AUTHORIZATION.exe | 50% | ReversingLabs | ByteCode-MSIL.Spyware.Snakekeylogger
                  LETTER OF AUTHORIZATION.exe | 45% | Virustotal
                  LETTER OF AUTHORIZATION.exe | 100% | Joe Sandbox ML
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  reallyfreegeoip.org | 0% | Virustotal
                  checkip.dyndns.com | 0% | Virustotal
                  checkip.dyndns.org | 1% | Virustotal
                  Source | Detection | Scanner | Label
                  http://upx.sf.net | 0% | URL Reputation | safe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                  http://checkip.dyndns.org | 0% | Avira URL Cloud | safe
                  http://checkip.dyndns.com | 0% | Avira URL Cloud | safe
                  https://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
                  https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | Avira URL Cloud | safe
                  http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
                  https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | Avira URL Cloud | safe
                  http://checkip.dyndns.org/q | 0% | Avira URL Cloud | safe
                  http://checkip.dyndns.com | 0% | Virustotal
                  http://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
                  http://checkip.dyndns.org | 1% | Virustotal
                  https://reallyfreegeoip.org/xml/ | 0% | Avira URL Cloud | safe
                  http://reallyfreegeoip.org | 0% | Virustotal
                  http://checkip.dyndns.org/q | 0% | Virustotal
                  https://reallyfreegeoip.org | 0% | Virustotal
                  http://checkip.dyndns.org/ | 1% | Virustotal
                  https://reallyfreegeoip.org/xml/ | 0% | Virustotal
                  Name | IP | Active | Malicious | Reputation (no Antivirus Detection entries)
                  reallyfreegeoip.org | 188.114.96.3 | true | true | unknown
                  checkip.dyndns.com | 132.226.8.169 | true | false | unknown
                  checkip.dyndns.org | unknown | unknown | true | unknown
                  Name | Malicious | Reputation (Antivirus Detection listed beneath each row)
                  http://checkip.dyndns.org/ | false | unknown
                  • 1%, Virustotal
                  • Avira URL Cloud: safe
                  https://reallyfreegeoip.org/xml/8.46.123.33 | false | unknown
                  • Avira URL Cloud: safe
                  Name | Source | Malicious | Reputation (Antivirus Detection listed beneath each row)
                  https://reallyfreegeoip.org | InstallUtil.exe, 00000002.00000002.4543065876.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | false | unknown
                  • 0%, Virustotal
                  • Avira URL Cloud: safe
                  http://upx.sf.net | Amcache.hve.6.dr | false | unknown
                  • URL Reputation: safe
                  http://checkip.dyndns.org | InstallUtil.exe, 00000002.00000002.4543065876.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B3F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002A63000.00000004.00000800.00020000.00000000.sdmp | false | unknown
                  • 1%, Virustotal
                  • Avira URL Cloud: safe
                  http://checkip.dyndns.com | InstallUtil.exe, 00000002.00000002.4543065876.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | false | unknown
                  • 0%, Virustotal
                  • Avira URL Cloud: safe
                  https://reallyfreegeoip.org/xml/8.46.123.33$ | InstallUtil.exe, 00000002.00000002.4543065876.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | false | unknown
                  • Avira URL Cloud: safe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 00000002.00000002.4543065876.00000000029B1000.00000004.00000800.00020000.00000000.sdmp | false | unknown
                  • URL Reputation: safe
                  http://checkip.dyndns.org/q | LETTER OF AUTHORIZATION.exe, 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | unknown
                  • 0%, Virustotal
                  • Avira URL Cloud: safe
                  http://reallyfreegeoip.org | InstallUtil.exe, 00000002.00000002.4543065876.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | false | unknown
                  • 0%, Virustotal
                  • Avira URL Cloud: safe
                  https://reallyfreegeoip.org/xml/ | LETTER OF AUTHORIZATION.exe, 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.4543065876.0000000002A76000.00000004.00000800.00020000.00000000.sdmp | false | unknown
                  • 0%, Virustotal
                  • Avira URL Cloud: safe
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
                  188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
                  Joe Sandbox version: 40.0.0 Tourmaline
                  Analysis ID: 1464858
                  Start date and time: 2024-06-30 16:23:06 +02:00
                  Joe Sandbox product: CloudBasic
                  Overall analysis duration: 0h 7m 29s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed: 13
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Sample name: LETTER OF AUTHORIZATION.exe
                  Detection: MAL
                  Classification: mal100.troj.spyw.expl.evad.winEXE@6/5@2/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 91%
                  • Number of executed functions: 118
                  • Number of non-executed functions: 53
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 52.182.143.212
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  Time | Type | Description
                  10:23:55 | API Interceptor | 13322783x Sleep call for process: InstallUtil.exe modified
                  10:23:58 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  132.226.8.169Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                  • checkip.dyndns.org/
                  Find-DscResource_QoS.ps1Get hashmaliciousUnknownBrowse
                  • checkip.dyndns.org/
                  MT STENA IMPRESSION Vessel Particulars.exeGet hashmaliciousSnake KeyloggerBrowse
                  • checkip.dyndns.org/
                  LAQ-PO088PDF.batGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                  • checkip.dyndns.org/
                  MT STENA IMPRESSION Vessel Particulars.exeGet hashmaliciousSnake KeyloggerBrowse
                  • checkip.dyndns.org/
                  Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                  • checkip.dyndns.org/
                  MT Sea Gull 9 Particulars.exeGet hashmaliciousSnake KeyloggerBrowse
                  • checkip.dyndns.org/
                  MT Sea Gull 9 Particulars.exeGet hashmaliciousSnake KeyloggerBrowse
                  • checkip.dyndns.org/
                  Commodity Details.exeGet hashmaliciousSnake KeyloggerBrowse
                  • checkip.dyndns.org/
                  Particulars.exeGet hashmaliciousSnake KeyloggerBrowse
                  • checkip.dyndns.org/
                  188.114.96.3cL7A9wGE3w.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                  • 445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
                  http://www.youkonew.anakembok.de/Get hashmaliciousHTMLPhisherBrowse
                  • www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
                  hnCn8gE6NH.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                  • yenot.top/providerlowAuthApibigloadprotectflower.php
                  288292021 ABB.exeGet hashmaliciousFormBookBrowse
                  • www.oc7o0.top/2zff/?Hp=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk6zzmBcbZOQR3Nr9VCMayuUBptQdoGcq8y485hKv0f5POEUdLprTAYpXY&5H=CtUlKhgP42a
                  eiqj38BeRo.rtfGet hashmaliciousFormBookBrowse
                  • www.liposuctionclinics2.today/btrd/?OR-TJfQ=g2Awi9g0RhXmDXdNu5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5szlP5E4EhRYb22U+Mw==&2dc=kvXd-rKHCF
                  Purchase Order -JJ023639-PDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • filetransfer.io/data-package/9a4iHwft/download
                  Techno_PO LV12406-00311.xla.xlsxGet hashmaliciousUnknownBrowse
                  • qr-in.com/cpGHnqq
                  Techno_PO LV12406-00311.xla.xlsxGet hashmaliciousUnknownBrowse
                  • qr-in.com/cpGHnqq
                  QUOTATION_JUNQTRA031244#U00faPDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • filetransfer.io/data-package/ygivXnVx/download
                  NGL 3200-Phase 2- Strainer.exeGet hashmaliciousFormBookBrowse
                  • www.oc7o0.top/2zff/?oH=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk7xznBNrfJyFZcb5vCPyKuUBo+l90Wdia8Y821KfsfreAbg==&ML=uVzXijwPkXTxAbN
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | MT Marine Tiger.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | vsl particulars packing list.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | new order.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | LETTER OF AUTHORIZATION.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | IMG_2007_520073.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | PRODUCTS LIST.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | PRODUCTS LIST.pdf.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | z1MB267382625AE.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | Official PO.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | Prouduct list Specifictions.exe | malicious | Snake Keylogger | 188.114.97.3
checkip.dyndns.com | MT Marine Tiger.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | vsl particulars packing list.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | new order.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Order Details.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | LETTER OF AUTHORIZATION.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | IMG_2007_520073.exe | malicious | PureLog Stealer, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | Find-DscResource_QoS.ps1 | malicious | Unknown | 132.226.8.169
checkip.dyndns.com | PRODUCTS LIST.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | PRODUCTS LIST.pdf.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | z1MB267382625AE.exe | malicious | Snake Keylogger | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UTMEMUS | Order Details.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | Find-DscResource_QoS.ps1 | malicious | Unknown | 132.226.8.169
UTMEMUS | LEpsypIZxU.elf | malicious | Mirai, Moobot | 128.169.91.82
UTMEMUS | itinerary_1719382117.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | Halkbank_Ekstre_20240625_082306_910668.bat.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | 242010.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | MT STENA IMPRESSION Vessel Particulars.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | Baltic questionnaire.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.23220.28486.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | LAQ-PO088PDF.bat | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
CLOUDFLARENETUS | cL7A9wGE3w.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188.114.96.3
CLOUDFLARENETUS | https://bit.ly/3RPGSFw?lBj=IgAqyyGiOF?ehd=cNhnM3Ug7I | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | a.exe | malicious | Unknown | 104.16.184.241
CLOUDFLARENETUS | exe | malicious | Unknown | 172.67.159.30
CLOUDFLARENETUS | https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfF3sPeQKBD_Act5bCCrkUMkGrd87GXE85ptSvU0h8H9S97li_YZ1W2sNi71P90U8x627NEH6e-kCa62tjlvXVsamrSGp1TAMFtfgRydM8D-QFp4rxbgAeEilnkMUdRVDSB2T_2Qfh0hQuA2S3kIGAGxxOhLGRZlimak4HvWAhPpr3cGXO1dkFMRkycppPQIWKMCxf7zn-Sf2FKVlkV3bIiKpv65JecmpKmv7K1YnibkbTtyYKjzM0RBpe8SGtfO5gpSHLvPTYqZjsrGpeXbXcWmlaR9PZhWomJ586b1OeF7psyrkOXu7PHMFbYVK6t7rkfnsF9FVAXEF_z9qYdd6yq7sZRqhCkgEwDqZaPg8lBDqiVI04is9Ux1ckCdi1zoggbpZr_i4tJ1iUVNzVnpUh4z0GQ== | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | https://carsales.au1.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAfnb-qPSyZecO9B5ZfywmNLbpLvp031ot7ln8fPgu7eWwZ19_ZPQHTOqDMGxjirJcrmCsSaiIDmPdIRas_zn4z1go8wNiaf6T7KGdMemdAI87j-2cWRTSM8MgKsIEHUt-& | malicious | Unknown | 162.247.243.29
CLOUDFLARENETUS | j05KsN2280.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188.114.97.3
CLOUDFLARENETUS | FIX_0x80070643_(Need_reboot).reg | malicious | Unknown | 172.67.201.134
CLOUDFLARENETUS | azl7lFUQ86.exe | malicious | DCRat | 104.20.3.235
CLOUDFLARENETUS | Evo Resou_nls..scr.exe | malicious | AsyncRAT | 172.67.75.40
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | MT Marine Tiger.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | vsl particulars packing list.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | new order.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | LETTER OF AUTHORIZATION.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | IMG_2007_520073.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | 30 - 3050324.scr.exe | malicious | Remcos | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | PRODUCTS LIST.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | PRODUCTS LIST.pdf.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | z1MB267382625AE.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | data-sheet.vbs | malicious | PXRECVOWEIWOEI Stealer | 188.114.96.3
                  No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.010831241850549
Encrypted: false
SSDEEP: 96:b8Fk//RKBVsm+SboNy/qXQXIDcQqc6jcEOcw3WTiY+BHUHZ0ownOgFkEwH3d2FY9:Yq0Vz0UnU9aWB9fOzuiFhZ24lO8ELb
MD5: 2EC21C28BCA1F985F78358FBDD64D21F
SHA1: 9473C19C8359B0E9679550ABCCBE931653204022
SHA-256: C5AED082AE721FD0A17F28E9C2D0A2C60C850118BEED6AB832A5EC58F54B4015
SHA-512: FABD15E2E1D1F5C267FE0CF0669A84816F3B5396E55911B80AF89D2D0B16C9CA27E718EB7908788A8025AD56768A659DD4C6345B262699EE6B473F96DAD56086
Malicious: false
Reputation: low
Preview (UTF-16 decoded):
Version=1
EventType=APPCRASH
EventTime=133642310333627740
ReportType=2
Consent=1
UploadTime=133642310340971359
ReportStatus=524384
ReportIdentifier=5a9197ca-ebb7-4c17-b016-25b978ac7f2a
IntegratorReportIdentifier=8da7c0d6-3a5b-4762-8db4-01a0b6f878dd
Wow64Host=34404
NsAppName=LETTER OF AUTHORIZATION.exe
OriginalFilename=Omuxinaq
AppSessionGuid=00001690-0001-0015-e13e-9a21f9cada01
TargetAppId=W:00064dcf21f38b54ce913edb1112bc6a4bfb00000000!0000d8eeb1c8e4530d619c7a5927fec5fcc892e0b24f!L
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Sun Jun 30 14:23:53 2024, 0x1205a4 type
Category: dropped
Size (bytes): 385355
Entropy (8bit): 3.2845824508548898
Encrypted: false
SSDEEP: 3072:36IrvJew/42G/d1mQrFY1CCq6m3+vldBB744jQGMcSpcKz:36IjJew/cZ8q6m3QP7Sf1
MD5: 0F27DED7686BCD34C61D92485BFB7BB6
SHA1: 5516BD601FFF7B127393E2327BE7E2D642E94ED0
SHA-256: F734F18D20EC6C96C18AC15C52BFED59D6F56AC00884365DEF766DE57661AD6A
SHA-512: 680E618839A931F47277928685A4F50B655C5FDA28E6731814E27AA9CE34DD8848B5090C4D3FD9293A62842CC31B5EE466870C0DB8948FC116A0DE0EE257EF8D
Malicious: false
Reputation: low
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8652
Entropy (8bit): 3.719240005697245
Encrypted: false
SSDEEP: 192:R6l7wVeJ24k6Y2DZKZgmfdLKprB89bhMffMrm:R6lXJRk6YkKZgmfdLhhMfN
MD5: E8045ABE8DA12CC701DA5D0FB27C203E
SHA1: 896568BA97D87407C054A3EE175823876B1AF4EE
SHA-256: 592A150D134F3A9B7C3C3F99E2104562AE6313C4F37FFBC1784C718AACEC1BD2
SHA-512: 56066B36061EEBE46C0BA3FE59E7F962274C891C537BEC20EB5A259A37A2E1F4DB2A64E768FF097DED683BF5487227880EAC77C8AF327F3CB084AD8E064188C6
Malicious: false
Reputation: low
Preview (UTF-16 decoded):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>5776</Pi
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4825
Entropy (8bit): 4.582662103240114
Encrypted: false
SSDEEP: 48:cvIwWl8zshJg771I9KVWpW8VYOYm8M4JxDFejmyq85IwkBWfoEd:uIjfzI75k7V2JSCxkfoEd
MD5: 88CF66DD862B13015FAA9834128BD129
SHA1: C6208717FA6CCE0A1E15973C2B5FC5BA77FDE2B5
SHA-256: 79CD164FF5A07F94B99F5ABF1515E0BBCB653F72C28BB09BB0BB44EAF48110B0
SHA-512: 2B41FA5791FE918A515F5B480C6A798ACAD502019FDCD63BE0ADD95D45F5601573BA20DEEF8C32F46A7E6E56AD3AFD14A320358D10C2C7CCFD4B19D51749F303
Malicious: false
Reputation: low
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="19045" />
            <arg nm="vercsdbld" val="2006" />
            <arg nm="verqfe" val="2006" />
            <arg nm="csdbld" val="2006" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="2057" />
            <arg nm="geoid" val="223" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="390566" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.789.19041.0-11.0.1000" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="409
Process: C:\Windows\System32\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.46900801247698
Encrypted: false
SSDEEP: 6144:FzZfpi6ceLPx9skLmb0f2ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNTjDH5S:9ZHt2ZWOKnMM6bFpxj4
MD5: 470D51641D9D26D9D51A7C84DE2B715D
SHA1: EC6D545E14E79009201B7F9DD1BF6FCFD995AA6A
SHA-256: 8F8E10FA33861C4AD6C42170C982CAC68DCC351F1A40E665BFB14FEC9C0C07A4
SHA-512: 1825633F1EFF664FDB438BABB30CADCB769D2B1D57058C17C8E07BDBBE9921ACAD0E8D4574831C544CEEB02A228FF10B90FAC0521389D0F3F1AECA73BFE519E3
Malicious: false
Reputation: low
File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit): 4.17071387961605
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: LETTER OF AUTHORIZATION.exe
File size: 3'097'248 bytes
MD5: 57cb0d1fbbe7e57e906d9bec624ff50f
SHA1: d8eeb1c8e4530d619c7a5927fec5fcc892e0b24f
SHA256: 235feecbf39c506144e406ee52d764d830e5124d113280a5e339bf3bdee978a5
SHA512: 7d0be14e10f4174648cb597b9f8b32883088b9fed59cd4812339cdb379746e49b58dfb357d733fcb9b73c725451b64f6588e328518091b6311ef38c1dc41d886
SSDEEP: 12288:RaoerDVWSJRvp61xGNoQOgR4FeGQ5fzF2M9PbxyWnnMRGIliKj:RinVl1Yeo0R4FeHX2qwRFj
TLSH: 37E51282B8A35D1BFC650234C5D332F16DFDAE9332F2855FEF955D89240267CA522AB0
Icon Hash: 00928e8e8686b000
Entrypoint: 0x400000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x840105AF [Tue Mar 6 15:11:43 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:
                  Instruction
                  dec ebp
                  pop edx
                  nop
                  add byte ptr [ebx], al
                  add byte ptr [eax], al
                  add byte ptr [eax+eax], al
                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x9b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5392 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x33ae | 0x3400 | a4a2cdc9df72d7d8408c9c6737f107fc | False | 0.6467848557692307 | data | 6.1944655722108 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x9b4 | 0xa00 | d4d1a80e40a3a7dc14842f9e0ea5ba1c | False | 0.31015625 | data | 4.215990068227885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x60b8 | 0x388 | data | | | 0.4911504424778761
RT_VERSION | 0x6440 | 0x388 | data | English | United States | 0.4922566371681416
RT_MANIFEST | 0x67c8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jun 30, 2024 16:25:45.987735033 CEST8049720132.226.8.169192.168.2.6
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jun 30, 2024 16:23:54.459386110 CEST | 60829 | 53 | 192.168.2.6 | 1.1.1.1
                  Jun 30, 2024 16:23:54.468234062 CEST | 53 | 60829 | 1.1.1.1 | 192.168.2.6
                  Jun 30, 2024 16:23:55.629904985 CEST | 52705 | 53 | 192.168.2.6 | 1.1.1.1
                  Jun 30, 2024 16:23:55.637643099 CEST | 53 | 52705 | 1.1.1.1 | 192.168.2.6
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jun 30, 2024 16:23:54.459386110 CEST | 192.168.2.6 | 1.1.1.1 | 0x9417 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                  Jun 30, 2024 16:23:55.629904985 CEST | 192.168.2.6 | 1.1.1.1 | 0x11e0 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jun 30, 2024 16:23:54.468234062 CEST | 1.1.1.1 | 192.168.2.6 | 0x9417 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                  Jun 30, 2024 16:23:54.468234062 CEST | 1.1.1.1 | 192.168.2.6 | 0x9417 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                  Jun 30, 2024 16:23:54.468234062 CEST | 1.1.1.1 | 192.168.2.6 | 0x9417 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                  Jun 30, 2024 16:23:54.468234062 CEST | 1.1.1.1 | 192.168.2.6 | 0x9417 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                  Jun 30, 2024 16:23:54.468234062 CEST | 1.1.1.1 | 192.168.2.6 | 0x9417 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                  Jun 30, 2024 16:23:54.468234062 CEST | 1.1.1.1 | 192.168.2.6 | 0x9417 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                  Jun 30, 2024 16:23:55.637643099 CEST | 1.1.1.1 | 192.168.2.6 | 0x11e0 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                  Jun 30, 2024 16:23:55.637643099 CEST | 1.1.1.1 | 192.168.2.6 | 0x11e0 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  • reallyfreegeoip.org
                  • checkip.dyndns.org
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.6 | 49700 | 132.226.8.169 | 80 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jun 30, 2024 16:23:54.486789942 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                  Jun 30, 2024 16:23:55.289753914 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:23:55 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 0f5f305219c90c3f8763a3db717a4f98
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                  Jun 30, 2024 16:23:55.312232018 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Jun 30, 2024 16:23:55.573235989 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:23:55 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 6b647a698d042a7747d7265deddb91b1
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                  Jun 30, 2024 16:23:56.610258102 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Jun 30, 2024 16:23:56.870302916 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:23:56 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 0f8ee2b1a30eb138d587bd0992656191
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.6 | 49706 | 132.226.8.169 | 80 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jun 30, 2024 16:23:57.540734053 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Jun 30, 2024 16:23:58.337528944 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:23:58 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 8fd17d444f014c0a1536441192b8bea7
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.6 | 49710 | 132.226.8.169 | 80 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jun 30, 2024 16:23:58.979296923 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                  Jun 30, 2024 16:23:59.787322998 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:23:59 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 1e06c3896ee9d2f8edc4ba5622321ff6
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.6 | 49714 | 132.226.8.169 | 80 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jun 30, 2024 16:24:00.531339884 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                  Jun 30, 2024 16:24:01.342286110 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:24:01 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 35a491eb1ab3ce0ecbd1a19bff5d7867
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  4 | 192.168.2.6 | 49716 | 132.226.8.169 | 80 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jun 30, 2024 16:24:01.987421036 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                  Jun 30, 2024 16:24:02.833487034 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:24:02 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 5ed1f29d2ee4a75fe9bb2c3dba245b36
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                  Jun 30, 2024 16:24:03.101833105 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:24:02 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 5ed1f29d2ee4a75fe9bb2c3dba245b36
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  5 | 192.168.2.6 | 49718 | 132.226.8.169 | 80 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jun 30, 2024 16:24:03.719947100 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                  Jun 30, 2024 16:24:04.508342981 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:24:04 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 2c7be51425733c486078ee8f5b5be0fe
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  6 | 192.168.2.6 | 49720 | 132.226.8.169 | 80 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jun 30, 2024 16:24:05.159986019 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                  Jun 30, 2024 16:24:05.972330093 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:24:05 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 4c4b49438902d64352986b01dd99c8a2
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.6 | 49701 | 188.114.96.3 | 443 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-06-30 14:23:56 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-06-30 14:23:56 UTC | 708 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:23:56 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: EXPIRED
                  Last-Modified: Fri, 28 Jun 2024 23:11:33 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1T6xl%2F8lr2Y3vtulq%2BwkQF%2BFBCQn0vAuTOGyy7%2FDPZJ5psC6cmifWxneTcYc36vIfKcnscZvU%2FfgccP%2Bharc1GBlhC67V0o3BntEt8%2FKUTzjW0Q8yLxiSZl9qTzMDmE%2ByFEOD0wL"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89bed128487b1a48-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-06-30 14:23:56 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-06-30 14:23:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.6 | 49704 | 188.114.96.3 | 443 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-06-30 14:23:57 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-06-30 14:23:57 UTC | 714 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:23:57 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 1
                  Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gPV3GSWH4meC5C23FqrEKbeDWIXK3fP59K%2BFaTCU5n2pQ6ehoFi%2B%2F5ULv%2FypieJrWVf%2FedJ9qT%2FACO9N0U5Ncf5RAblSFCdu61fdWWVPOPukHm%2BR88naP%2BhWbzX%2Bic4tSqgEoEfJ"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89bed130181b4267-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-06-30 14:23:57 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-06-30 14:23:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.6 | 49708 | 188.114.96.3 | 443 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-06-30 14:23:58 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-06-30 14:23:58 UTC | 698 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:23:58 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 2
                  Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h98JeW3SYh9HJ%2Bi6eEhANpltFcmRMiplNQ2g8DRxY4h82JORCuNDGVATXSylulcAcp54F2217q4EPrwoC296MAsKKgH7z0FJ2WmuxktO9GgQ6jtSSLWttwaPOhA6pjiSTjp4RcUn"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89bed1390ef9c3fa-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-06-30 14:23:58 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-06-30 14:23:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.6 | 49713 | 188.114.96.3 | 443 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-06-30 14:24:00 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-06-30 14:24:00 UTC | 708 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:24:00 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 4
                  Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qAL0K8p%2F0MtVgDKoCIvf3%2BWQC6FT1FRrtmrOk9%2BDQVp52RzXCup%2BQLdniZ3ZdPIDo19ilm9e%2BTQThkwN966G%2BKILuxl4pFW6ViyF84qezwi9EoRtT5ubvjMQ8ryV9L0RjwyXxqcC"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89bed1428d280c8e-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-06-30 14:24:00 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-06-30 14:24:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  4 | 192.168.2.6 | 49715 | 188.114.96.3 | 443 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-06-30 14:24:01 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-06-30 14:24:01 UTC | 702 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:24:01 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 5
                  Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2fmX8dVBAFpjl6bS%2FYodboeYbRKUmJ8nodQT7BOadZt7bIieF7W0hUyGl%2F5DA9DcZsE72qHwjlcXf3IUquSN93LK3hPXTLZPUdR6gxBs0GwCN0gnhxk7aDfZeFlzXQG%2BcV2JU2uk"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89bed14beede1819-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-06-30 14:24:01 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-06-30 14:24:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  5 | 192.168.2.6 | 49717 | 188.114.96.3 | 443 | 2432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-06-30 14:24:03 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-06-30 14:24:03 UTC | 706 | IN | HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:24:03 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 7
                  Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u5mzzVQJk7dC6dnFtErMqoMJbW%2FXUImDJaDls8AbIStHsLwlf5bHvz6Nxm2r%2BzOBsWQ2kBQOrD%2F59rKSIjrBxwFTwAKVxJ09xmYW3ziZ2tyPqSXU3jaFIDVlljRN%2F2Ns%2FnIl4BSd"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89bed156b9cc19cb-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-06-30 14:24:03 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-06-30 14:24:03 UTC5INData Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID:6
                  Source IP:192.168.2.6
                  Source Port:49719
                  Destination IP:188.114.96.3
                  Destination Port:443
                  PID:2432
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp  Bytes transferred  Direction  Data
                  2024-06-30 14:24:05 UTC  84  OUT  GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-06-30 14:24:05 UTC  700  IN  HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:24:05 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 9
                  Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WnEIYpxY0hLqHZRdkka9IuYns%2BL5AdUcGE0RASHf3OkzKAwh1iVDVTlOrMdC5hLuZs2s2sH508AmREbo2jdVJXoOKBo4KuKD2qyLc%2BTx42O2o1y2iRl0zJEbeU700hcvaCclgvG2"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89bed15fbce5c33a-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-06-30 14:24:05 UTC  340  IN  Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-06-30 14:24:05 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID:7
                  Source IP:192.168.2.6
                  Source Port:49721
                  Destination IP:188.114.96.3
                  Destination Port:443
                  PID:2432
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Timestamp  Bytes transferred  Direction  Data
                  2024-06-30 14:24:06 UTC  84  OUT  GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-06-30 14:24:06 UTC  711  IN  HTTP/1.1 200 OK
                  Date: Sun, 30 Jun 2024 14:24:06 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 10
                  Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=deYSVdZP%2BZJAYmHipQwlDXW%2BXmNT%2Fv4u9URLX%2BRPHtrdSf4gl8Fb4ubwiiYBpts0hz6kny92Vz8P5iWSpUHBhyfIKuLNADzTw69ado2%2B6V%2FmRRq4XTxMaD1%2BS1meVpBA7ddk4Nbd"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89bed168cf3e8c7b-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-06-30 14:24:06 UTC  340  IN  Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-06-30 14:24:06 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Target ID:0
                  Start time:10:23:52
                  Start date:30/06/2024
                  Path:C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe"
                  Imagebase:0x118fea80000
                  File size:3'097'248 bytes
                  MD5 hash:57CB0D1FBBE7E57E906D9BEC624FF50F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2147880002.0000011881763000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2148277244.000001189170D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:10:23:52
                  Start date:30/06/2024
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                  Imagebase:0x700000
                  File size:42'064 bytes
                  MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4541927175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4543065876.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4543065876.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:moderate
                  Has exited:false

                  Target ID:3
                  Start time:10:23:52
                  Start date:30/06/2024
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  Wow64 process (32bit):
                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                  Imagebase:
                  File size:42'064 bytes
                  MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:false

                  Target ID:6
                  Start time:10:23:53
                  Start date:30/06/2024
                  Path:C:\Windows\System32\WerFault.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\WerFault.exe -u -p 5776 -s 1008
                  Imagebase:0x7ff71ecf0000
                  File size:570'736 bytes
                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                    Execution Graph

                    Execution Coverage:9.9%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:3
                    Total number of Limit Nodes:0
                    execution_graph: 7ffd348a7829 -> 7ffd348a783f (VirtualProtect) -> 7ffd348a78e1

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID: X]w4$fish
                    • API String ID: 0-2113251362
                    • Opcode ID: 04c7caa3e04a4ea39d679faca622a0b77b82bb7b9019c37d77d9c237fedf4e23
                    • Instruction ID: f59ff52e9800b0b5b9610624e999989156840d2641e1e4f1fc1d5f013e4eeaa3
                    • Opcode Fuzzy Hash: 04c7caa3e04a4ea39d679faca622a0b77b82bb7b9019c37d77d9c237fedf4e23
                    • Instruction Fuzzy Hash: 69D11931B1CE4A0FE75DAB2898A55B57BE1EF9B210B04417ED58BC3192DE28AC468781
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4N_L
                    • API String ID: 0-1715493888
                    • Opcode ID: 6681173384cf607a8d1688ea91d407b6198ad96d8e680cb21d1d42c4972eebf1
                    • Instruction ID: 79b0d8dac4cb99b3a027476a28554e8509a55628e3630275cd71b108ab8b7a6f
                    • Opcode Fuzzy Hash: 6681173384cf607a8d1688ea91d407b6198ad96d8e680cb21d1d42c4972eebf1
                    • Instruction Fuzzy Hash: 96B2573160CB854FD359DB28C4A14B5BFE2FF96301B1445BEE48AC72A6DE39E846C781

                    Control-flow Graph

                    Control-flow graph of the function starting at 7ffd34898b40 (executed / not executed node colouring and edge list not reproduced here)
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID: YY_L
                    • API String ID: 0-3060123179
                    • Opcode ID: c52890d7fb6f2ff8cc3575318a27b7265a2dd3649ef51755880f144a546b4803
                    • Instruction ID: d5d5473a06f7df4e9b4e8d1e647c590f4ffc1713ebd0838a5bf84065011209d4
                    • Opcode Fuzzy Hash: c52890d7fb6f2ff8cc3575318a27b7265a2dd3649ef51755880f144a546b4803
                    • Instruction Fuzzy Hash: CD42B730B18A494FDB68DF2CD4A56797BE1FF5A301F1401BEE48EC7292DE29AC429741

                    Control-flow Graph

                    Control-flow graph of the function starting at 7ffd34891608 (executed / not executed node colouring and edge list not reproduced here)
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID: d
                    • API String ID: 0-2564639436
                    • Opcode ID: 83fe1ddf8d3141b7921383e04812966117c42e986a8c4e76a7de230ace652286
                    • Instruction ID: f6cd3a58138d27837bb856011ca111854a369f6a47e41a2cd395dbda65e02230
                    • Opcode Fuzzy Hash: 83fe1ddf8d3141b7921383e04812966117c42e986a8c4e76a7de230ace652286
                    • Instruction Fuzzy Hash: 53125431B1CE4A4FE759DB6898E25B17BD0FF46314B1442BAD58EC7197EE28F8428780

                    Control-flow Graph

                    Control-flow graph of the function starting at 7ffd348a31c7 (executed / not executed node colouring and edge list not reproduced here)
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID: v^
                    • API String ID: 0-1724403811
                    • Opcode ID: f8458dd686604f496d654094c10e93b04a3125c1c772f5beea7c4a928e966b2d
                    • Instruction ID: bb44a5c8767804c974c5354ac97919348da574b386b48305fb9f503ff50cdd31
                    • Opcode Fuzzy Hash: f8458dd686604f496d654094c10e93b04a3125c1c772f5beea7c4a928e966b2d
                    • Instruction Fuzzy Hash: 3F025C31B0FA454FE3E9C76C94A657477D1FF9A320B1402BED94DC7292DE9CA8068391
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 26909a3c4b419b1b4cbfb0b9f4f20d41b963f19fa9b13a74fbf76696fb2ac907
                    • Instruction ID: 8e9a10ab055cef324573e1072921921d21a48c231de86c33acc4abfbc1665246
                    • Opcode Fuzzy Hash: 26909a3c4b419b1b4cbfb0b9f4f20d41b963f19fa9b13a74fbf76696fb2ac907
                    • Instruction Fuzzy Hash: 3AC2D331A0AA498FDB99DF28C4A56B877E1FF56300F1400BED04EC72A2DE79AC45DB51

                    Control-flow Graph

                    Control-flow graph of the function starting at 7ffd3489b661 (executed / not executed node colouring and edge list not reproduced here)
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c02537ae722e63b6971960d31be37cdbbb37c90306cbcbc482d48420adf29ec6
                    • Instruction ID: 0f3a25f7a442e6b7b10aafc9df030f988cf02c33fa7303ae894b833046deaffa
                    • Opcode Fuzzy Hash: c02537ae722e63b6971960d31be37cdbbb37c90306cbcbc482d48420adf29ec6
                    • Instruction Fuzzy Hash: 0B72F131A0DB8A4FE756CB3888A44A47FF1FF57200B1941FED589CB1A3DA2DA846C741
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8ba4563c08cd0d5bf44534a7d33e457caf966b4a638bb0139f39d3baaf020888
                    • Instruction ID: a7159af9fc50b4395ce5dfaa7620bf0075ae056b5949c18a42bd6b56160b2a0c
                    • Opcode Fuzzy Hash: 8ba4563c08cd0d5bf44534a7d33e457caf966b4a638bb0139f39d3baaf020888
                    • Instruction Fuzzy Hash: 99426831A0DB4A4FE3A9DF2884A15B577E1FF97304B1041BED58AC7292DE29E846C781
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dd482d4d2a61e506f0be553ebfb898f729fbbc8871656dcd8038b4b51cc9780d
                    • Instruction ID: e575f684d81e8e177a68979f581625d0e3c3efd2e5854c345df3c39b7dfdb4ed
                    • Opcode Fuzzy Hash: dd482d4d2a61e506f0be553ebfb898f729fbbc8871656dcd8038b4b51cc9780d
                    • Instruction Fuzzy Hash: B4D1193160CF854FE359CB2D84E51B5BBE2FF96301B14867EE5C6C72A1DA28E842D781
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 742b256138c46a605541d5a94aaeb126684361781ec5d62f15f77370f1f950fb
                    • Instruction ID: a1afb68465b3461b5a780d75967b0296ce010005144d5f00d1b1620b7efa1f19
                    • Opcode Fuzzy Hash: 742b256138c46a605541d5a94aaeb126684361781ec5d62f15f77370f1f950fb
                    • Instruction Fuzzy Hash: 2D915C71B1CBC60BE75DCB2D84E11B5BBD2EFC6301B04857ED9DAC32D5D928A8029781
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4de6dcd4ec5e6fe43fcbe4964cbc5971cb7a8a874f04ddbf1e8ef6b9b7660160
                    • Instruction ID: 4214d0ff5d828b6c96bd25a3b3aa0d8579e44803844d196ce07e7461192aaea5
                    • Opcode Fuzzy Hash: 4de6dcd4ec5e6fe43fcbe4964cbc5971cb7a8a874f04ddbf1e8ef6b9b7660160
                    • Instruction Fuzzy Hash: 5F515831B0D7490FE75E8B6888651A57BE1EB87320B15C2BFD48AC7197DD38A8468392

                    Control-flow Graph

                    (rendered graph; executed/not-executed colouring and edge list omitted) Function with basic blocks 7ffd34960236-7ffd34960708 in the 00007FFD34960000 dump; no API calls or sub-function calls are labelled in the graph.
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150887416.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34960000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID: A
                    • API String ID: 0-3554254475
                    • Opcode ID: 8948f4708215054b352b8edb35a9b6a0d2a3ee4e59d9e1105810a0545d5853e4
                    • Instruction ID: 245cc93f6b62ed46b8ddde5ee121cb4e3974e268f98a6f4d832018d07b0f954d
                    • Opcode Fuzzy Hash: 8948f4708215054b352b8edb35a9b6a0d2a3ee4e59d9e1105810a0545d5853e4
                    • Instruction Fuzzy Hash: 74D13B72A0D6864FE765DB2888E55A87BE0FF97330F0505BED588CB0D6DB2C68069351

                    Control-flow Graph

                    (rendered graph; executed/not-executed colouring and edge list omitted) Function at 7ffd348a7829-7ffd348a790f in the 00007FFD34890000 dump; its entry block 7ffd348a7829-7ffd348a78df calls VirtualProtect, the only API labelled in the graph.
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 75f555cc976e19688d4bdde7c5be042c5fdd866d2fae12b490ad4ef1aa982af1
                    • Instruction ID: ea637dd4fab57719c51f200260c3764145f9fad9e33d64e71fc7ba8cf1dd0d3a
                    • Opcode Fuzzy Hash: 75f555cc976e19688d4bdde7c5be042c5fdd866d2fae12b490ad4ef1aa982af1
                    • Instruction Fuzzy Hash: E131D430A0CB5C5FDB18DFA898466F97BF1EB5A321F04426FD049D3152DB74A846CB91
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150887416.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34960000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 637db4fcca9bd3f4b6d71d1d60084a1dd9f931d48b725b637560d15fd98a947f
                    • Instruction ID: df8f289f1dfcc74226c414a988ee2e4bab23d50c0bc2d763e3d0316e76f10b72
                    • Opcode Fuzzy Hash: 637db4fcca9bd3f4b6d71d1d60084a1dd9f931d48b725b637560d15fd98a947f
                    • Instruction Fuzzy Hash: E451593160DAC94FDB16DB2888A34E87BA0FF57330B1501FEC589CB09BCA1DA846D791
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150887416.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34960000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7f96c75b200b97bbfc21da21b6d265d75d61b49833b4fe8930ddd30937ca86b3
                    • Instruction ID: 3d57ecbbb31b6d65dea2b3ce6b14d9d74d93d8e6026366964a83de6ef490f1f6
                    • Opcode Fuzzy Hash: 7f96c75b200b97bbfc21da21b6d265d75d61b49833b4fe8930ddd30937ca86b3
                    • Instruction Fuzzy Hash: 9A416B35A0CA8D4FDB56DF14C8E64A87BF0FF56324B0501BEC18ACB19ACE2DA841D790
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID: :32;$gfff
                    • API String ID: 0-1317646537
                    • Opcode ID: e8b4d00b497fd8b8243c6b314141aa32840210e1bb0dc05d1137ab8a04462d6f
                    • Instruction ID: 04cfe6b59d59116e3e26c73c95d08d06fbf229213646e76e553f21e38c8947b6
                    • Opcode Fuzzy Hash: e8b4d00b497fd8b8243c6b314141aa32840210e1bb0dc05d1137ab8a04462d6f
                    • Instruction Fuzzy Hash: 2451293260E7D50FD31B86799C664A17FE5DB8722070982FBD582CB1E3E9596C0BC392
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: af5945139cd397e6f452734002e2c62c3e57875e7bca25cad5f898fd4dd63cc0
                    • Instruction ID: 34051b6025f2603b4eba2373a4f09c2b735ac80033c32b6518aa19beccd86790
                    • Opcode Fuzzy Hash: af5945139cd397e6f452734002e2c62c3e57875e7bca25cad5f898fd4dd63cc0
                    • Instruction Fuzzy Hash: FC427B16A8EBC60FE75357744CB50A47FB49E2365071E51EBC6C5CB1E3EA0D280AE722
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1ece43c7a59ccbb3da2cfd3409c78e2ae1955fd8e6dba33718c83be7576d1ee2
                    • Instruction ID: 56ddfeabec820e471d6018840dfbd1886ad55a7b9e78969413013fea714345de
                    • Opcode Fuzzy Hash: 1ece43c7a59ccbb3da2cfd3409c78e2ae1955fd8e6dba33718c83be7576d1ee2
                    • Instruction Fuzzy Hash: 5E027F21A4EBC60FE3678B7848710A57FE0AF5321071A41FBC599CB1E3DA1DA84BD752
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 225588b0ae73dcbf8340f901fd9cb6d6ba8ec48f80445befe4f0db53ef2047e7
                    • Instruction ID: b3a662d7a62337a56a28626c66342d6a575261f29ebd9cd94dd7ef0f3f690130
                    • Opcode Fuzzy Hash: 225588b0ae73dcbf8340f901fd9cb6d6ba8ec48f80445befe4f0db53ef2047e7
                    • Instruction Fuzzy Hash: 97E1153070DA894FD799DF28C4A497977E1FF96300B0441BEE48AC72A6DE29EC46C751
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 21efa8a61c57bc19dd1d52200e2b57acfb2d72054cc4f1ea512ec4716c7cdf0d
                    • Instruction ID: 7edf1143ed084b664a4ac016af31c7e6efc9caa4dfd58d0eb0e110ce6a13b3f4
                    • Opcode Fuzzy Hash: 21efa8a61c57bc19dd1d52200e2b57acfb2d72054cc4f1ea512ec4716c7cdf0d
                    • Instruction Fuzzy Hash: 71B16726A8EBC60FE7134B744CB50A47FB49E2365071E51EBC5C5CB1E3DA1D580AEB22
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fe3db549b929373e6f8f03c76b9e3c3c31a38852830adb0da0c5e4a7bed7c5a5
                    • Instruction ID: 92aaf4d167e40be58781b5d254dc89695f50b31a7686eb2f4da0357036f789b1
                    • Opcode Fuzzy Hash: fe3db549b929373e6f8f03c76b9e3c3c31a38852830adb0da0c5e4a7bed7c5a5
                    • Instruction Fuzzy Hash: F3517725A8E7D60FE7234A750CB14997FB0AA2355070E51EBC684CF4E3DA0D580EE762
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 17b1c8b8f37d90f55d9005ef606cf48e58e3a9462ed033ec5c0d77c57b512d69
                    • Instruction ID: 76010824f42768f0ad941fd552dbf9fb15a0728e27ddfbaae07143b92be691fb
                    • Opcode Fuzzy Hash: 17b1c8b8f37d90f55d9005ef606cf48e58e3a9462ed033ec5c0d77c57b512d69
                    • Instruction Fuzzy Hash: 77715212A0D7A25BD712B7FC68B61EA7FA49F0332870C45B7D1C8DA093FD7C644A9285
                    Memory Dump Source
                    • Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34890000_LETTER OF AUTHORIZATION.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9bf87ac59869ebf25371503e2b7626511ebebfc700be5cec1f507cbf01f0060c
                    • Instruction ID: 6dd9d82fb3151fd7917b7c3d1f79419046565fdf14fbc650e3d5fe28b1426b93
                    • Opcode Fuzzy Hash: 9bf87ac59869ebf25371503e2b7626511ebebfc700be5cec1f507cbf01f0060c
                    • Instruction Fuzzy Hash: 2E51EC12A0D7D22BE72277FC69B60EA7FA49F0332870C55B7D1C89A093ED6C64469285

                    Execution Graph

                    Execution Coverage: 12.4%
                    Dynamic/Decrypted Code Coverage: 100%
                    Signature Coverage: 18.4%
                    Total number of Nodes: 38
                    Total number of Limit Nodes: 5
                    (rendered execution graph; edge list omitted) Entry 299ced8 in the 02990000 region of process 2 (InstallUtil) leads into 6598602/6598608 in the 06590000 region, which fan out to 55f7b60, 55f7b70, 55f7d90 and 55f8174 in the 055F0000 region (55f7b60, 55f7d90 and 55f8174 are each annotated "2 API calls"). The only API reached is LdrInitializeThunk, called from 55f816c, 55f7b70 and 55f82b1. A second root at 55f8460 also reaches LdrInitializeThunk via 55f7b70.

                    Control-flow Graph

                    (rendered graph; executed/not-executed colouring and edge list omitted) Function at 55f7b70-55f83d8 in the 055F0000 dump (process 2, InstallUtil); block 55f82b1-55f82c7 calls LdrInitializeThunk, the only API labelled, and block 55f81b8-55f8219 contains a call back to the function's own entry 55f7b70.
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 20b66be34a7378510d16235fa55435ca83528b642ca207c3ae47ca66cde24be9
                    • Instruction ID: a18e7d5abc0cc0067afab40955fb2d6647a6555d87bd19f41ea0b3f4986756bb
                    • Opcode Fuzzy Hash: 20b66be34a7378510d16235fa55435ca83528b642ca207c3ae47ca66cde24be9
                    • Instruction Fuzzy Hash: 44220874E00219CFDB14DFA9C884BADBBB2FF88304F1485A9D509AB355DB359986CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8f2c11272ec6072734bc99ba667a081f1492897fada273ee2e53c0b04fc018bd
                    • Instruction ID: 36165c1c7e04d94488b47bf3965cb87fe8161e1be5f60de9020bfa3eedb7813e
                    • Opcode Fuzzy Hash: 8f2c11272ec6072734bc99ba667a081f1492897fada273ee2e53c0b04fc018bd
                    • Instruction Fuzzy Hash: E5728D70A00209CFDF15CF69C984AAEBBB6FF88324F158569E8059B3A5D735ED41CB60

                    Control-flow Graph

                    (rendered graph; executed/not-executed colouring and edge list omitted) Function at 65911a0-6592004 in the 06590000 dump (process 2, InstallUtil); the call at 65913e3 is shown with two candidate targets, 2994db9 and 2994dc8, both in the 02990000 region. No API calls are labelled.
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b6b90f056ba8c9fcb2c531c70e61638927948b51dde187a44a1150cbdc5f28e4
                    • Instruction ID: 8b31639489dc2096fba9efe34e69353112953977c34bab46930433f9039ccd0e
                    • Opcode Fuzzy Hash: b6b90f056ba8c9fcb2c531c70e61638927948b51dde187a44a1150cbdc5f28e4
                    • Instruction Fuzzy Hash: 8E826E74E01229CFDBA5DF69C998BDDBBB2BB89300F1481E9A40DA7254DB345E81CF50
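Every Memory Dump Source on this page reads "based on PE: false" with a protection field of 00000040 and a type field of 00020000, for two regions in the sample's own process (index 0) and three in process 2 (InstallUtil). The following is an added example, not part of the Joe Sandbox report, that parses these entries and flags regions that are writable and executable yet not backed by a PE image, the memory shape left behind by unpacked or injected code. The PAGE_* and MEM_* values are standard Win32 constants; the assumption, which the report does not document, is that the dot-separated .sdmp name is laid out as proc-index, pass, dump-id, base, protect, state, type, extra, with the protect and type fields carrying those constants. The sixth sample line (an image-backed RX region) is constructed as a negative control and does not appear in the report.

```python
"""Triage of Joe Sandbox "Memory Dump Source" entries (added example).

Parses lines of the form
    Source File: <name>.sdmp, Offset: <hex>, based on PE: <true|false>
and flags regions that are writable+executable but not PE-backed.
ASSUMPTION: the .sdmp name is <proc-index>.<pass>.<dump-id>.<base>.<protect>.<state>.<type>.<extra>
with <protect> a Win32 PAGE_* value and <type> a Win32 MEM_* value.
"""
import re
from dataclasses import dataclass

# Win32 protection constants (low byte; PAGE_GUARD/PAGE_NOCACHE are modifiers above it)
PAGE_READWRITE, PAGE_WRITECOPY = 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
# Win32 memory type constants
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

_EXEC = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
_WRITE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
_TYPE_NAMES = {MEM_PRIVATE: "private", MEM_MAPPED: "mapped", MEM_IMAGE: "image"}

_LINE = re.compile(
    r"Source File:\s*(?P<name>\S+?\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process_index: int
    base: int
    protect: int
    mem_type: int
    pe_backed: bool

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in _EXEC

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in _WRITE

    @property
    def kind(self) -> str:
        return _TYPE_NAMES.get(self.mem_type, "unknown")

    @property
    def suspicious(self) -> bool:
        # RWX memory with no PE image behind it: unpacked or injected code.
        return self.executable and self.writable and not self.pe_backed


def parse_dump_line(line: str):
    """Return a DumpRegion for one 'Source File: ...' line, or None if it is not one."""
    m = _LINE.search(line)
    if not m:
        return None
    name = m.group("name")
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) < 7:
        return None
    return DumpRegion(
        name=name,
        process_index=int(fields[0]),
        base=int(fields[3], 16),      # assumed field layout: base address
        protect=int(fields[4], 16),   # assumed field layout: PAGE_* protection
        mem_type=int(fields[6], 16),  # assumed field layout: MEM_* type
        pe_backed=m.group("pe").lower() == "true",
    )


def triage(lines):
    """Unique suspicious regions, ordered by process index then base address.

    The report repeats the same Source File once per disassembled function,
    so regions are de-duplicated by dump name before filtering."""
    regions = {}
    for line in lines:
        r = parse_dump_line(line)
        if r is not None:
            regions[r.name] = r
    return sorted((r for r in regions.values() if r.suspicious),
                  key=lambda r: (r.process_index, r.base))


def by_process(regions):
    """Map process index -> list of flagged base addresses as hex strings."""
    out = {}
    for r in regions:
        out.setdefault(r.process_index, []).append(f"0x{r.base:X}")
    return out


# Sample input: the five dump sources listed in this report, plus one
# CONSTRUCTED control line for an image-backed RX region that must not be flagged.
SAMPLE_LINES = [
    "Source File: 00000000.00000002.2150688844.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false",
    "Source File: 00000000.00000002.2150887416.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false",
    "Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false",
    "Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false",
    "Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false",
    "Source File: 00000002.00000002.4540000000.0000000000400000.00000020.00001000.01000000.00000000.sdmp, Offset: 00400000, based on PE: true",  # constructed
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"proc {r.process_index}: 0x{r.base:X} protect=0x{r.protect:X} "
              f"{r.kind}, RWX, not PE-backed -> {r.name}")
```

Run against the report's own lines the triage returns all five regions, two in process 0 and three in process 2, and rejects the constructed image-backed control line. The de-duplication by dump name matters because the report lists the same source once per function, so a naive count would inflate the number of regions.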

                    Control-flow Graph

                    (rendered graph; executed/not-executed colouring and edge list omitted) Function at 299f007-299fc1d in the 02990000 dump (process 2, InstallUtil); calls 2990364, 2990384, 299bb4c, 299b020, 299b030 and 29959d0 (the last twice). No API calls are labelled.
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e52b2524dbcbdc7f5562a43b00036837674d73340ebb5018562cff4258fc5c47
                    • Instruction ID: 6735e5ed6fca335338369eae715dd52a0ee5aa27642a655ff92002b0f7401d89
                    • Opcode Fuzzy Hash: e52b2524dbcbdc7f5562a43b00036837674d73340ebb5018562cff4258fc5c47
                    • Instruction Fuzzy Hash: 9672CD74E00229CFDB64DF69C984BE9BBB2BB49314F1481EAD40CA7255EB349E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dd24ad86c5822c1fcbd6bd0cf0273fc2b39c368d563235f96d6285f8d20b185b
                    • Instruction ID: 64e81864b128b1617f38b7ebd4581b402396ba32456e2f33c5c8257b71bd6cb1
                    • Opcode Fuzzy Hash: dd24ad86c5822c1fcbd6bd0cf0273fc2b39c368d563235f96d6285f8d20b185b
                    • Instruction Fuzzy Hash: 1D12AE70A002198FDB14DFA9C954BAEBBFAFF88314F148569E409DB395DB359C42CB90

                    Control-flow Graph
                    • Function at 0x02996730 (basic blocks 0x2996730-0x2996cc5); rendered edge list omitted
                    • Call sites: 0x2996768 resolves to 0x2996108 / 0x2996730 / 0x2996880; 0x29967f5 resolves to 0x2999854 / 0x2999858; 0x2996b56 calls 0x2996e58
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1d03d15e613605fa517553bfa2e594d3e1670691e688a03aa935c22016dfdddf
                    • Instruction ID: 8b70af0ad5360c2872a0b988c61e19dc8121c5d4a50030a715d9d271cbf84573
                    • Opcode Fuzzy Hash: 1d03d15e613605fa517553bfa2e594d3e1670691e688a03aa935c22016dfdddf
                    • Instruction Fuzzy Hash: 08123970A00209DFCF14CFADC984AADBBBAFF88364F158469E505AB265E735EC41CB50

                    Control-flow Graph
                    • Function at 0x02993570 (basic blocks 0x2993570-0x2993ac7); rendered edge list omitted
                    • Block 0x29935d7 is a 16-way branch; call sites: 0x299382b calls 0x29902c8, 0x29937cf calls 0x29902d8, 0x29937ec calls 0x2992060, 0x2993929 calls 0x2991e14, 0x2991e24, 0x2991e34, 0x2991e44 and 0x29902e4
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1c9adc6a7a60c32a08d1255029104cb0bdc164a5234e25ac13e82e404a72c0aa
                    • Instruction ID: 70ac0de87351ca97fe6e081635f5093a62670f4cd382df896e6203588286b201
                    • Opcode Fuzzy Hash: 1c9adc6a7a60c32a08d1255029104cb0bdc164a5234e25ac13e82e404a72c0aa
                    • Instruction Fuzzy Hash: 04F15B74E01248DFDF08DFB9D4546AEBBB3BF88710B14896DE806AB354DB359812CB94

                    Control-flow Graph
                    • Function at 0x0299b328 (basic blocks 0x299b328-0x299b7e3); rendered edge list omitted
                    • Call sites: 0x299b527 calls 0x2993908 and 0x2993428; 0x299b60b calls 0x2994dc8
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 572049febc2186d008d75f16592baa5128fd9babc6b23fda4467c65360f6511e
                    • Instruction ID: aef0a819e58fbf06728ad6a0e04d97b875646510a5a041d68395230d029fd004
                    • Opcode Fuzzy Hash: 572049febc2186d008d75f16592baa5128fd9babc6b23fda4467c65360f6511e
                    • Instruction Fuzzy Hash: 0EE11A75E00218CFDF14CFA9D894A9DBBB6FF99328F158069E819AB361D734A841CF50

                    Control-flow Graph
                    • Function at 0x06598608 (basic blocks 0x6598608-0x6598bc6); rendered edge list omitted
                    • Call sites: 0x6598737 resolves to 0x55f8174 / 0x55f7d90 / 0x55f7b70 / 0x55f7b60 (targets outside the 0x06590000 dump); 0x6598853 resolves to 0x6598c51 / 0x6598ec1
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 740ecea33664e5b630b6f1eee87cf3719a335be704d33d88281e9bc89e8f6368
                    • Instruction ID: aef16978c706c259685a296d8437152edb53ee83ec419b8b5b0874986bef8f6a
                    • Opcode Fuzzy Hash: 740ecea33664e5b630b6f1eee87cf3719a335be704d33d88281e9bc89e8f6368
                    • Instruction Fuzzy Hash: 4DE1D474E00218CFEB54DFA5C994B9DBBB2FF89304F2081A9D418AB395DB355A85CF60
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f2ec2ad2b6891c0596f7859f9b57226ba65a2527f46f01c683e837627dea27cd
                    • Instruction ID: 73c5c498c85d9d2eece9fec937a2e43a55cd0f19227cdd75e81aac8f9d4b3732
                    • Opcode Fuzzy Hash: f2ec2ad2b6891c0596f7859f9b57226ba65a2527f46f01c683e837627dea27cd
                    • Instruction Fuzzy Hash: 30A1A271E016188FEB68DF6AC944B9DBBF2BF89300F14C1AAD40CA7255DB345A85CF60
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 52430b8b6e1942d7060f0987569ec36c1256568306dbc9a4d9b91dec80e1467b
                    • Instruction ID: 6e9eacfde2388f9d711f9bea7af829335365bf3d4724b624556f05c1a1bb500b
                    • Opcode Fuzzy Hash: 52430b8b6e1942d7060f0987569ec36c1256568306dbc9a4d9b91dec80e1467b
                    • Instruction Fuzzy Hash: 3FA1A671E012188FEB58CF6AD944B9EBBF2BF89300F14C1AAD40CA7255DB345A85CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f84dbd7b027269d6d9c0d9559817c5fa361a61d530e896fb0cbd21f4b70765b0
                    • Instruction ID: 616d89724202d491a318e41ea1dcc29a9f1d4ea4b308d5bd1b7f539f2baa4a1a
                    • Opcode Fuzzy Hash: f84dbd7b027269d6d9c0d9559817c5fa361a61d530e896fb0cbd21f4b70765b0
                    • Instruction Fuzzy Hash: 01A18275E012188FEB68CF6AD944B9DBBF2BF89304F14C0AAD40DA7255DB345A85CF60
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0883f8f432ce60e3a358ff2e0cb1d52e99d51a43a174855ba1d98d908ecfa4e1
                    • Instruction ID: 8cf6704e1090bb9a502c448ad8d6da4970cb934f5dc1814c26b6131a73c58245
                    • Opcode Fuzzy Hash: 0883f8f432ce60e3a358ff2e0cb1d52e99d51a43a174855ba1d98d908ecfa4e1
                    • Instruction Fuzzy Hash: F9A19275E012188FEB68CF6AC944B9DBBF2BF89300F14C1AAD40DA7255DB345A85CF60
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7c9fafc960c178ab5dac64a516711cf6a0d4c2fff77da24f92e7fcc59d9b4814
                    • Instruction ID: 2878167582b685a799d9ebfed949663c62ab82694d1395366b621135a3786a39
                    • Opcode Fuzzy Hash: 7c9fafc960c178ab5dac64a516711cf6a0d4c2fff77da24f92e7fcc59d9b4814
                    • Instruction Fuzzy Hash: 8CA19575E012188FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a18b758e11f3f59bffc6522b1dd3a598a49a00e07255172fc465a290ae815957
                    • Instruction ID: b129215ef654d13118f598ad1f051ee5bc9966efffaa23279a89aec7bdf51aef
                    • Opcode Fuzzy Hash: a18b758e11f3f59bffc6522b1dd3a598a49a00e07255172fc465a290ae815957
                    • Instruction Fuzzy Hash: 0DA18275E012188FEB68CF6AD944B9DBBF2BF89300F14C1AAD40DA7255DB345A85CF60
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 408b67e0c80c2e6ec59514cc39b7a2101387d0fa0b7f8c66f4fc880f77b4430d
                    • Instruction ID: efc835815db9bceafd5ab4781631b2bcaa2da4e4da564e604c6fa0e4871edeb8
                    • Opcode Fuzzy Hash: 408b67e0c80c2e6ec59514cc39b7a2101387d0fa0b7f8c66f4fc880f77b4430d
                    • Instruction Fuzzy Hash: C1A18375E012188FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF60
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8b568e282d039ba5e056156705f589585b7d0d4455318761b06bbcb01f1ed8ee
                    • Instruction ID: a73bb581c9b117c29583f3bf4adbfe465283aeca2442a680f707c9c3a8e1211b
                    • Opcode Fuzzy Hash: 8b568e282d039ba5e056156705f589585b7d0d4455318761b06bbcb01f1ed8ee
                    • Instruction Fuzzy Hash: F6A18175E016188FEB68CF6AC944B9DBBF2BF89300F14C1AAD40DA7255DB345A85CF60
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 03f5541824463280130b4004a880238e9237b2be4eb0e772bfe6d78eba89153f
                    • Instruction ID: f01372abbd432d3ac00a93eef224da55d8836a7bf5dab354e21d7e9298048e2e
                    • Opcode Fuzzy Hash: 03f5541824463280130b4004a880238e9237b2be4eb0e772bfe6d78eba89153f
                    • Instruction Fuzzy Hash: DAA19675E012188FEB68DF6AD944B9EBBF2BF89300F14C1AAD40CA7255DB345A85CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cd4665d1707f07ed09b362e27c99f1d60c6a8e47d59d3e8ba5b1459a14618e59
                    • Instruction ID: f9f09702933dee4d0ff04799512392b7be72f1c6ed99b09aa7e0d9c95c5f0bc6
                    • Opcode Fuzzy Hash: cd4665d1707f07ed09b362e27c99f1d60c6a8e47d59d3e8ba5b1459a14618e59
                    • Instruction Fuzzy Hash: C981A174E00218CFDF18DFA9D994A9DBBB2BF89314F14C06AE419AB265DB349942CF50
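The ten 0x06590000 entries above have distinct Opcode IDs but Instruction Fuzzy Hashes that differ in only a handful of hex digits, while the 0x02990000 entry that follows them looks quite different. The script below is an added example, not code from Joe Sandbox or from this report: it copies those eleven hashes (keyed by the first eight hex digits of each entry's Opcode ID) and groups them by nibble Hamming distance. The comparison method and the threshold of 12 nibbles are assumptions; Joe Sandbox does not document how its fuzzy hashes are built, so treat the distance as a triage heuristic rather than a vendor-defined similarity score.

```python
"""Group Joe Sandbox 'Instruction Fuzzy Hash' values by nibble distance.

Added example; not part of the Joe Sandbox report or its IDA plugin.
The hashes are copied from the report's Memory Dump Source entries and
keyed by the first eight hex digits of each entry's Opcode ID.
ASSUMPTION: the fixed-length hashes are compared position by position
(Hamming distance over hex nibbles). Joe Sandbox does not document the
hash internals, so max_distance is a tuning heuristic, not a vendor score.
"""
from collections import deque

FUZZY_HASHES: dict[str, str] = {
    # 0x06590000 region (InstallUtil), ten consecutive report entries
    "740ecea3": "4DE1D474E00218CFEB54DFA5C994B9DBBB2FF89304F2081A9D418AB395DB355A85CF60",
    "f2ec2ad2": "30A1A271E016188FEB68DF6AC944B9DBBF2BF89300F14C1AAD40CA7255DB345A85CF60",
    "52430b8b": "3FA1A671E012188FEB58CF6AD944B9EBBF2BF89300F14C1AAD40CA7255DB345A85CF50",
    "f84dbd7b": "01A18275E012188FEB68CF6AD944B9DBBF2BF89304F14C0AAD40DA7255DB345A85CF60",
    "0883f8f4": "F9A19275E012188FEB68CF6AC944B9DBBF2BF89300F14C1AAD40DA7255DB345A85CF60",
    "7c9fafc9": "8CA19575E012188FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF50",
    "a18b758e": "0DA18275E012188FEB68CF6AD944B9DBBF2BF89300F14C1AAD40DA7255DB345A85CF60",
    "408b67e0": "C1A18375E012188FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF60",
    "8b568e28": "F6A18175E016188FEB68CF6AC944B9DBBF2BF89300F14C1AAD40CA7255DB345A85CF60",
    "03f55418": "DAA19675E012188FEB68DF6AD944B9EBBF2BF89300F14C1AAD40CA7255DB345A85CF50",
    # 0x02990000 region, included for contrast
    "cd4665d1": "C981A174E00218CFDF18DFA9D994A9DBBB2BF89314F14C06AE419AB265DB349942CF50",
}


def nibble_distance(a: str, b: str) -> int:
    """Number of hex positions at which two equal-length fuzzy hashes differ."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes must have equal length to be compared")
    return sum(1 for x, y in zip(a.upper(), b.upper()) if x != y)


def similarity(a: str, b: str) -> float:
    """Fraction of positions that agree, 1.0 meaning identical hashes."""
    return 1.0 - nibble_distance(a, b) / len(a)


def cluster(hashes: dict[str, str], max_distance: int) -> list[list[str]]:
    """Single-linkage grouping: connected components of the graph whose
    edges join any two hashes within max_distance nibbles of each other.
    Returns the groups largest first, each sorted by label."""
    names = list(hashes)
    seen: set[str] = set()
    groups: list[list[str]] = []
    for start in names:
        if start in seen:
            continue
        seen.add(start)
        component: list[str] = []
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            component.append(cur)
            for other in names:
                if other in seen:
                    continue
                if nibble_distance(hashes[cur], hashes[other]) <= max_distance:
                    seen.add(other)
                    queue.append(other)
        groups.append(sorted(component))
    return sorted(groups, key=len, reverse=True)


if __name__ == "__main__":
    for group in cluster(FUZZY_HASHES, max_distance=12):
        print(f"{len(group):2d} member(s): {', '.join(group)}")
    a, b = FUZZY_HASHES["f84dbd7b"], FUZZY_HASHES["a18b758e"]
    print(f"f84dbd7b vs a18b758e: {nibble_distance(a, b)} nibbles apart "
          f"(similarity {similarity(a, b):.3f})")
```

Run as a script it prints three groups: the nine entries from f2ec2ad2 through 03f55418 sit within 12 nibbles of one another, while the CFG-bearing entry 740ecea3 and the 0x02990000 entry cd4665d1 each stand alone. Near-identical fuzzy hashes at different addresses are a prompt to diff the disassembly in the corresponding .jbxd snapshots, not proof that the code is the same routine.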
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e323dfb43e743640920c4fcfc14b972f6cdf2fd9a91f363452f26a799a9fb23b
                    • Instruction ID: 6bf071648fc83094fecd427eee7f8d13a405dbf9b3205e1f50b29f2f0f9f8ccf
                    • Opcode Fuzzy Hash: e323dfb43e743640920c4fcfc14b972f6cdf2fd9a91f363452f26a799a9fb23b
                    • Instruction Fuzzy Hash: D281A374E00218DFDB18DFAAD994A9DBBF2BF89310F14C46AE419AB365DB309941CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d2aad3ee71b2a40d90a726c78ff6409dfe174096392925925e1d5beaf4571ae8
                    • Instruction ID: a93f6a2552a67115f802ea868a4083a217245e235d5c8c8473acb6cb212d9de7
                    • Opcode Fuzzy Hash: d2aad3ee71b2a40d90a726c78ff6409dfe174096392925925e1d5beaf4571ae8
                    • Instruction Fuzzy Hash: B381C474E00208CFEB14DFAAD994A9DBBF2BF89314F14C46AE409AB365DB309941CF54
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a13789d2c5440026f6160c451ff233465ff17b44a0602b806b928a5e8e8c721d
                    • Instruction ID: b7b18061cc4ab5b50a6a8dee99ba4b03697072c3a74cee4354aad16a445cbd26
                    • Opcode Fuzzy Hash: a13789d2c5440026f6160c451ff233465ff17b44a0602b806b928a5e8e8c721d
                    • Instruction Fuzzy Hash: E881B2B4E00208CFEF18DFAAD994A9DBBB2BF89314F14C069D509AB365DB349941CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 31cd50cba7b45e6fd92c45fc9bb1a821d5a6a1e3dc8cf3b23d479e8feed1fe31
                    • Instruction ID: 62c5bbaf8674f4d418bb65d3b475f50aecd70bd5a0ce7fd510bd4741bec9b562
                    • Opcode Fuzzy Hash: 31cd50cba7b45e6fd92c45fc9bb1a821d5a6a1e3dc8cf3b23d479e8feed1fe31
                    • Instruction Fuzzy Hash: 8881B474E00218DFDB14DFA9D994A9DBBF2BF88310F24D46AD419AB365DB309941CF10
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5108a73be088f42a51a88d3ea434a80fa1a13327e44ec65c185a86409e5bb87d
                    • Instruction ID: 7a5ad8cb38ba3ae0a52724430fdbfb2c4f257924ef195b164bb0cca06ffb9811
                    • Opcode Fuzzy Hash: 5108a73be088f42a51a88d3ea434a80fa1a13327e44ec65c185a86409e5bb87d
                    • Instruction Fuzzy Hash: B781B374E00218DFDB15DFAAD984A9DBBF2BF88311F14D069D419AB365EB309942CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 630d89c94fcc86f4f1586ba2e4517c2995257ef99623fda95bcfe6f74f7c5b57
                    • Instruction ID: 95749202a94b5b185d18ca1edf9205dce298c5cdc00595f00d903ae1e335e080
                    • Opcode Fuzzy Hash: 630d89c94fcc86f4f1586ba2e4517c2995257ef99623fda95bcfe6f74f7c5b57
                    • Instruction Fuzzy Hash: 82818474E00218DFEB14DFA9D994A9DBBF2BF88314F14C46AD419AB365EB309941CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a441525c3b145cab4300c83b93eeb6a82e272a1172bd32c727cc2f44b011efb1
                    • Instruction ID: ba42a4337e814f7552b086289410a1456daf23efe9ec26508bddd90016524d31
                    • Opcode Fuzzy Hash: a441525c3b145cab4300c83b93eeb6a82e272a1172bd32c727cc2f44b011efb1
                    • Instruction Fuzzy Hash: 4881E074E01218CFDF58CFAAD854BAEBBB2BF89300F20856AD419AB354DB345946CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 35ec0571f13b632eac1ca793984479ab2c3d650f619f792bcafacc3e86a33156
                    • Instruction ID: 090529871352fab6b8d4ea4b3aad235bba8cb5741e0ff82046db423a8c1a5e8b
                    • Opcode Fuzzy Hash: 35ec0571f13b632eac1ca793984479ab2c3d650f619f792bcafacc3e86a33156
                    • Instruction Fuzzy Hash: B581A174E012299FDBA5DF29D991BDDBBB2BB89300F1080EAD809A7254DB315E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7ff3d66bce7dd4512ed6c737571e9262869366c913cdc5bdc4827c0daf1150eb
                    • Instruction ID: 81e12deddf67d1703fd39270607b5c5d19678174c8dd56e814a2236482c6067a
                    • Opcode Fuzzy Hash: 7ff3d66bce7dd4512ed6c737571e9262869366c913cdc5bdc4827c0daf1150eb
                    • Instruction Fuzzy Hash: 44719371E016188FEB68CF6AC954B9EBBF2BF89300F14C5AAD40DA7254DB344A85CF51
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 50e1cd4ec9490ce01d33b3e098635ba2130225b0b0adc3fadb8395ee51557ef2
                    • Instruction ID: 7ec313243e1a5d35275dc37130958cec6c908cdf16d4f958bfa03e0753016ccf
                    • Opcode Fuzzy Hash: 50e1cd4ec9490ce01d33b3e098635ba2130225b0b0adc3fadb8395ee51557ef2
                    • Instruction Fuzzy Hash: 42718571E016188FEB68CF6AD944B9EBBF2BF89300F14C5AAD40DA7255DB344A85CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0696ce8f1f60f5b465f9a4890db3d576ffe5a683e684867b796a1baf4b3ca13c
                    • Instruction ID: 78d7a7206ef7ffdfa1bcd64f1b2090e8c9d553052254896e680e67d07b698233
                    • Opcode Fuzzy Hash: 0696ce8f1f60f5b465f9a4890db3d576ffe5a683e684867b796a1baf4b3ca13c
                    • Instruction Fuzzy Hash: BE717471E016188FEB68CF6AC944B99BBF2BF89300F14C0AAD40DA7255DB344A85CF61
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ed85c4ea60238d04babf7b0b8f6154ed822897d70feaffc615d3674850e9cdc1
                    • Instruction ID: fdec761c25a05736020fe55e37c55a38f0abd2396a3a22e0fda208d8a031b374
                    • Opcode Fuzzy Hash: ed85c4ea60238d04babf7b0b8f6154ed822897d70feaffc615d3674850e9cdc1
                    • Instruction Fuzzy Hash: BB519B71D016189FEB58CF6BCD557DAFAF3AFC9200F14C0AAD40CAA255DB7409868F61
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: db4a1fed8888395619217ec22e796fa47f574bbbc970294d6f730ace479954d7
                    • Instruction ID: fa40fc74624782311e1d786192f2df30db90128de6e08f42c7f85ab5571883d0
                    • Opcode Fuzzy Hash: db4a1fed8888395619217ec22e796fa47f574bbbc970294d6f730ace479954d7
                    • Instruction Fuzzy Hash: 1A517971E016188BEB58CF6BDD547DAFAF3AFC9310F04C1AAC50CA6265DB340A868F51
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b835b5e1c2e5456d9cfb1546b60f07a0ce2b36a4df0ee8f8b51e0f84bba98522
                    • Instruction ID: e339abbddea9660b44ae5cf9d4781b774509733472f90698171d3fda3892b977
                    • Opcode Fuzzy Hash: b835b5e1c2e5456d9cfb1546b60f07a0ce2b36a4df0ee8f8b51e0f84bba98522
                    • Instruction Fuzzy Hash: E141C2B0E006088BEB58DFAAD8547DEBBB2BF89300F14C469C418BB254DB754946CF64
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5e4e8992da84010be3ac10447f5bb4315dc33763ea21ea7b0d54131973fe2f10
                    • Instruction ID: 90e7b023ae5246e3ec0acf52f21067a398087ac136ee8b040bcb859756c6d610
                    • Opcode Fuzzy Hash: 5e4e8992da84010be3ac10447f5bb4315dc33763ea21ea7b0d54131973fe2f10
                    • Instruction Fuzzy Hash: F64179B1D016188FEB58DF6BD9557DAFAF3AFC9310F14C0AAC50CA6255DB340A868F50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9bb4ed02dcb3f99d4765d87adc38e5cab1055808c1ce931301e4c065c6e9d667
                    • Instruction ID: 6d7aa54af685365ab7d3ecd6ae626d7f69914f68cc5a982cc09acd907dd863e5
                    • Opcode Fuzzy Hash: 9bb4ed02dcb3f99d4765d87adc38e5cab1055808c1ce931301e4c065c6e9d667
                    • Instruction Fuzzy Hash: 354178B1E016188BEB58CF6BCD447DAFAF3AFC9300F14C1AAD50CA6254DB740A858F50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9fc0105deb99f1f0bbb92e42ebe4f187366b7bc72af6943382ce8202e644a935
                    • Instruction ID: c68765ec776fcc7f57e6ede262a2d1311f3dc58efe556aa50f1f668f83286450
                    • Opcode Fuzzy Hash: 9fc0105deb99f1f0bbb92e42ebe4f187366b7bc72af6943382ce8202e644a935
                    • Instruction Fuzzy Hash: 604166B1E016188BEB58CF6BC9457CAFAF3AFC8300F14C1AAC50CA6265DB740A858F51
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d0d2c9199b83fd4e6fb196f6a9fe5b59d6784c1a6e9b6d06806c3f8014120321
                    • Instruction ID: e285cf29fce8a8b768c35b721e568a83fda762ceedd2c2f6ca9f12f989238e3b
                    • Opcode Fuzzy Hash: d0d2c9199b83fd4e6fb196f6a9fe5b59d6784c1a6e9b6d06806c3f8014120321
                    • Instruction Fuzzy Hash: FA4169B1D016188BEB58CF6BD9547DAFAF3AFC9310F14C1AAD50CA6264DB740A86CF50

                    Control-flow Graph
                    • Rendered graph not reproduced in this text export; legend was Executed / Not Executed.
                    • Entry: 055F8174; basic blocks span 055F802B-055F83D8.
                    • Calls: LdrInitializeThunk (block 055F82B1-055F82C7); subroutine at 055F7B70 (from block 055F81B8-055F8219).
                    APIs
                    • LdrInitializeThunk.NTDLL(00000000), ref: 055F82B6
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 3dd19e3a4ee5024c5e7940a5eaa7c02b1ab7646801921c38afd838303dfdd726
                    • Instruction ID: 814a8bb501da847ac00c5f8ca21d3404435bf1756d1a4867e4cba238d02c6967
                    • Opcode Fuzzy Hash: 3dd19e3a4ee5024c5e7940a5eaa7c02b1ab7646801921c38afd838303dfdd726
                    • Instruction Fuzzy Hash: A8114C74E012099FDB14DBE8D884EADB7F6FF89318F548165EA48E7345D730A941CB60

                    Control-flow Graph
                    • Rendered graph not reproduced in this text export; legend was Executed / Not Executed.
                    • Entry: 029977F0; basic blocks span 029977F0-02998391.
                    • Calls: subroutine at 029987E9 (from 02998350).
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d38b04f83274c53de1f8d2e23096c3d0fe99df2e47cead9ba0be1ced6ad37603
                    • Instruction ID: b8bf6bca0db94076c46794e68eba29b582c64e12351704ce78aa6bc02589e9d3
                    • Opcode Fuzzy Hash: d38b04f83274c53de1f8d2e23096c3d0fe99df2e47cead9ba0be1ced6ad37603
                    • Instruction Fuzzy Hash: CE521D34A00218CFFB159FA4C860BAEBB76EF89710F1081ADD20AAB395DB359D45DF51

                    Control-flow Graph
                    • Rendered graph not reproduced in this text export; legend was Executed / Not Executed.
                    • Entry: 029987E9; basic blocks span 029987E9-02998DB1.
                    • Calls: subroutine at 02998258 (from 02998A8E and 02998ACD); subroutine at 02998378 (from 02998D66).
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 86ae243a904dbf6eea9b839c0cd0c8d11cce1b801cb302c712127a5eea121f41
                    • Instruction ID: ea6b5e0dd53de47cbaa50d24883a09c0dfebcfb83130e736ab36cd34bc551fd5
                    • Opcode Fuzzy Hash: 86ae243a904dbf6eea9b839c0cd0c8d11cce1b801cb302c712127a5eea121f41
                    • Instruction Fuzzy Hash: E4F15B703152018FDF199A3EC958B39779ABF86625F1944AEE502CF3A2EB29CC42C751

                    Control-flow Graph
                    • Rendered graph not reproduced in this text export; legend was Executed / Not Executed.
                    • Entry: 02996E58; basic blocks span 02996E58-02997424.
                    • Calls: subroutine at 02996CA0 (twice, from block 029970F7-02997122); call at 0299709B resolved to 02997438 or 02997428; subroutine at 02995B50 (from 02997232).
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 75dc7f425b2daa4f3687173772cb7b73f8824aaff4ee37522e5cc7550d1285f1
                    • Instruction ID: a746463732a9da469310bf6e948e27601b6e6d9ac8c056367b14e88ce09e81f8
                    • Opcode Fuzzy Hash: 75dc7f425b2daa4f3687173772cb7b73f8824aaff4ee37522e5cc7550d1285f1
                    • Instruction Fuzzy Hash: A6125A70A10209DFCF14DFA9D884A9EBBF6FF88324F148569E8099B261DB31ED41CB50

                    Control-flow Graph
                    • Rendered graph not reproduced in this text export; legend was Executed / Not Executed.
                    • Entry: 0299A818; basic blocks span 0299A818-0299ACCA.
                    • Calls: subroutine at 0299A7C0 (from the entry block 0299A818-0299A842); subroutine at 0299A340 (from 0299AC8D).
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8ef673c546b2bcad0eeec06f012dcd63c78301cc82857b8cc8724ee2c8e8e49e
                    • Instruction ID: d1008273fabc7cb2990276d183bd6c87a000b2597f4b950ae2c6378340d271f2
                    • Opcode Fuzzy Hash: 8ef673c546b2bcad0eeec06f012dcd63c78301cc82857b8cc8724ee2c8e8e49e
                    • Instruction Fuzzy Hash: D7F10B75E001158FCB04DF6DC988AADBBF6FF88324B1A8069E519AB365DB35EC41CB50

                    Control-flow Graph
                    • Rendered graph not reproduced in this text export; legend was Executed / Not Executed.
                    • Entry: 02990C8F; basic blocks span 02990C8F-0299146B.
                    • Calls: subroutine at 02990708 (eight times); 02994AD9; 0299BBD2; 0299BEB0; 0299C190; 0299C470; 0299CA31; 0299CD10 (ten times).
                    • Call sites with alternative resolved targets: 02990EEE to 02991F08 or 02991F61; 02990F0C to 02993418 or 02993428; 02990F1E to 02993908 or 02993570; 02990F96 to 0299B318 or 0299B328; 02991125 to 0299C751 or 0299C470.
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fbf9a1b9b16a7bd18402ea394d8ea4a4c039166b4619ab7e2e6ab704c796082e
                    • Instruction ID: adece0c4a06ec17b6aeda90050876cd620d05afb0907da2567ceeaf9b2b50af3
                    • Opcode Fuzzy Hash: fbf9a1b9b16a7bd18402ea394d8ea4a4c039166b4619ab7e2e6ab704c796082e
                    • Instruction Fuzzy Hash: C3220874A0421ACFCB95EF65E995B9DBBB2FF48301F1086A9D409AB318EB306D45CF50

                    Control-flow Graph
                    • Rendered graph not reproduced in this text export; legend was Executed / Not Executed.
                    • Entry: 02990CA0; basic blocks span 02990CA0-0299146B.
                    • Calls: subroutine at 02990708 (eight times); 02994AD9; 0299BBD2; 0299BEB0; 0299C190; 0299C470; 0299CA31; 0299CD10 (ten times).
                    • Call sites with alternative resolved targets: 02990EEE to 02991F08 or 02991F61; 02990F0C to 02993418 or 02993428; 02990F1E to 02993908 or 02993570; 02990F96 to 0299B318 or 0299B328; 02991125 to 0299C751 or 0299C470.
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aa318ee4cda9e84bd54e00c080e3f955a6f2c229a45e556c213643f6f94ce276
                    • Instruction ID: cfb426704e690e9eee07082294b672882272609134627add27dc0f4151821283
                    • Opcode Fuzzy Hash: aa318ee4cda9e84bd54e00c080e3f955a6f2c229a45e556c213643f6f94ce276
                    • Instruction Fuzzy Hash: 5622F774A0421ACFCB95EF65E995B9DBBB2FF48301F1086A9D409AB318EB306D45CF50

                    Control-flow Graph
                    • Rendered graph not reproduced in this text export; legend was Executed / Not Executed.
                    • Entry: 029956A8; basic blocks span 029956A8-02995A5C.
                    • Calls: subroutine at 02996108 (from 02995755); call at 0299572A resolved to 02995698 or 029956A8 (the function itself); call at 02995781 resolved to 0299A70D or 0299A650; call at 029958D7 resolved to 02995A70 or 02995A60; call at 029959A1 resolved to 065925E8, 065923D1 or 065923E0 (in the 06590000 region).
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 38696041848d66bcf7adfceddcb2e92af064d2a6b6d2b1959bbda6ca60e1dd4a
                    • Instruction ID: 514e3cb255b70de4de4216f67eb104d7b2195a8a7d631cad47304503d61b0738
                    • Opcode Fuzzy Hash: 38696041848d66bcf7adfceddcb2e92af064d2a6b6d2b1959bbda6ca60e1dd4a
                    • Instruction Fuzzy Hash: E5B1BE707042108FDF169F7AC894B7F7BA6EB88225F568969E506CB395DB35CC01CB90
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 20629550978f3d577c62a5e75d12826ae35b68eddf4bc3fc50235886a53b2827
                    • Instruction ID: 611e618b42a1d2143dee65794efad8e9b381470dc963d09d417eb83af8a67986
                    • Opcode Fuzzy Hash: 20629550978f3d577c62a5e75d12826ae35b68eddf4bc3fc50235886a53b2827
                    • Instruction Fuzzy Hash: F581BF30B211069FCB48EF39D85496E77B6FF89610B1581AAE419DB3A5EB31DD01CBA0
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9ae8b2a47822eb6b28d95955640a89cd8d76bb43a3a766dc9f09f3fb20444195
                    • Instruction ID: e62448dff82c0d6e5d668dffa4e47e3c6832c3930451cee6c8fc5d34b046c48a
                    • Opcode Fuzzy Hash: 9ae8b2a47822eb6b28d95955640a89cd8d76bb43a3a766dc9f09f3fb20444195
                    • Instruction Fuzzy Hash: 8E819F30A00105DFDF15DFADC488A6AB7BAFF89224B968169D405EB365D731E841CBA0
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7afbe33136d2dd7f5a50c30923827f81f644cc6e3565b49c91bdf4670c445e37
                    • Instruction ID: 1869939d84f55340fb8d21e8b88212dab3de27d0a71f6f95353ab6f5ef358222
                    • Opcode Fuzzy Hash: 7afbe33136d2dd7f5a50c30923827f81f644cc6e3565b49c91bdf4670c445e37
                    • Instruction Fuzzy Hash: AF719131F002199BDF59DFA9C8546AEBBB2BFC9710F144529D406AB380EF319D42CBA5
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fa03f3097dc10d774d7a85b0efd5e729a5ebdc0ee165fcd80d810c015e54601b
                    • Instruction ID: 168e077a74d562ba0d3ade580720b8175217067886fabaaf1f74c526ccc12f94
                    • Opcode Fuzzy Hash: fa03f3097dc10d774d7a85b0efd5e729a5ebdc0ee165fcd80d810c015e54601b
                    • Instruction Fuzzy Hash: 487119747102058FCF54DFADC884AADBBEAAF49625B1940A5E405CB371DF74EC41CBA1
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1d7ca6df2e36c071ad52016f2e98c0d1638881cf1ca88960efe1df9a0fcf568b
                    • Instruction ID: 75a8933f331fa12fcbb0bba063e620eba9ae23145e5bd5d171f1815c1be8d57e
                    • Opcode Fuzzy Hash: 1d7ca6df2e36c071ad52016f2e98c0d1638881cf1ca88960efe1df9a0fcf568b
                    • Instruction Fuzzy Hash: 8051AE74861307CFD7463B63F9ADA7EBBA5FB1F327780AD04B01E890199B395859CA10
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ed960ea9d5b7f91ea944215eff7d7c2cb21c7c9f2167749c922065ce025b7b5e
                    • Instruction ID: 8ee3fa2a926ca3a9ac6849845e3a8fb73f9e29cb0f6b841cc0075bca22b935f4
                    • Opcode Fuzzy Hash: ed960ea9d5b7f91ea944215eff7d7c2cb21c7c9f2167749c922065ce025b7b5e
                    • Instruction Fuzzy Hash: E4518E70861307CFD7423B63F9ADA7EBBA5FB5F327780AD04B01E894199B395859CA10
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 96d86ad025676b2e8e3ad22d87433a0ba74c4437cfd4f24df2b31974d8c695d5
                    • Instruction ID: a608380628d80a7d48a30ebb451c27d37b903a2ccf3bdcd01b6cf9ea5e799bd9
                    • Opcode Fuzzy Hash: 96d86ad025676b2e8e3ad22d87433a0ba74c4437cfd4f24df2b31974d8c695d5
                    • Instruction Fuzzy Hash: D6516370D00209DFEB15DFA5D894AADBBB2FF88304F208529E809AB354DB399D46CF40
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f410e9b1ecb5693c82ae8e8866f53c7a17180b5edc5df1acf5522225fead4bfb
                    • Instruction ID: d91b8b354a1655b8004f856013cb371111b93b4c54ffba4d89ca825b184051bc
                    • Opcode Fuzzy Hash: f410e9b1ecb5693c82ae8e8866f53c7a17180b5edc5df1acf5522225fead4bfb
                    • Instruction Fuzzy Hash: 3D518274E01218DFDB44DFA9D99499DBBF2BF89310F20816AE419AB365DB31A901CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2e9b6079ba1863f24200c949006b0205fa88bb0651ef7f064de5fb7771c1bfac
                    • Instruction ID: af2a3eda1dee2912e82cfc528081ab382cb2f025a4b384b7055b319257d270b0
                    • Opcode Fuzzy Hash: 2e9b6079ba1863f24200c949006b0205fa88bb0651ef7f064de5fb7771c1bfac
                    • Instruction Fuzzy Hash: 3D413A31D41319CFDB05AFA4D45CBEE7BB1FB9A312F908929D10167294CB790A44CFA0
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 231d042c1e990126b7bdae1c0bcfb8c204502be2d0f7b70f9529d0fa847e493f
                    • Instruction ID: 4d71a82cf707dec89a135478dc4f887bf661869b62cff57660fcefd72b5a9704
                    • Opcode Fuzzy Hash: 231d042c1e990126b7bdae1c0bcfb8c204502be2d0f7b70f9529d0fa847e493f
                    • Instruction Fuzzy Hash: 48519374E01208CFCF48DFA9D59099DBBB2FF89710B209469E819AB364DB35AC46CF54
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6d48810301cb751586e1da4214415a22390b19710e803f0bd529b298964a1960
                    • Instruction ID: b13f7d7a7d132be1663f8a0098d537e4433050b48d8ff301331ae434ca34a46c
                    • Opcode Fuzzy Hash: 6d48810301cb751586e1da4214415a22390b19710e803f0bd529b298964a1960
                    • Instruction Fuzzy Hash: B751F379D00209CFDB04DFA5E594AEDBBF2FB49310F24802AD415A7294DB385A46CF60
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 98b0e4e1a49d5b99b955dd8429047ed43fd2c3be4c649cae20d2d16a42615415
                    • Instruction ID: 4336a67b05b39384e114bfcdf85ace8644c2004ab7b84c03f50cbb98656ce169
                    • Opcode Fuzzy Hash: 98b0e4e1a49d5b99b955dd8429047ed43fd2c3be4c649cae20d2d16a42615415
                    • Instruction Fuzzy Hash: 4441E3317002049FDB15AF6AD8556AE7BF7EFC8221F148479E506EB391DE359C06CBA0
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 744b4639199cef4224b35219925332c360fa4061b9a07d412dfcdf29536ff3f5
                    • Instruction ID: def9a232f2e3682f35c9e53e086b88b47cc4e43c76829b82cbf91af9bd920f68
                    • Opcode Fuzzy Hash: 744b4639199cef4224b35219925332c360fa4061b9a07d412dfcdf29536ff3f5
                    • Instruction Fuzzy Hash: 1E41DF31A04249DFEF11CFA9C844B9DBFB6EF49324F048569E8159B295E335E950CBA0
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 16e6b8c0193885f1c44793646c5cfe1daa5590d9507848e32c680b646f1c7e4c
                    • Instruction ID: 2fe4607763a37395113d914bf70436e164af11c0eef0eaa7d558cf73b42be156
                    • Opcode Fuzzy Hash: 16e6b8c0193885f1c44793646c5cfe1daa5590d9507848e32c680b646f1c7e4c
                    • Instruction Fuzzy Hash: 46413031E0031A9BDF54DFA5C880ADEB7F5BF89710F198529E415B7380EB70A945CBA0
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7b2ad0b43e8654ce963af74756e56ae0253951c1104391ee57268b5769c1baf0
                    • Instruction ID: d0c13155a0f843eec28870a047c1790469502fe2c8b3b6def9a6b913f92d9b9c
                    • Opcode Fuzzy Hash: 7b2ad0b43e8654ce963af74756e56ae0253951c1104391ee57268b5769c1baf0
                    • Instruction Fuzzy Hash: 0B414870D09208CBDF14DFACD484AEDBBB2FF49324F20941AD489AB254DB759842CF64
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bb37e7d16050f60d855fad6af77817bf1400b9c5aed745bf6374daa07342f737
                    • Instruction ID: ef3ecc5c84233e7c3bc2debfceac2cbc46ba0e5428816a19b6408a2b67503d64
                    • Opcode Fuzzy Hash: bb37e7d16050f60d855fad6af77817bf1400b9c5aed745bf6374daa07342f737
                    • Instruction Fuzzy Hash: A34112B4D04208CBCF00EFADD4C4AADBBB2FB49325F609519E40AAB245D7369842CF64
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8e2577a7ac71d1c206ef1381a274f8c223dbe7be7d9f17c58fcedee5713a455b
                    • Instruction ID: 8aeb273d10d4acea484e0d3c9c3a5bf22237300d694aae8f2b53c0a54e76a60d
                    • Opcode Fuzzy Hash: 8e2577a7ac71d1c206ef1381a274f8c223dbe7be7d9f17c58fcedee5713a455b
                    • Instruction Fuzzy Hash: 8431F531B003158BEF1D9E7E999437E66DAABC9224F19447DD80AC7380DB74CC0086A9
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eabc0ef7fe2c8f47207b12b2d1ae431793a5fa763bf288ee5e5cfcc968730970
                    • Instruction ID: 7eb015a3c09f66713661902ddf461f7bd85f468068876a3391adc6c5727d1ecd
                    • Opcode Fuzzy Hash: eabc0ef7fe2c8f47207b12b2d1ae431793a5fa763bf288ee5e5cfcc968730970
                    • Instruction Fuzzy Hash: 1441CE74E00208CFDF44DFA9D594AEDBBF2FB89300F24812AD415AB294EB785A46CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aa01cf463f8a6a3b0bf65b50f4ec6be8b4e8dada346993950a730e51ef700a3e
                    • Instruction ID: a7ee2e8535e65496a937d06d3f75b0a8429dd837df02a10462c8578e56a7bed8
                    • Opcode Fuzzy Hash: aa01cf463f8a6a3b0bf65b50f4ec6be8b4e8dada346993950a730e51ef700a3e
                    • Instruction Fuzzy Hash: 53413670D09208CFDF14DFACD584AEDB7B6BF49324F20952AE849AB250D7759841CF64
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 24b01dca93e6e87bc81cfc98b484e8dc959df8a18c14e61cdc45160989ee140e
                    • Instruction ID: e260896c21dcedbbb29592f189f55ee394db3a0bd6137dcd0f5be6c187e63685
                    • Opcode Fuzzy Hash: 24b01dca93e6e87bc81cfc98b484e8dc959df8a18c14e61cdc45160989ee140e
                    • Instruction Fuzzy Hash: CF41EFB0D05208CFDF00EFADE584AEDBBB2FB49325F209529E409AB255D7759842CF64
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d0591f1fc10061747ed031a7b39153553c33034d65fa419072538149b768a86d
                    • Instruction ID: 623f5224a98a09f49c60c635666bc46775f22865e520c332c719a277b49204e0
                    • Opcode Fuzzy Hash: d0591f1fc10061747ed031a7b39153553c33034d65fa419072538149b768a86d
                    • Instruction Fuzzy Hash: DC4104B0D00208CFDB04EFAED484AEEFBB2BB89315F14D529D408AB255DB759842CF64
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fc30942bf40fd45dd35a09eb822cc512583c8fc292c716f221bc1314475742ab
                    • Instruction ID: 0a928e3d166d742d2f63d55b04089890db31f8104de34213558ce1bc7857c549
                    • Opcode Fuzzy Hash: fc30942bf40fd45dd35a09eb822cc512583c8fc292c716f221bc1314475742ab
                    • Instruction Fuzzy Hash: 8D313770D052088BDF18EFAED484AEEB7B6BF89314F14D52AD804AB254DB719842CF64
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 395840b63d59a91769780789bc7be5b8ec4be1db362ce462e1fdd6ee3cb1521b
                    • Instruction ID: 477c8a14f7be3b7f42a0fa88f55b636c8db55fbb8e0b96481af29122fc2eff89
                    • Opcode Fuzzy Hash: 395840b63d59a91769780789bc7be5b8ec4be1db362ce462e1fdd6ee3cb1521b
                    • Instruction Fuzzy Hash: FF31B5716041099FDF069FAAD454ABF7BABFF88325F004468F9058B254CB35DC22CBA0
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 023ccd3874819bdf413201a71ce2673d7ab5d982bc96cf08efa54fc17f6b08b5
                    • Instruction ID: f0798331921a75fb8b598dad1fad7e18b40227f90e480d39c43845014cfd6a7a
                    • Opcode Fuzzy Hash: 023ccd3874819bdf413201a71ce2673d7ab5d982bc96cf08efa54fc17f6b08b5
                    • Instruction Fuzzy Hash: EB316930D41309DFDB05AFA5D468BEEBBB1FF4A312F408969D1116A391CBB80A44CFA0
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e9ab4e617c94762cc5d389e8e1e395f0d8d8841b05b8847dd9c44cc8ff4756fe
                    • Instruction ID: 6f625314c9687e82d2ef0d023fa359e8184290d207a172802a2a1c46e3b54f4b
                    • Opcode Fuzzy Hash: e9ab4e617c94762cc5d389e8e1e395f0d8d8841b05b8847dd9c44cc8ff4756fe
                    • Instruction Fuzzy Hash: EC21F5743242009BEF25567E8894BFDB79B9FC4629B184079D502CBB55EF2BCC42D781
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3b1e1fd8aa0ca627c13d38b0ee334d0d7286be7b358803d703d7af6e880d17e8
                    • Instruction ID: e7d54e4e94b3fbb786f675551a37e63c681287a6732564e1c08b994c57019c6f
                    • Opcode Fuzzy Hash: 3b1e1fd8aa0ca627c13d38b0ee334d0d7286be7b358803d703d7af6e880d17e8
                    • Instruction Fuzzy Hash: D2318070A005198FCF08DF6DC8889AEBBB7FF88764B158169E5159B3A5CB35DC42CB90
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 810e9fb833979ebdda27493614c28adf974dc3bcdf9953f10fbddd1e4fec4eac
                    • Instruction ID: e3b34c729557c563a34515a9f8a0cf76bdefa650f6f0382a16a266deff8e7a31
                    • Opcode Fuzzy Hash: 810e9fb833979ebdda27493614c28adf974dc3bcdf9953f10fbddd1e4fec4eac
                    • Instruction Fuzzy Hash: C221B3783242005BEF14566E8894BBEB68B9FC4729F144079D502CB798EF2BCC41D381
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3991416f9faf88e917bffa7475b70786184c07a03d43b86ed8ad41502a63dfe9
                    • Instruction ID: 82ff1485a96526f213590e637233dbfec37e3feb66947c94a42866df0dea884b
                    • Opcode Fuzzy Hash: 3991416f9faf88e917bffa7475b70786184c07a03d43b86ed8ad41502a63dfe9
                    • Instruction Fuzzy Hash: 592103313026118FDB16AA2AD4A453BB7A7EFC4621B4681BDE806DB354CF34DC06C7C0
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 13f6bcf82bc5855a5db6966324bef22e8e411387955fde4b1885460c97c41ef0
                    • Instruction ID: c95b8b42b0eafb23144aca9b543322c615b739cd808dd057e0b51905c3a26b5c
                    • Opcode Fuzzy Hash: 13f6bcf82bc5855a5db6966324bef22e8e411387955fde4b1885460c97c41ef0
                    • Instruction Fuzzy Hash: 0121A475E00215EFCF14EF28C840AAE77A9EB99260F10C419DC09DB344EB36EA41CBD1
                    Memory Dump Source
                    • Source File: 00000002.00000002.4542782571.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_27bd000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 958f752eb63d4492e7a82da955e24f1e8c0cb31349ebf8f8d5a8b838423972b7
                    • Instruction ID: e997b2f3fd6a7b44b7c0fba274c436de38bc10c6a29892c00e6f01cb13dc35b2
                    • Opcode Fuzzy Hash: 958f752eb63d4492e7a82da955e24f1e8c0cb31349ebf8f8d5a8b838423972b7
                    • Instruction Fuzzy Hash: 34312F7550E3C48FCB13CB20C9A4755BF71AF47214F1985DBD8898F2A7C23A984ACB62
                    Memory Dump Source
                    • Source File: 00000002.00000002.4542782571.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_27bd000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b6d6de567af25977787e698a218ec09b27110cd93d9550c675ebf3830a2b9180
                    • Instruction ID: d6626465aef268ad0dd807135eff27a5c75fdb49311a18083fd97ee7615f4743
                    • Opcode Fuzzy Hash: b6d6de567af25977787e698a218ec09b27110cd93d9550c675ebf3830a2b9180
                    • Instruction Fuzzy Hash: B0212671504208EFDB26DF24D9C0B66BB65FF88314F24C5ADE94A4B242C77AD447CB61
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8125f454a9846b939fdadc492c1ce27ba2cc01d7526abca28e31d808b5e8527f
                    • Instruction ID: 0f082364be0a532834701684dde33cf76b1415183145914a72be5a8fa347d96c
                    • Opcode Fuzzy Hash: 8125f454a9846b939fdadc492c1ce27ba2cc01d7526abca28e31d808b5e8527f
                    • Instruction Fuzzy Hash: 55115932E0425D9FCF01EBF89C104DEBB74FF89220B258756D525B7151EA321906C7A0
                    Memory Dump Source
                    • Source File: 00000002.00000002.4543015571.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2990000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 474331dd3d76393694f879e0d26858e48669974d2f20b0e828216b107e6d82b2
                    • Instruction ID: b6b2e0cbef7f6a1fa47aeb97426a75d76fc97f58e76d39ba12a0ef6a368e1e72
                    • Opcode Fuzzy Hash: 474331dd3d76393694f879e0d26858e48669974d2f20b0e828216b107e6d82b2
                    • Instruction Fuzzy Hash: 1EC1BF74E00218CFDB55DFA5C994BADBBB2BF88304F2081A9D909AB355DB359E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8da6608abfc5aee049011c35cb376f2b8d3b99aac077237c26df771b80722e2a
                    • Instruction ID: 2c06954da6c120c86fd3787e610f5b40b9d234788aefa027f3ff57f029448b52
                    • Opcode Fuzzy Hash: 8da6608abfc5aee049011c35cb376f2b8d3b99aac077237c26df771b80722e2a
                    • Instruction Fuzzy Hash: 6BC1B074E00218CFDB15DFA5C994BADBBB2BF88304F2481A9D509AB355DB359E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 84379ede342dab66aef04b21b01fdbe9fffc024a7a9970ca2b3a07b6e17eefa7
                    • Instruction ID: 2150234b8c9c21f117d23fd0385ddc6e1631c39d2413b2f712e4820d18c5b974
                    • Opcode Fuzzy Hash: 84379ede342dab66aef04b21b01fdbe9fffc024a7a9970ca2b3a07b6e17eefa7
                    • Instruction Fuzzy Hash: 9CC1BF74E00218CFDB54DFA9D994BADBBB2BF88304F2081A9D509AB355DB359E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c4c04624a4039bf47c1e7cb734041c522fdd24e37818e4d7f669b57260ac1d87
                    • Instruction ID: 6866ada29d5a4bace66b5d26ef8382364c05cfc3bf11698a23b0894a2c0d54b8
                    • Opcode Fuzzy Hash: c4c04624a4039bf47c1e7cb734041c522fdd24e37818e4d7f669b57260ac1d87
                    • Instruction Fuzzy Hash: 36C1BF74E00218CFDB54DFA5C994BADBBB2BF88304F2081A9D909AB355DB359E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a8d4add79afafdb328da46a52c3bf8a6463190b405fcda4ec17bc00b27028fe9
                    • Instruction ID: 5cb65826e0d2b7ce281cb0ee71839f32d19dadf079c506032fd0adf47e452c3b
                    • Opcode Fuzzy Hash: a8d4add79afafdb328da46a52c3bf8a6463190b405fcda4ec17bc00b27028fe9
                    • Instruction Fuzzy Hash: 95C1BF74E00218CFEB14DFA5D994BADBBB2BF88304F2481A9D509AB355DB359E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0d0a5d518322d29ae03e8c4663cc17ef37ac79036464d9af48a24ab305620e54
                    • Instruction ID: 0e5d76a414cdeaf6f2d54a101f91658d344569226444b2a42ef44d5fb5bf7db1
                    • Opcode Fuzzy Hash: 0d0a5d518322d29ae03e8c4663cc17ef37ac79036464d9af48a24ab305620e54
                    • Instruction Fuzzy Hash: 37C1BF74E00218CFEB14DFA5C994BADBBB2BF89304F2081A9D509AB355DB359E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8f767be760b5046eb84efd7d3e637464214899d68d230d7341aeb028173cd6aa
                    • Instruction ID: ed3a940e791e14826a932e0a5a567a51c67b08d8c789411a53053d256a024383
                    • Opcode Fuzzy Hash: 8f767be760b5046eb84efd7d3e637464214899d68d230d7341aeb028173cd6aa
                    • Instruction Fuzzy Hash: ADC1CF74E00218CFEB15DFA5C994BADBBB2BF88304F2481A9D509AB355DB359E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2dad412a6c6f7f480f1164ea6159bb3aafa6e9f0a7d05da6fc1470fb0ff2baa2
                    • Instruction ID: 80659ef51f3ddb0ced28b88e1d8a26de98d791385f028059d47a8687755edbdf
                    • Opcode Fuzzy Hash: 2dad412a6c6f7f480f1164ea6159bb3aafa6e9f0a7d05da6fc1470fb0ff2baa2
                    • Instruction Fuzzy Hash: 7CC1BF74E00218CFEB55DFA5C994BADBBB2BF88304F2481A9D409AB355EB355E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9fd5ec249a8b05aec0924fca60ba2554befead0e953130328a710013571be003
                    • Instruction ID: adfc44a305fbdd945e9a03a276e3a4d5ba76383c3b7881c0dfbb3da228e52358
                    • Opcode Fuzzy Hash: 9fd5ec249a8b05aec0924fca60ba2554befead0e953130328a710013571be003
                    • Instruction Fuzzy Hash: 39C1BF74E00218CFEB55DFA5C994BADBBB2FF88304F2081A9D409AB355EB355A81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5ed8bb916ae46e9374f68ec9f25c25734c83c4b3c15126d165d74f36e16c8863
                    • Instruction ID: 1d727fea0c2a56be06bff0a90b2445107d52564aed3a958d875fa178f92effa7
                    • Opcode Fuzzy Hash: 5ed8bb916ae46e9374f68ec9f25c25734c83c4b3c15126d165d74f36e16c8863
                    • Instruction Fuzzy Hash: 44C1BF74E00218CFEB54DFA5C994BADBBB2FF89304F2081A9D409AB355DB355A85CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fc17865abd7be70aeeb3acde98205ae18191b967df3009634e9fc1cefdaafab7
                    • Instruction ID: b9320667a0aa7c97fb559db9e0628368e0ce4583fd3dc9483b98269da548b116
                    • Opcode Fuzzy Hash: fc17865abd7be70aeeb3acde98205ae18191b967df3009634e9fc1cefdaafab7
                    • Instruction Fuzzy Hash: 30C1AF74E00218CFEB54DFA5C994BADBBB2BF88304F2081A9D419AB355DB359E85CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5d8138f4379d4b5692c609f8b72ad9ccdb74003783d942ba116b681d1bfe123c
                    • Instruction ID: 8539618a043345a3f08ddb180bc65d3e891583484fb1fba85e946cba7926f530
                    • Opcode Fuzzy Hash: 5d8138f4379d4b5692c609f8b72ad9ccdb74003783d942ba116b681d1bfe123c
                    • Instruction Fuzzy Hash: 7AC1AE74E00218CFEB54DFA5D994BADBBB2BF88304F2081A9D409AB355DB359A85CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c4d053068d9511d536dcea4223e9a27b14a259485e1fd6f87898729c7585af46
                    • Instruction ID: b0ab21457f1d32ae7b43181002a342e49bd8eabace79fa8ca682184d79aeedfd
                    • Opcode Fuzzy Hash: c4d053068d9511d536dcea4223e9a27b14a259485e1fd6f87898729c7585af46
                    • Instruction Fuzzy Hash: BAC1BE74E00218CFEB54DFA5C994BADBBB2FF88304F2081A9D409AB355DB359A85CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ab9a30128f2310f7c64e1e63b771621eba445e7ce2159ba2186092028a1b9901
                    • Instruction ID: f2d22964dcfd24b24f882057f632a3b5ace7609de30400860093e2a953635363
                    • Opcode Fuzzy Hash: ab9a30128f2310f7c64e1e63b771621eba445e7ce2159ba2186092028a1b9901
                    • Instruction Fuzzy Hash: 6AC1AF74E00218CFEB54DFA5D994B9DBBB2BF88304F2481AAD409AB355DB355A81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bdfe0e02b04528066dcb6cbbdb663fa34f66f1a70eeaa63977e7c6a6ef04c39b
                    • Instruction ID: 66e6029cb8d841739cea1cb8409c690cf2402e4c161a3c4ebf9b048e47704a95
                    • Opcode Fuzzy Hash: bdfe0e02b04528066dcb6cbbdb663fa34f66f1a70eeaa63977e7c6a6ef04c39b
                    • Instruction Fuzzy Hash: 58C1A074E00218CFEB54DFA5D994B9DBBB2FF88304F2481A9D409AB355DB359A81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: df48996f6f7c322b6ad1da967e3f0adc5e4791a1f42af693e9305e545884dfb8
                    • Instruction ID: a4045dbf4ffe77900e13fd5d3120e5fcdab025340be9e1114e75581e46745fae
                    • Opcode Fuzzy Hash: df48996f6f7c322b6ad1da967e3f0adc5e4791a1f42af693e9305e545884dfb8
                    • Instruction Fuzzy Hash: E7C1AF74E00218CFEB54DFA9C994BADBBB2BF88304F2081A9D419AB355DB355E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c119bb15c375a2d36af6883bce715a36b62c493ea48de105f240a83d2bcd8b0b
                    • Instruction ID: 8fd9d806071d6eca088703bd2083503fe3c40d4b1e39e5f83166d426ad01cc64
                    • Opcode Fuzzy Hash: c119bb15c375a2d36af6883bce715a36b62c493ea48de105f240a83d2bcd8b0b
                    • Instruction Fuzzy Hash: 34C1AF74E00218CFEB55DFA5C994BADBBB2BF88304F2081A9D419AB355DB359E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1131c53af42f35813f1b66d6a11fb393b9a30e4557d1cc492940a988dfca7163
                    • Instruction ID: 43333b6c87105ed1df047bce4cd0fa2a4737cc804b3f4d5fe54dc68611755fb5
                    • Opcode Fuzzy Hash: 1131c53af42f35813f1b66d6a11fb393b9a30e4557d1cc492940a988dfca7163
                    • Instruction Fuzzy Hash: D6C19F74E00218CFEB54DFA5C994BADBBB2BF88304F2481A9D419AB355DB359A81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 320b3f6e429cf0cbe73faf20c7e107a408ce982d78f658c26bbf49eddf117046
                    • Instruction ID: 1ee27d056afe1af2050d2cb2adb01f8156e3433e561ab17639b3ae88a215421e
                    • Opcode Fuzzy Hash: 320b3f6e429cf0cbe73faf20c7e107a408ce982d78f658c26bbf49eddf117046
                    • Instruction Fuzzy Hash: EEC1BD74E00218CFEB54DFA5C994BADBBB2BF89304F2081A9D419AB355DB359E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3410e3a104847aa91bd5dc81ad2d90d5add7b705e4288d97c808d70a13e385bc
                    • Instruction ID: f55e82c72cd36d01e336891563645be95c06273059d1e097381733af2488d521
                    • Opcode Fuzzy Hash: 3410e3a104847aa91bd5dc81ad2d90d5add7b705e4288d97c808d70a13e385bc
                    • Instruction Fuzzy Hash: 4EC1BE74E00219CFEB54DFA5C994BADBBB2BF89304F2081A9D409AB355DB359E81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2d21a3eadce8574e2eb645d066a6f653a90e1689dcc726680ece1b1a7dea5777
                    • Instruction ID: 558bf965383bb8f399bff1ea655f2a315560a55351bf5f87f9f42e9aa095688a
                    • Opcode Fuzzy Hash: 2d21a3eadce8574e2eb645d066a6f653a90e1689dcc726680ece1b1a7dea5777
                    • Instruction Fuzzy Hash: FFC1A074E00218CFDB54DFA5D994BADBBB2FF88304F2481AAD409AB355DB359A81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ed243ad8244f00f447f71d82e880b4e1abbec3f3d98108425a7cba8ed762f9fc
                    • Instruction ID: 9fb4cc390f13f12f1ef709bcc1df552a64a3fb4fda199785481a3815cb4d4a69
                    • Opcode Fuzzy Hash: ed243ad8244f00f447f71d82e880b4e1abbec3f3d98108425a7cba8ed762f9fc
                    • Instruction Fuzzy Hash: 58C1B074E00218CFDB55DFA5C994B9DBBB2FF88304F2481A9D409AB355EB359A81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 056c7d4dc59608c842923e42aae16ea6528138fffe67c59bb145a293926d6369
                    • Instruction ID: 96f8457960da6a5fb031f55359df3ff48eaec7ceda667cf3be9145cdfbb6e49a
                    • Opcode Fuzzy Hash: 056c7d4dc59608c842923e42aae16ea6528138fffe67c59bb145a293926d6369
                    • Instruction Fuzzy Hash: 68C1B074E00218CFEB54DFA5C994B9DBBB2FF89304F2481A9D409AB355DB359A81CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e9406b0abcad415c5c2b3e34264347ec34c4db52f2b0dddcff80aea934d64d55
                    • Instruction ID: 2b83a3bf19833524e14cdad7bc623411dbad42bd426718e95768e1980d3af298
                    • Opcode Fuzzy Hash: e9406b0abcad415c5c2b3e34264347ec34c4db52f2b0dddcff80aea934d64d55
                    • Instruction Fuzzy Hash: 0FA11570D00208CFEB24DFA9C998BDDBBB1FF89304F248269E549AB291DB755985CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d63ade275f7c58b0a039fe3defbe767ca6b0ee5017b97dc702e846c181144dfb
                    • Instruction ID: 8dc6faa7ff740b2bd4bc6b4f301fc760f2e352c107bbaeb8117c0ebc235346a4
                    • Opcode Fuzzy Hash: d63ade275f7c58b0a039fe3defbe767ca6b0ee5017b97dc702e846c181144dfb
                    • Instruction Fuzzy Hash: 70B1A674E00218CFDB54DFA9D894A9DBBB2FF89310F2481A9D819AB365DB30AD41CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b7eb37ac9f8be030593f85026d242958796aea8a00bdec2200f1a168233d5e66
                    • Instruction ID: 12018e093b63c414709ce4e6f6c1b07e76e3883fc1c6672db746feaa62bc19c8
                    • Opcode Fuzzy Hash: b7eb37ac9f8be030593f85026d242958796aea8a00bdec2200f1a168233d5e66
                    • Instruction Fuzzy Hash: 79A11570D00208CFEB24DFA9C958BDDBBB1FF89314F248269E509AB291DB759985CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4544994206.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_55f0000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 93fb8c916b9c3e0c20f0e5cfcf1b2e4204be8cebf3a8d9f9a5a2db38e05900a1
                    • Instruction ID: 2340525abcdc833508289587b134b948b1eb4b61df12acda9f4fef691261111c
                    • Opcode Fuzzy Hash: 93fb8c916b9c3e0c20f0e5cfcf1b2e4204be8cebf3a8d9f9a5a2db38e05900a1
                    • Instruction Fuzzy Hash: E3910470D00608CFEB10DFA9C588BDCBBB1FF49314F248269E549AB291DB759985CF64
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fb536dede8d8ee2df9eabc0eb9e9c0a6a16d0fca7c3f31e89ab9ae5acdb2462b
                    • Instruction ID: fec1483bbdfccd561ed3d6ea633c90d4fc79f0c7cee95f593026a054e277c608
                    • Opcode Fuzzy Hash: fb536dede8d8ee2df9eabc0eb9e9c0a6a16d0fca7c3f31e89ab9ae5acdb2462b
                    • Instruction Fuzzy Hash: CD518374E00608CFDB48DFAAD994A9DBBF2FF89300F148169D419AB365DB349942CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.4545524329.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_6590000_InstallUtil.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c0adde678cfa606d59b69c061f4bd94dd0efdd599b540b6fbb17e086d9b8de12
                    • Instruction ID: 7f485d7ee2ad4ac6e75d8902e800e5229f539dec4003e100462676a1ee7577a5
                    • Opcode Fuzzy Hash: c0adde678cfa606d59b69c061f4bd94dd0efdd599b540b6fbb17e086d9b8de12
                    • Instruction Fuzzy Hash: 02D06735D0425CCACF10EF58D8503ADB772FF86310F0024968508B7640D7305E508E16