Edit tour

Windows Analysis Report
hesaphareketi-01.pdf.exe

Overview

General Information

Sample name:	hesaphareketi-01.pdf.exe
Analysis ID:	1576521
MD5:	1182b118e3ef6a2bb23c1fa63421f415
SHA1:	4d79a5d3934bc88874532c7a370c3d29331c2b67
SHA256:	e6898cab171f9677ea94663fd86b9b4e5a7589d0f3557b54d99fb6eb2abd18bc
Tags:	exegeoSnakeKeyloggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Allocates memory in foreign processes

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

hesaphareketi-01.pdf.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe" MD5: 1182B118E3EF6A2BB23C1FA63421F415)

InstallUtil.exe (PID: 7388 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 7396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

WerFault.exe (PID: 7504 cmdline: C:\Windows\system32\WerFault.exe -u -p 7268 -s 1016 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7125297965:AAFl6eQAjxqGeAfWHpfHbGAtADDAZUyFidM/sendMessage?chat_id=6367688286", "Token": "7125297965:AAFl6eQAjxqGeAfWHpfHbGAtADDAZUyFidM", "Chat_id": "6367688286", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14955:$a1: get_encryptedPassword 0x14c41:$a2: get_encryptedUsername 0x14761:$a3: get_timePasswordChanged 0x1485c:$a4: get_passwordField 0x1496b:$a5: set_encryptedPassword 0x1601b:$a7: get_logins 0x15f7e:$a10: KeyLoggerEventArgs 0x15be9:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19948:$x1: $%SMTPDV$ 0x1832c:$x2: $#TheHashHere%& 0x198f0:$x3: %FTPDV$ 0x182cc:$x4: $%TelegramDv$ 0x15be9:$x5: KeyLoggerEventArgs 0x15f7e:$x5: KeyLoggerEventArgs 0x19914:$m2: Clipboard Logs ID 0x19b52:$m2: Screenshot Logs ID 0x19c62:$m2: keystroke Logs ID 0x19f3c:$m3: SnakePW 0x19b2a:$m4: \SnakeKeylogger\
00000002.00000002.3844938865.00000000033E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3825d:$a1: get_encryptedPassword 0x58ea5:$a1: get_encryptedPassword 0x38549:$a2: get_encryptedUsername 0x59191:$a2: get_encryptedUsername 0x38069:$a3: get_timePasswordChanged 0x58cb1:$a3: get_timePasswordChanged 0x38164:$a4: get_passwordField 0x58dac:$a4: get_passwordField 0x38273:$a5: set_encryptedPassword 0x58ebb:$a5: set_encryptedPassword 0x39923:$a7: get_logins 0x5a56b:$a7: get_logins 0x39886:$a10: KeyLoggerEventArgs 0x5a4ce:$a10: KeyLoggerEventArgs 0x394f1:$a11: KeyLoggerEventArgsEventHandler 0x5a139:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3d250:$x1: $%SMTPDV$ 0x5de98:$x1: $%SMTPDV$ 0x3bc34:$x2: $#TheHashHere%& 0x5c87c:$x2: $#TheHashHere%& 0x3d1f8:$x3: %FTPDV$ 0x5de40:$x3: %FTPDV$ 0x3bbd4:$x4: $%TelegramDv$ 0x5c81c:$x4: $%TelegramDv$ 0x394f1:$x5: KeyLoggerEventArgs 0x39886:$x5: KeyLoggerEventArgs 0x5a139:$x5: KeyLoggerEventArgs 0x5a4ce:$x5: KeyLoggerEventArgs 0x3d21c:$m2: Clipboard Logs ID 0x3d45a:$m2: Screenshot Logs ID 0x3d56a:$m2: keystroke Logs ID 0x5de64:$m2: Clipboard Logs ID 0x5e0a2:$m2: Screenshot Logs ID 0x5e1b2:$m2: keystroke Logs ID 0x3d844:$m3: SnakePW 0x5e48c:$m3: SnakePW 0x3d432:$m4: \SnakeKeylogger\
00000002.00000002.3844938865.0000000003221000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e432:$a1: get_encryptedPassword 0x1e714:$a2: get_encryptedUsername 0x1e248:$a3: get_timePasswordChanged 0x1e343:$a4: get_passwordField 0x1e448:$a5: set_encryptedPassword 0x2091f:$a7: get_logins 0x20882:$a10: KeyLoggerEventArgs 0x204ed:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x204ed:$x5: KeyLoggerEventArgs 0x20882:$x5: KeyLoggerEventArgs 0x20e58:$x5: KeyLoggerEventArgs 0x211b9:$x5: KeyLoggerEventArgs 0x22ab1:$m2: Clipboard Logs ID 0x22bb7:$m2: Screenshot Logs ID 0x22c0d:$m2: keystroke Logs ID 0x22d42:$m3: SnakePW 0x22ba3:$m4: \SnakeKeylogger\
Process Memory Space: InstallUtil.exe PID: 7388	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7388	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 7388	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5f00:$a1: get_encryptedPassword 0x61e2:$a2: get_encryptedUsername 0x5d16:$a3: get_timePasswordChanged 0x5e11:$a4: get_passwordField 0x5f16:$a5: set_encryptedPassword 0x83ed:$a7: get_logins 0x8350:$a10: KeyLoggerEventArgs 0x7fbb:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 7388	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7fbb:$x5: KeyLoggerEventArgs 0x8350:$x5: KeyLoggerEventArgs 0x8926:$x5: KeyLoggerEventArgs 0x8c87:$x5: KeyLoggerEventArgs 0xa57f:$m2: Clipboard Logs ID 0xa685:$m2: Screenshot Logs ID 0xa6db:$m2: keystroke Logs ID 0xa810:$m3: SnakePW 0xa671:$m4: \SnakeKeylogger\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d55:$a1: get_encryptedPassword 0x13041:$a2: get_encryptedUsername 0x12b61:$a3: get_timePasswordChanged 0x12c5c:$a4: get_passwordField 0x12d6b:$a5: set_encryptedPassword 0x1441b:$a7: get_logins 0x1437e:$a10: KeyLoggerEventArgs 0x13fe9:$a11: KeyLoggerEventArgsEventHandler
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a70c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1993e:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d71:$a4: \Orbitum\User Data\Default\Login Data 0x1adb0:$a5: \Kometa\User Data\Default\Login Data
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13943:$s1: UnHook 0x1394a:$s2: SetHook 0x13952:$s3: CallNextHook 0x1395f:$s4: _hook
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d48:$x1: $%SMTPDV$ 0x1672c:$x2: $#TheHashHere%& 0x17cf0:$x3: %FTPDV$ 0x166cc:$x4: $%TelegramDv$ 0x13fe9:$x5: KeyLoggerEventArgs 0x1437e:$x5: KeyLoggerEventArgs 0x17d14:$m2: Clipboard Logs ID 0x17f52:$m2: Screenshot Logs ID 0x18062:$m2: keystroke Logs ID 0x1833c:$m3: SnakePW 0x17f2a:$m4: \SnakeKeylogger\
2.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.InstallUtil.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b55:$a1: get_encryptedPassword 0x14e41:$a2: get_encryptedUsername 0x14961:$a3: get_timePasswordChanged 0x14a5c:$a4: get_passwordField 0x14b6b:$a5: set_encryptedPassword 0x1621b:$a7: get_logins 0x1617e:$a10: KeyLoggerEventArgs 0x15de9:$a11: KeyLoggerEventArgsEventHandler
2.2.InstallUtil.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c50c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b73e:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb71:$a4: \Orbitum\User Data\Default\Login Data 0x1cbb0:$a5: \Kometa\User Data\Default\Login Data
2.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15743:$s1: UnHook 0x1574a:$s2: SetHook 0x15752:$s3: CallNextHook 0x1575f:$s4: _hook
2.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b48:$x1: $%SMTPDV$ 0x1852c:$x2: $#TheHashHere%& 0x19af0:$x3: %FTPDV$ 0x184cc:$x4: $%TelegramDv$ 0x15de9:$x5: KeyLoggerEventArgs 0x1617e:$x5: KeyLoggerEventArgs 0x19b14:$m2: Clipboard Logs ID 0x19d52:$m2: Screenshot Logs ID 0x19e62:$m2: keystroke Logs ID 0x1a13c:$m3: SnakePW 0x19d2a:$m4: \SnakeKeylogger\
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d55:$a1: get_encryptedPassword 0x13041:$a2: get_encryptedUsername 0x12b61:$a3: get_timePasswordChanged 0x12c5c:$a4: get_passwordField 0x12d6b:$a5: set_encryptedPassword 0x1441b:$a7: get_logins 0x1437e:$a10: KeyLoggerEventArgs 0x13fe9:$a11: KeyLoggerEventArgsEventHandler
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a70c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1993e:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d71:$a4: \Orbitum\User Data\Default\Login Data 0x1adb0:$a5: \Kometa\User Data\Default\Login Data
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13943:$s1: UnHook 0x1394a:$s2: SetHook 0x13952:$s3: CallNextHook 0x1395f:$s4: _hook
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d48:$x1: $%SMTPDV$ 0x1672c:$x2: $#TheHashHere%& 0x17cf0:$x3: %FTPDV$ 0x166cc:$x4: $%TelegramDv$ 0x13fe9:$x5: KeyLoggerEventArgs 0x1437e:$x5: KeyLoggerEventArgs 0x17d14:$m2: Clipboard Logs ID 0x17f52:$m2: Screenshot Logs ID 0x18062:$m2: keystroke Logs ID 0x1833c:$m3: SnakePW 0x17f2a:$m4: \SnakeKeylogger\
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b55:$a1: get_encryptedPassword 0x14e41:$a2: get_encryptedUsername 0x14961:$a3: get_timePasswordChanged 0x14a5c:$a4: get_passwordField 0x14b6b:$a5: set_encryptedPassword 0x1621b:$a7: get_logins 0x1617e:$a10: KeyLoggerEventArgs 0x15de9:$a11: KeyLoggerEventArgsEventHandler
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15743:$s1: UnHook 0x1574a:$s2: SetHook 0x15752:$s3: CallNextHook 0x1575f:$s4: _hook
0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b48:$x1: $%SMTPDV$ 0x1852c:$x2: $#TheHashHere%& 0x19af0:$x3: %FTPDV$ 0x184cc:$x4: $%TelegramDv$ 0x15de9:$x5: KeyLoggerEventArgs 0x1617e:$x5: KeyLoggerEventArgs 0x19b14:$m2: Clipboard Logs ID 0x19d52:$m2: Screenshot Logs ID 0x19e62:$m2: keystroke Logs ID 0x1a13c:$m3: SnakePW 0x19d2a:$m4: \SnakeKeylogger\
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b55:$a1: get_encryptedPassword 0x3579d:$a1: get_encryptedPassword 0x14e41:$a2: get_encryptedUsername 0x35a89:$a2: get_encryptedUsername 0x14961:$a3: get_timePasswordChanged 0x355a9:$a3: get_timePasswordChanged 0x14a5c:$a4: get_passwordField 0x356a4:$a4: get_passwordField 0x14b6b:$a5: set_encryptedPassword 0x357b3:$a5: set_encryptedPassword 0x1621b:$a7: get_logins 0x36e63:$a7: get_logins 0x1617e:$a10: KeyLoggerEventArgs 0x36dc6:$a10: KeyLoggerEventArgs 0x15de9:$a11: KeyLoggerEventArgsEventHandler 0x36a31:$a11: KeyLoggerEventArgsEventHandler
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15743:$s1: UnHook 0x3638b:$s1: UnHook 0x1574a:$s2: SetHook 0x36392:$s2: SetHook 0x15752:$s3: CallNextHook 0x3639a:$s3: CallNextHook 0x1575f:$s4: _hook 0x363a7:$s4: _hook
0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b48:$x1: $%SMTPDV$ 0x3a790:$x1: $%SMTPDV$ 0x1852c:$x2: $#TheHashHere%& 0x39174:$x2: $#TheHashHere%& 0x19af0:$x3: %FTPDV$ 0x3a738:$x3: %FTPDV$ 0x184cc:$x4: $%TelegramDv$ 0x39114:$x4: $%TelegramDv$ 0x15de9:$x5: KeyLoggerEventArgs 0x1617e:$x5: KeyLoggerEventArgs 0x36a31:$x5: KeyLoggerEventArgs 0x36dc6:$x5: KeyLoggerEventArgs 0x19b14:$m2: Clipboard Logs ID 0x19d52:$m2: Screenshot Logs ID 0x19e62:$m2: keystroke Logs ID 0x3a75c:$m2: Clipboard Logs ID 0x3a99a:$m2: Screenshot Logs ID 0x3aaaa:$m2: keystroke Logs ID 0x1a13c:$m3: SnakePW 0x3ad84:$m3: SnakePW 0x19d2a:$m4: \SnakeKeylogger\
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe", CommandLine: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe, NewProcessName: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe, OriginalFileName: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7452, ProcessCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe", ProcessId: 7268, ProcessName: hesaphareketi-01.pdf.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:28:48.671408+0100	2803305	3	Unknown Traffic	192.168.2.8	49710	104.21.67.152	443	TCP
2024-12-17T08:28:51.794893+0100	2803305	3	Unknown Traffic	192.168.2.8	49714	104.21.67.152	443	TCP
2024-12-17T08:28:54.882285+0100	2803305	3	Unknown Traffic	192.168.2.8	49717	104.21.67.152	443	TCP
2024-12-17T08:29:04.213431+0100	2803305	3	Unknown Traffic	192.168.2.8	49723	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:28:44.601686+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	132.226.247.73	80	TCP
2024-12-17T08:28:47.054808+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	132.226.247.73	80	TCP
2024-12-17T08:28:50.164193+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	132.226.247.73	80	TCP
2024-12-17T08:28:53.273570+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49715	132.226.247.73	80	TCP
2024-12-17T08:28:56.398624+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49718	132.226.247.73	80	TCP
2024-12-17T08:28:59.507946+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49720	132.226.247.73	80	TCP
2024-12-17T08:29:02.601834+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49722	132.226.247.73	80	TCP
2024-12-17T08:29:05.867344+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49724	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7125297965:AAFl6eQAjxqGeAfWHpfHbGAtADDAZUyFidM/sendMessage?chat_id=6367688286", "Token": "7125297965:AAFl6eQAjxqGeAfWHpfHbGAtADDAZUyFidM", "Chat_id": "6367688286", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: hesaphareketi-01.pdf.exe	Virustotal: Detection: 34%			Perma Link
Source: hesaphareketi-01.pdf.exe	ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: hesaphareketi-01.pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49708 version: TLS 1.0

Source: hesaphareketi-01.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbMZ@ source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER76EC.tmp.dmp.6.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0133F1F6h	2_2_0133F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0133FB80h	2_2_0133F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0133E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0133EB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0133ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05721A38h	2_2_05721620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05721471h	2_2_057211C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 057202F1h	2_2_05720040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572D019h	2_2_0572CD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05721011h	2_2_05720D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572BEB9h	2_2_0572BC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572C769h	2_2_0572C4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05720751h	2_2_057204A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572F731h	2_2_0572F488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572BA61h	2_2_0572B7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572EA29h	2_2_0572E780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572D8C9h	2_2_0572D620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05721A38h	2_2_05721610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572E179h	2_2_0572DED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05721A38h	2_2_05721966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572CBC1h	2_2_0572C918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05720BB1h	2_2_05720900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572D471h	2_2_0572D1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572C311h	2_2_0572C068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572F2D9h	2_2_0572F030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572FB89h	2_2_0572F8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572B609h	2_2_0572B360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572E5D1h	2_2_0572E328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572EE81h	2_2_0572EBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0572DD21h	2_2_0572DA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05721A38h	2_2_05721A0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE8D4Dh	2_2_05CE8A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE5849h	2_2_05CE55A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE8861h	2_2_05CE85B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE0FF1h	2_2_05CE0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE8409h	2_2_05CE8160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE7FB1h	2_2_05CE7D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE0B99h	2_2_05CE08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE0741h	2_2_05CE0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE7B59h	2_2_05CE78B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE02E9h	2_2_05CE0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE7702h	2_2_05CE7458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_05CE37C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE7281h	2_2_05CE6FD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE6E29h	2_2_05CE6B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_05CE37B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE69D1h	2_2_05CE6728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE6579h	2_2_05CE62D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE6121h	2_2_05CE5E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05CE5CC9h	2_2_05CE5A20

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49718 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49715 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49720 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49722 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49724 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49710 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49717 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49723 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49714 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49708 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: InstallUtil.exe, 00000002.00000002.3844938865.0000000003391000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000339E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000002.00000002.3844938865.0000000003391000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000339E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003326000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000032D7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000002.00000002.3844938865.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000002.00000002.3844938865.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003391000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000339E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: InstallUtil.exe, 00000002.00000002.3844938865.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: InstallUtil.exe, 00000002.00000002.3844938865.0000000003391000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000339E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003326000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000032E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: InstallUtil.exe, 00000002.00000002.3844938865.0000000003391000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000339E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003326000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 7388, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 7388, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: hesaphareketi-01.pdf.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B01331D	0_2_00007FFB4B01331D
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B0181C8	0_2_00007FFB4B0181C8
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B02421D	0_2_00007FFB4B02421D
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B018278	0_2_00007FFB4B018278
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B01B0F9	0_2_00007FFB4B01B0F9
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B018100	0_2_00007FFB4B018100
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B018108	0_2_00007FFB4B018108
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B01E109	0_2_00007FFB4B01E109
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B010E88	0_2_00007FFB4B010E88
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B013D15	0_2_00007FFB4B013D15
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B018260	0_2_00007FFB4B018260
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B01F89F	0_2_00007FFB4B01F89F
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B01F159	0_2_00007FFB4B01F159
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B0E0000	0_2_00007FFB4B0E0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01336108	2_2_01336108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133C190	2_2_0133C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133F007	2_2_0133F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133B328	2_2_0133B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133C470	2_2_0133C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01336730	2_2_01336730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133C751	2_2_0133C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01339858	2_2_01339858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133BBD2	2_2_0133BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133CA31	2_2_0133CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01334AD9	2_2_01334AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133BEB0	2_2_0133BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133300F	2_2_0133300F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01333062	2_2_01333062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_013330AE	2_2_013330AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133330E	2_2_0133330E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133E528	2_2_0133E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133E517	2_2_0133E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01333570	2_2_01333570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0133B4F2	2_2_0133B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_057236E8	2_2_057236E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_057279E8	2_2_057279E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_057211C0	2_2_057211C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05720040	2_2_05720040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_057282D8	2_2_057282D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572CD70	2_2_0572CD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05720D60	2_2_05720D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572CD61	2_2_0572CD61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05720D51	2_2_05720D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572F478	2_2_0572F478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572BC10	2_2_0572BC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572BC00	2_2_0572BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05727C08	2_2_05727C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572C4C0	2_2_0572C4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572C4B0	2_2_0572C4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_057204A0	2_2_057204A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05720490	2_2_05720490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572F488	2_2_0572F488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572E770	2_2_0572E770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572B7B8	2_2_0572B7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572B7A8	2_2_0572B7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572E780	2_2_0572E780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572D620	2_2_0572D620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572D610	2_2_0572D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572DED0	2_2_0572DED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_057236D8	2_2_057236D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572DEC1	2_2_0572DEC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572C918	2_2_0572C918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05720900	2_2_05720900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572C90B	2_2_0572C90B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_057281DE	2_2_057281DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572D1C8	2_2_0572D1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_057211B0	2_2_057211B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572D1B8	2_2_0572D1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572C068	2_2_0572C068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572C058	2_2_0572C058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572F030	2_2_0572F030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572F021	2_2_0572F021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05720007	2_2_05720007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_057208F0	2_2_057208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572F8E0	2_2_0572F8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572F8D1	2_2_0572F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572B360	2_2_0572B360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572B34F	2_2_0572B34F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572E328	2_2_0572E328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572E318	2_2_0572E318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572EBD8	2_2_0572EBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572EBC8	2_2_0572EBC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572DA78	2_2_0572DA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05727260	2_2_05727260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0572DA69	2_2_0572DA69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05727250	2_2_05727250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEC9E0	2_2_05CEC9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEBD40	2_2_05CEBD40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEB0A8	2_2_05CEB0A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE9059	2_2_05CE9059
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEA410	2_2_05CEA410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CED030	2_2_05CED030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEC390	2_2_05CEC390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEB6F0	2_2_05CEB6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEAA60	2_2_05CEAA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CED678	2_2_05CED678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE8A10	2_2_05CE8A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEC9D0	2_2_05CEC9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE5593	2_2_05CE5593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE1191	2_2_05CE1191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE85A8	2_2_05CE85A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE11A0	2_2_05CE11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE55A0	2_2_05CE55A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE85B8	2_2_05CE85B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE0D48	2_2_05CE0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE8150	2_2_05CE8150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE8160	2_2_05CE8160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE7D08	2_2_05CE7D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE0D39	2_2_05CE0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEBD30	2_2_05CEBD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE08E0	2_2_05CE08E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE7CF8	2_2_05CE7CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE08F0	2_2_05CE08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE0488	2_2_05CE0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE789F	2_2_05CE789F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE0498	2_2_05CE0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE78B0	2_2_05CE78B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE7448	2_2_05CE7448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE0040	2_2_05CE0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE7458	2_2_05CE7458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE2C0F	2_2_05CE2C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE0006	2_2_05CE0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEA400	2_2_05CEA400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE2C20	2_2_05CE2C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CED020	2_2_05CED020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE4838	2_2_05CE4838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE6FC9	2_2_05CE6FC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE37C0	2_2_05CE37C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE6FD8	2_2_05CE6FD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE6B80	2_2_05CE6B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEC380	2_2_05CEC380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE37B0	2_2_05CE37B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE6B73	2_2_05CE6B73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE6718	2_2_05CE6718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE6728	2_2_05CE6728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE3B38	2_2_05CE3B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE62C0	2_2_05CE62C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE62D0	2_2_05CE62D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEB6E1	2_2_05CEB6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CEAA50	2_2_05CEAA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CED66A	2_2_05CED66A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE5E68	2_2_05CE5E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE5E78	2_2_05CE5E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE8A04	2_2_05CE8A04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE5A11	2_2_05CE5A11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05CE5A20	2_2_05CE5A20

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7268 -s 1016

Source: hesaphareketi-01.pdf.exe

Static PE information: No import functions for PE file found

Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1542823135.0000013324620000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIrorexemilamozaqode6 vs hesaphareketi-01.pdf.exe
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs hesaphareketi-01.pdf.exe
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIrorexemilamozaqode6 vs hesaphareketi-01.pdf.exe
Source: hesaphareketi-01.pdf.exe	Binary or memory string: OriginalFilenameConsoleApplication3.exe4 vs hesaphareketi-01.pdf.exe

Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 7388, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 7388, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: hesaphareketi-01.pdf.exe

Static PE information: Section: .rsrc ZLIB complexity 0.998026163176034

Source: hesaphareketi-01.pdf.exe, -------.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, tk-m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, tk-m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, tk-m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, tk-m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, m.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, tk-m.cs	Base64 encoded string: 'GIHvVVZfYDx+zRGgaKP1TiY4p0XGXf0l94tSPSZ598tJdvqm1bzdBlxLcohtz0FX'
Source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, tk-m.cs	Base64 encoded string: 'GIHvVVZfYDx+zRGgaKP1TiY4p0XGXf0l94tSPSZ598tJdvqm1bzdBlxLcohtz0FX'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@6/5@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7268

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\80fa8280-1961-4e0f-b5b7-c7189e8d5abf

Jump to behavior

Source: hesaphareketi-01.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe, 00000002.00000002.3844938865.0000000003450000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000034A2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000346E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3846616724.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003495000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000345F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: hesaphareketi-01.pdf.exe	Virustotal: Detection: 34%
Source: hesaphareketi-01.pdf.exe	ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7268 -s 1016
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: hesaphareketi-01.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: hesaphareketi-01.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbMZ@ source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER76EC.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER76EC.tmp.dmp.6.dr

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B017280 push ebx; iretd	0_2_00007FFB4B01756A
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B024038 push cs; ret	0_2_00007FFB4B02403D
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B012720 push eax; ret	0_2_00007FFB4B012731
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00007FFB4B0E0000 push esp; retf 4810h	0_2_00007FFB4B0E0312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_013324B9 push 8BFFFFFFh; retf	2_2_013324BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05722CF0 push esp; iretd	2_2_05722CF1

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: hesaphareketi-01.pdf.exe

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Memory allocated: 1330A720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Memory allocated: 13323E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 12F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599309	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598963	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596480	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596205	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595981	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595831	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594109	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 8054			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1788			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7668	Thread sleep count: 8054 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7668	Thread sleep count: 1788 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -599669s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -599309s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -598963s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -598296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -597966s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -596827s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -596480s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -596205s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -595981s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -595831s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7664	Thread sleep time: -594109s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599309	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598963	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596480	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596205	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595981	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595831	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594109	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: InstallUtil.exe, 00000002.00000002.3843678333.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1d50
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_057279E8 LdrInitializeThunk,

2_2_057279E8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F2A008	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"			Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"			Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Queries volume information: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3844938865.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3844938865.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7388, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7388, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be8b350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.1331be6a708.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3844938865.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3844938865.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7388, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hesaphareketi-01.pdf.exe	35%	Virustotal		Browse
hesaphareketi-01.pdf.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
hesaphareketi-01.pdf.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	InstallUtil.exe, 00000002.00000002.3844938865.0000000003391000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000339E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003326000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.6.dr	false	high
http://checkip.dyndns.org	InstallUtil.exe, 00000002.00000002.3844938865.0000000003391000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000339E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003326000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000032D7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	InstallUtil.exe, 00000002.00000002.3844938865.0000000003391000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000339E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 00000002.00000002.3844938865.0000000003221000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	hesaphareketi-01.pdf.exe, 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	InstallUtil.exe, 00000002.00000002.3844938865.0000000003391000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000339E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003326000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	InstallUtil.exe, 00000002.00000002.3844938865.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003391000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.000000000339E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000033D9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	hesaphareketi-01.pdf.exe, 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3844938865.00000000032E3000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.67.152	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576521
Start date and time:	2024-12-17 08:27:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hesaphareketi-01.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@6/5@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 211 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.181.2, 4.175.87.197
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target hesaphareketi-01.pdf.exe, PID 7268 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:28:45	API Interceptor	10777720x Sleep call for process: InstallUtil.exe modified
02:28:49	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.67.152	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
132.226.247.73	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Hesap_Hareketleri_10122024_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Hesap_Hareketleri_09122024_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	132.226.8.169
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	188.114.97.3
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	172.67.177.134
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Brokerage Invoice.pdf.vbs	Get hash	malicious	Unknown	Browse	104.21.2.70
	DHL.exe	Get hash	malicious	FormBook	Browse	104.21.48.233
	SFHgtxFGtB.ps1	Get hash	malicious	Unknown	Browse	104.21.87.65
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	104.21.87.65
	1iC0WTxgUf.exe	Get hash	malicious	Unknown	Browse	104.18.0.75
	Instruction_695-18112-002_Rev.PDF.lnk.d.lnk	Get hash	malicious	Unknown	Browse	104.21.83.229
	https://essind.freshdesk.com/en/support/solutions/articles/157000010576-pedido-553268637	Get hash	malicious	Unknown	Browse	104.17.25.14
	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
UTMEMUS	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	132.226.8.169
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	104.21.67.152
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hesaphareketi-01_3ffcbc6a735f3e4af47273e3c2f361ad34325cd_57f7b72a_3ba493a6-892d-425a-a023-2ac34e7d3fd2\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9920135199674902
Encrypted:	false
SSDEEP:	96:Wn1FFFIQKy3Vs/hqSoNy/qSQXIDcQqc6jcEOcw3WH+BHUHZ0ownOgFkEwH3d2FYz:cIQP3VXv0UnUFaWB2WPzuiFwZ24lO8+
MD5:	EECBE128CE4387328E456D28667ADC03
SHA1:	0DFEFEFD9AD6EFDF07F6970CFBD8ACBADF6547DC
SHA-256:	D5CBCFE3939B129E230953757B4CA8C0F113A4289E8B6ED5F2A6B6C778D6D327
SHA-512:	1E319CD9BFA9E697AA22C6AC6894BE4A39318518C37303E7BDE18BD2A35D0115D23C8837206C5A6594EDB280D636DF3D875B05030D83D52DA66AFE6890D777AE
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.8.9.4.1.2.1.3.3.3.1.7.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.8.9.4.1.2.1.8.8.0.0.3.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.a.4.9.3.a.6.-.8.9.2.d.-.4.2.5.a.-.a.0.2.3.-.2.a.c.3.4.e.7.d.3.f.d.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.8.7.7.5.5.5.-.e.d.f.e.-.4.8.f.e.-.b.a.b.1.-.9.2.3.7.e.2.0.e.1.7.1.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.h.e.s.a.p.h.a.r.e.k.e.t.i.-.0.1...p.d.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.o.n.s.o.l.e.A.p.p.l.i.c.a.t.i.o.n.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.6.4.-.0.0.0.1.-.0.0.1.4.-.8.b.c.0.-.6.f.4.8.5.5.5.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.f.c.b.d.9.4.4.d.7.5.f.5.a.1.2.6.4.3.a.e.0.1.a.a.4.7.7.5.7.8.2.0.0.0.0.0.0.0.0.!.0.0.0.0.4.d.7.9.a.5.d.3.9.3.4.b.c.8.8.8.7.4.5.3.2.c.7.a.3.7.0.c.3.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76EC.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Dec 17 07:28:41 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	383645
Entropy (8bit):	3.249119235756896
Encrypted:	false
SSDEEP:	3072:q4BdTeQ8hGI3+vURP7DoA/4+OlaNAcSpe2gUVCW1CCqn/A:dBcNp3QY/Glaqo0Ccqn
MD5:	E5B8281896F4BD9B98C2206014374B69
SHA1:	1217031AAB2A6999357506AACB085F0CAB4601E6
SHA-256:	18C5F4D2D0960C1740D0B8E977F35EF81332586ED4DBED9E8A88E417F82EEE65
SHA-512:	91A6C60FB3DB4BE8ED5BB9994F1FF503D2AFC2B4480918DED42FAA013C954E9AFE826CEA01F24A06E9F5BD91D725AB07FB8D3C9B1C79CC64A066215751CACF0A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......)(ag....................................$...........@............C...s..........l.......8...........T...........`(..=............5...........7..............................................................................eJ.......8......Lw......................T.......d...#(ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7807.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8640
Entropy (8bit):	3.7079638646474096
Encrypted:	false
SSDEEP:	192:R6l7wVeJ2pUR6YSQDFY0gmfXaMqprl89bjEofNBm:R6lXJzR6YFD5gmfKMNjzfi
MD5:	92D5B847F6EFA2E6F93DCE3DBF4B9F50
SHA1:	29CF0B98DE5DFC8A5DCCE9DA1096DE874164FC7B
SHA-256:	9E4F63843CEE5EA399A5D829ED7FE3CCFB474B73415365548253BD8295F19BFB
SHA-512:	BFF9037B47996AACA6AD3CB6E8D52E7D5C99A40E4038C05DCE8AE7B20147A662D24D803F968AF61057D2394488DBA55FF6A3DC840F593EDFDB568B0D32E0AA6B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7856.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4817
Entropy (8bit):	4.523679912048198
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg771I9w7WpW8VYEYm8M4JGQFcbyq85jCgvOz9kd:uIjfaI7/K7VMJyb7gWz9kd
MD5:	84DE5C10A54DA405E800CE4A125D745D
SHA1:	D3DBA5579CB9C1058AE6CD4A3643F05BBBF0832F
SHA-256:	6979621ECDAB5E5D448D68480C4996AA08AE58C3BFC865A82DB4905FB68BA388
SHA-512:	9945896E0AF83E099DF51DA7CF4ED3DD3C83E4890F46E0F53EFA009DFC5A6B96BD4E42E575F8906F24B9D4B7237095DBE24BF0E281BC9C19FA0AE2A7A8CBA91E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634951" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372332109075051
Encrypted:	false
SSDEEP:	6144:XFVfpi6ceLP/9skLmb0cyWWSPtaJG8nAge35OlMMhA2AX4WABlguNjiL:VV1CyWWI/glMM6kF75q
MD5:	97DEB910313B30FD1F5A54B9E305F199
SHA1:	0B7A6B1DCC0073C58581762F88EA98EB7242C67A
SHA-256:	264C4CDAA45CBDD110AC6D660337499D4C04415C0A1B7D3257196857A74E7A90
SHA-512:	345084BABAB2CF16C6AFDFC875C87B2CE64254D38DB1D590C8F5ED4E75C29E9F3C3691507D062A38C9A7C622570A3B6E94C0C1BD89B4E1F77939CD78D265F6B5
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm>/.KUP...............................................................................................................................................................................................................................................................................................................................................%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.995604324481497
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hesaphareketi-01.pdf.exe
File size:	492'032 bytes
MD5:	1182b118e3ef6a2bb23c1fa63421f415
SHA1:	4d79a5d3934bc88874532c7a370c3d29331c2b67
SHA256:	e6898cab171f9677ea94663fd86b9b4e5a7589d0f3557b54d99fb6eb2abd18bc
SHA512:	e4ba194a7558383d53887fa15f840af3d416d2b9af9e4b0ac7021f2998f301dd69c51ea668da947d26b102f905cc09985b1a5c169bfc232bd66308e15bc51a5c
SSDEEP:	12288:K7m8gHOq4pFZ7vIyfymnN7DsAHX9o+NfEkNHjRcsuN:0DgHOPFZ7vIyHN7DsAHto+NRNHja
TLSH:	86A423C1D71C3A29F128967C99B0506C1EBCF94106F1F2963ED98978AAFA14DD2534F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....\|]g.........."...0..!...^........... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675D7C9F [Sat Dec 14 12:39:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x75d30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x21ca	0x2200	3585201feb5892df536fcfba80c6b08b	False	0.6507352941176471	data	6.164438071172592	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x75d30	0x75e00	84819c1992a18b02d5906a8568bfaace	False	0.998026163176034	data	7.999147951755787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
OMNIPOTENTMALWARE	0x62f0	0x75410	data	1.0003248159376354
OMNIPOTENTMALWARE	0x7b700	0x180	data	1.0286458333333333
OMNIPOTENTMALWARE	0x7b880	0x10	data	1.5625
OMNIPOTENTMALWARE	0x7b890	0x10	data	1.5
OMNIPOTENTMALWARE	0x7b8a0	0x10	data	1.5625
OMNIPOTENTMALWARE	0x7b8b0	0x20	data	1.28125
RT_VERSION	0x7b8d0	0x274	data	0.445859872611465
RT_MANIFEST	0x7bb44	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T08:28:44.601686+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49706	132.226.247.73	80	TCP
2024-12-17T08:28:47.054808+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49706	132.226.247.73	80	TCP
2024-12-17T08:28:48.671408+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49710	104.21.67.152	443	TCP
2024-12-17T08:28:50.164193+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49711	132.226.247.73	80	TCP
2024-12-17T08:28:51.794893+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49714	104.21.67.152	443	TCP
2024-12-17T08:28:53.273570+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49715	132.226.247.73	80	TCP
2024-12-17T08:28:54.882285+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49717	104.21.67.152	443	TCP
2024-12-17T08:28:56.398624+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49718	132.226.247.73	80	TCP
2024-12-17T08:28:59.507946+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49720	132.226.247.73	80	TCP
2024-12-17T08:29:02.601834+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49722	132.226.247.73	80	TCP
2024-12-17T08:29:04.213431+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49723	104.21.67.152	443	TCP
2024-12-17T08:29:05.867344+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49724	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:28:42.565640926 CET	49706	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:42.685430050 CET	80	49706	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:42.685523987 CET	49706	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:42.685851097 CET	49706	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:42.805552959 CET	80	49706	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:44.002084017 CET	80	49706	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:44.054852009 CET	49706	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:44.121664047 CET	49706	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:44.241478920 CET	80	49706	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:44.548054934 CET	80	49706	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:44.601686001 CET	49706	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:44.897924900 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:44.897974014 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:44.898046970 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:44.906620979 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:44.906640053 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:46.126858950 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:46.127011061 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:46.133418083 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:46.133447886 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:46.133959055 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:46.179806948 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:46.198380947 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:46.239340067 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:46.572182894 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:46.572261095 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:46.572441101 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:46.581753969 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:46.584867001 CET	49706	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:46.704700947 CET	80	49706	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:47.008728027 CET	80	49706	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:47.011979103 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:47.012027025 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:47.012104034 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:47.012342930 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:47.012363911 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:47.054807901 CET	49706	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:48.224858999 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:48.228455067 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:48.228477001 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:48.671447039 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:48.671525002 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:48.671578884 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:48.672867060 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:48.675801039 CET	49706	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:48.676703930 CET	49711	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:48.795833111 CET	80	49706	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:48.795917034 CET	49706	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:48.796463966 CET	80	49711	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:48.796550989 CET	49711	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:48.796713114 CET	49711	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:48.916419983 CET	80	49711	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:50.122003078 CET	80	49711	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:50.123437881 CET	49714	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:50.123486996 CET	443	49714	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:50.123537064 CET	49714	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:50.123846054 CET	49714	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:50.123861074 CET	443	49714	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:50.164192915 CET	49711	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:51.347140074 CET	443	49714	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:51.349128962 CET	49714	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:51.349148035 CET	443	49714	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:51.794874907 CET	443	49714	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:51.794941902 CET	443	49714	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:51.794994116 CET	49714	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:51.795406103 CET	49714	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:51.799086094 CET	49711	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:51.800301075 CET	49715	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:51.919213057 CET	80	49711	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:51.919336081 CET	49711	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:51.920053005 CET	80	49715	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:51.920172930 CET	49715	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:51.920356035 CET	49715	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:52.040076017 CET	80	49715	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:53.224457979 CET	80	49715	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:53.225794077 CET	49717	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:53.225809097 CET	443	49717	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:53.225980997 CET	49717	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:53.226229906 CET	49717	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:53.226246119 CET	443	49717	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:53.273570061 CET	49715	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:54.440041065 CET	443	49717	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:54.441587925 CET	49717	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:54.441631079 CET	443	49717	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:54.882293940 CET	443	49717	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:54.882352114 CET	443	49717	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:54.882715940 CET	49717	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:54.884613991 CET	49717	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:54.891010046 CET	49715	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:54.918900013 CET	49718	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:55.011210918 CET	80	49715	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:55.011293888 CET	49715	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:55.038779974 CET	80	49718	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:55.038943052 CET	49718	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:55.039098978 CET	49718	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:55.158763885 CET	80	49718	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:56.343292952 CET	80	49718	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:56.344645023 CET	49719	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:56.344695091 CET	443	49719	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:56.344762087 CET	49719	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:56.345000029 CET	49719	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:56.345016956 CET	443	49719	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:56.398623943 CET	49718	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:57.561239958 CET	443	49719	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:57.563333035 CET	49719	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:57.563354015 CET	443	49719	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:58.010272980 CET	443	49719	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:58.010332108 CET	443	49719	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:58.010520935 CET	49719	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:58.011019945 CET	49719	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:58.022743940 CET	49718	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:58.024168015 CET	49720	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:58.143201113 CET	80	49718	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:58.143301010 CET	49718	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:58.145414114 CET	80	49720	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:58.145510912 CET	49720	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:58.145642042 CET	49720	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:28:58.266566992 CET	80	49720	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:59.453620911 CET	80	49720	132.226.247.73	192.168.2.8
Dec 17, 2024 08:28:59.455142975 CET	49721	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:59.455194950 CET	443	49721	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:59.455411911 CET	49721	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:59.455703020 CET	49721	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:28:59.455713034 CET	443	49721	104.21.67.152	192.168.2.8
Dec 17, 2024 08:28:59.507946014 CET	49720	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:00.673844099 CET	443	49721	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:00.675667048 CET	49721	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:00.675700903 CET	443	49721	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:01.118513107 CET	443	49721	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:01.118576050 CET	443	49721	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:01.118628979 CET	49721	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:01.119899988 CET	49721	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:01.123347044 CET	49720	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:01.125452042 CET	49722	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:01.243875027 CET	80	49720	132.226.247.73	192.168.2.8
Dec 17, 2024 08:29:01.243972063 CET	49720	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:01.245240927 CET	80	49722	132.226.247.73	192.168.2.8
Dec 17, 2024 08:29:01.245379925 CET	49722	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:01.245554924 CET	49722	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:01.365250111 CET	80	49722	132.226.247.73	192.168.2.8
Dec 17, 2024 08:29:02.548876047 CET	80	49722	132.226.247.73	192.168.2.8
Dec 17, 2024 08:29:02.550961971 CET	49723	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:02.551013947 CET	443	49723	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:02.551116943 CET	49723	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:02.551471949 CET	49723	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:02.551482916 CET	443	49723	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:02.601834059 CET	49722	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:03.767301083 CET	443	49723	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:03.769284010 CET	49723	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:03.769356012 CET	443	49723	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:04.213442087 CET	443	49723	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:04.213505030 CET	443	49723	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:04.213871002 CET	49723	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:04.214363098 CET	49723	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:04.218547106 CET	49722	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:04.220041990 CET	49724	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:04.338876963 CET	80	49722	132.226.247.73	192.168.2.8
Dec 17, 2024 08:29:04.339781046 CET	80	49724	132.226.247.73	192.168.2.8
Dec 17, 2024 08:29:04.339871883 CET	49722	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:04.339932919 CET	49724	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:04.340157032 CET	49724	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:04.459852934 CET	80	49724	132.226.247.73	192.168.2.8
Dec 17, 2024 08:29:05.820117950 CET	80	49724	132.226.247.73	192.168.2.8
Dec 17, 2024 08:29:05.822263956 CET	49725	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:05.822309971 CET	443	49725	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:05.822415113 CET	49725	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:05.822738886 CET	49725	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:05.822757959 CET	443	49725	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:05.867343903 CET	49724	80	192.168.2.8	132.226.247.73
Dec 17, 2024 08:29:07.037724972 CET	443	49725	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:07.039263964 CET	49725	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:07.039323092 CET	443	49725	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:07.484683990 CET	443	49725	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:07.484854937 CET	443	49725	104.21.67.152	192.168.2.8
Dec 17, 2024 08:29:07.484956980 CET	49725	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:29:07.485438108 CET	49725	443	192.168.2.8	104.21.67.152
Dec 17, 2024 08:30:10.686322927 CET	80	49724	132.226.247.73	192.168.2.8
Dec 17, 2024 08:30:10.686590910 CET	49724	80	192.168.2.8	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:28:42.412317038 CET	50145	53	192.168.2.8	1.1.1.1
Dec 17, 2024 08:28:42.554719925 CET	53	50145	1.1.1.1	192.168.2.8
Dec 17, 2024 08:28:44.599525928 CET	61529	53	192.168.2.8	1.1.1.1
Dec 17, 2024 08:28:44.896970034 CET	53	61529	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 08:28:42.412317038 CET	192.168.2.8	1.1.1.1	0xc488	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:28:44.599525928 CET	192.168.2.8	1.1.1.1	0x6a66	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 08:28:42.554719925 CET	1.1.1.1	192.168.2.8	0xc488	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:28:42.554719925 CET	1.1.1.1	192.168.2.8	0xc488	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:28:42.554719925 CET	1.1.1.1	192.168.2.8	0xc488	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:28:42.554719925 CET	1.1.1.1	192.168.2.8	0xc488	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:28:42.554719925 CET	1.1.1.1	192.168.2.8	0xc488	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:28:42.554719925 CET	1.1.1.1	192.168.2.8	0xc488	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:28:44.896970034 CET	1.1.1.1	192.168.2.8	0x6a66	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:28:44.896970034 CET	1.1.1.1	192.168.2.8	0x6a66	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	132.226.247.73	80	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:28:42.685851097 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 08:28:44.002084017 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3fa0e4028d6c70dc40ef50de191401d3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 08:28:44.121664047 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 08:28:44.548054934 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6276287e37e149dcea926b226066cb21 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 08:28:46.584867001 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 08:28:47.008728027 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 90a0032e31881635f4622ea4bcb02db4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	132.226.247.73	80	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:28:48.796713114 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 08:28:50.122003078 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6d7adf910cbd2c247c28d30fdefb12a9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	132.226.247.73	80	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:28:51.920356035 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 08:28:53.224457979 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8fa00e0bf5a81e43e95ef9c9f8b32522 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49718	132.226.247.73	80	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:28:55.039098978 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 08:28:56.343292952 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 32f44c2468916d7e473265ab14a9eb28 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49720	132.226.247.73	80	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:28:58.145642042 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 08:28:59.453620911 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ced23b0690e87b0136e08a9107f813cc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49722	132.226.247.73	80	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:29:01.245554924 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 08:29:02.548876047 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:29:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2e5a1815bfef2b368dcc63b678118387 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49724	132.226.247.73	80	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:29:04.340157032 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 08:29:05.820117950 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:29:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 57b4d470cfbc01be62d69c125d9b5ef2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	104.21.67.152	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:28:46 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 07:28:46 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 409295 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P5a%2BuGoWNehvhMYwhqfFeN9zsOTIdMZ9Oz8OGaLRaeZ4IyVDhEUmTug0%2BS5KL9sYanOA%2BYDBm5jic1PSSpJu0HMBxplllNzoPM%2Fj%2FuUJuuMrW8IVEstBCguftW6ljPez54vPQBjz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3532c20e7c15a3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1452&min_rtt=1441&rtt_var=563&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1903520&cwnd=127&unsent_bytes=0&cid=7d35928e053fc0d7&ts=455&x=0"
2024-12-17 07:28:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	104.21.67.152	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:28:48 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 07:28:48 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 409297 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XpfwlCeMeZA%2FuPsJdmpHsfbpW%2BVR4%2Bqehy6ix6op6e08nexsR0BSnUMs4by7KRP4ruOE3No3%2BvTVWJ%2BtfSVFP2c3nsnwENwnO14wt9CTX0NULwMjbq5HRyQoetd6RUDAFaWUMXXC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3532cf2e087c8e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2022&min_rtt=2008&rtt_var=781&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1376709&cwnd=248&unsent_bytes=0&cid=39572607194abc31&ts=451&x=0"
2024-12-17 07:28:48 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	104.21.67.152	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:28:51 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 07:28:51 UTC	882	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 409300 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GQrFdQKp5fnOLwMm9DKrc6n5lgo3bcQ2ajo%2B5jmMYt3V3Z%2FbcDDNrKvBH%2BkkbfiJ47Wq9xallrZ5G97rhLc6oPPqr8prb%2F7ax4VH0E4P4nVhlNbxoQnZianVNaDMYgF%2BIrFl%2BwPx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3532e2aeef424c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1563&rtt_var=599&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1806930&cwnd=227&unsent_bytes=0&cid=fb2d5d0a842d42ef&ts=454&x=0"
2024-12-17 07:28:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49717	104.21.67.152	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:28:54 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 07:28:54 UTC	882	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 409303 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FgqEWdTRdldrTZy3SLE8EjRh7Xnp%2BBqtKW%2FBXCj82XdiBhWEmmMmGgEOYkTTCb4Ww%2FIZDgyMXGMQBPPBWOjoPt9AcpTULRiRJyTHRW7N3kf%2BUAtNJmDLHuFlPlAabzXVW%2FrRCVp4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3532f5ff8f15c3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1501&min_rtt=1496&rtt_var=572&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1893644&cwnd=252&unsent_bytes=0&cid=0b90fad86efeb9f3&ts=451&x=0"
2024-12-17 07:28:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49719	104.21.67.152	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:28:57 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 07:28:58 UTC	886	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:28:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 409306 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=US8PFnA%2BSIiNCnr%2Bt5uDnkEKBbpGF1Wh1NCI3guj%2BiWQZCwdShS4577167fDMvp3YTwsLixs6OMp2iZyXSqdWuGIwA8d%2FvDQZw79WPj%2BXtP%2FJM4bKZw%2F0GTdho%2FZeYoIJ3o6UuRN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3533098d038c1b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2519&min_rtt=2003&rtt_var=1783&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=476112&cwnd=210&unsent_bytes=0&cid=dd90acbc24dd10b1&ts=457&x=0"
2024-12-17 07:28:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49721	104.21.67.152	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:29:00 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 07:29:01 UTC	882	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:29:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 409309 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bz7QGisa%2FD9s97Tkd7M3qLVxiIWJNkEs4%2B3NxXD3Nz695IJlagboL%2BzfPVrhr3nN1lTtZUOJRKDWoC0PW%2B%2BvwVlQm6nVOTRiI0WcjGSYdJsG5lu1nBWOLw%2FoO3BoJEt41TVvzOdn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f35331cfa520f9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1517&min_rtt=1506&rtt_var=587&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1830721&cwnd=213&unsent_bytes=0&cid=4c229c78e218020b&ts=455&x=0"
2024-12-17 07:29:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49723	104.21.67.152	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:29:03 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 07:29:04 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:29:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 409313 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7myZov%2FN7j7hhDP6uSJ4Qty9D1eYDgQQsOjwdNv%2FITCpyl7kXZPzj2V20%2FEBZhic00zEQ08p5MPP4CrASPbKOoJnXX9nAC6clY12WHVRrGg1kIwEFFEPsdSThfHT%2FCpVWe%2BQc0cL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3533304f0b4368-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1596&rtt_var=602&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1812538&cwnd=233&unsent_bytes=0&cid=c3c0985b5d758029&ts=456&x=0"
2024-12-17 07:29:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49725	104.21.67.152	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:29:07 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 07:29:07 UTC	876	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:29:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 409316 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3GvRX93c%2FikJzffbylPM66MXq9MQ4LdLF6szXJCw6Iunadg8GYoawo5Bpcz7lhBh9y1KoGsJ3FEcmLxsQIuljDifdH39d8wsSQQdxfLV8VJ%2FEAfk9qwFaoJWgHCExBrsIVQiLTo%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f353344b9cd43f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1566&rtt_var=599&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1808049&cwnd=204&unsent_bytes=0&cid=a5c26150ad0e871f&ts=454&x=0"
2024-12-17 07:29:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	02:28:35
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\hesaphareketi-01.pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\hesaphareketi-01.pdf.exe"
Imagebase:	0x1330a1e0000
File size:	492'032 bytes
MD5 hash:	1182B118E3EF6A2BB23C1FA63421F415
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1540882631.000001330C19C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1541480811.000001331BE47000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:28:40
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Imagebase:	0xc80000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.3842779442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3844938865.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3844938865.0000000003221000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:28:40
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Imagebase:
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:28:41
Start date:	17/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7268 -s 1016
Imagebase:	0x7ff771d60000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFB4B013D15 Relevance: 4.2, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

fish, xrefs: 00007FFB4B013D60
X_J, xrefs: 00007FFB4B013DA0
hKK, xrefs: 00007FFB4B013E24

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: X_J$fish$hKK
API String ID: 0-3098413198
Opcode ID: aa5aebf6ace62d559c8649b5397ce168ce197ef0d3202732ee09f044a6642cb0
Instruction ID: 6640332fe415201ec47f067fd7210eed206ae8d3fd24c5ba468c2aef7a778097
Opcode Fuzzy Hash: aa5aebf6ace62d559c8649b5397ce168ce197ef0d3202732ee09f044a6642cb0
Instruction Fuzzy Hash: A1B18871A1CB491FE75DFE38D8551B973E1EF96211B0481BED58BC32E2DD29AC028781

Function 00007FFB4B01E109 Relevance: 4.1, Strings: 2, Instructions: 1577COMMON

Download Yara Rule

Strings

ON_H, xrefs: 00007FFB4B01ED62
[N_H, xrefs: 00007FFB4B01E293

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: ON_H$[N_H
API String ID: 0-4207816812
Opcode ID: edeff295fd4adb984c686d7b5b329b399b97249cac012153ed1f54354ddc91ed
Instruction ID: c5362788f02736557e02a17da3e2cb79a9973bf3ea1a3279aa4e91b231c11791
Opcode Fuzzy Hash: edeff295fd4adb984c686d7b5b329b399b97249cac012153ed1f54354ddc91ed
Instruction Fuzzy Hash: 84B2137061CB454FD35DEF28C4914B9B7E2FF85302B1489BEE48AC72A6DE25E846C781

Function 00007FFB4B010E88 Relevance: 3.2, Strings: 2, Instructions: 729COMMON

Download Yara Rule

Strings

HoK, xrefs: 00007FFB4B01471E
d, xrefs: 00007FFB4B01445F

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: HoK$d
API String ID: 0-3790475164
Opcode ID: db919958525b3915d22dae70381cb16927c0c0cb4b8d18e46de64ad2be4d2d7e
Instruction ID: 51269f36b6bff1c8d0eb5085739609bd0d90f976b24fd7f4af54f3c80db45e6d
Opcode Fuzzy Hash: db919958525b3915d22dae70381cb16927c0c0cb4b8d18e46de64ad2be4d2d7e
Instruction Fuzzy Hash: AF2243B091CA4A4FE34DEE3CD4815B577D1EF45311B1482BAD98EC72A7DD2AE8438B81

Function 00007FFB4B018108 Relevance: 2.9, Strings: 1, Instructions: 1666COMMON

Download Yara Rule

Strings

:N_L, xrefs: 00007FFB4B020263

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: :N_L
API String ID: 0-2258578227
Opcode ID: 336fd51d92fdc09c19fd3b81dbf923e7360df45bbde61db381ee30b258c8e697
Instruction ID: ee025d512db3e8783e4f6fda09807333b948c2d94d4ae469c2d44905f0c5048a
Opcode Fuzzy Hash: 336fd51d92fdc09c19fd3b81dbf923e7360df45bbde61db381ee30b258c8e697
Instruction Fuzzy Hash: 1FC29FB1A0CA498FDB9AEF38C495AB977E1FF55301F1440BAD44EC72A2DE24AC45CB41

Function 00007FFB4B02421D Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

zK, xrefs: 00007FFB4B02426D
zK, xrefs: 00007FFB4B024228

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: zK$zK
API String ID: 0-1499812205
Opcode ID: 3684ad154a25ef352ab509e12538b74b86eb8069bd0255b4e2745fd593be7b6a
Instruction ID: 2882202c0a4311324e74930c216d4b5b634a2ec71b092401fd4c26e362d8a1bf
Opcode Fuzzy Hash: 3684ad154a25ef352ab509e12538b74b86eb8069bd0255b4e2745fd593be7b6a
Instruction Fuzzy Hash: E6514E71A0D7890FD71E9A38C8561797BD5DB83310B15C2BFD58AC72A7DC285C0B8792

Function 00007FFB4B01F89F Relevance: 2.5, Strings: 1, Instructions: 1279COMMON

Download Yara Rule

Strings

:N_L, xrefs: 00007FFB4B020263

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: :N_L
API String ID: 0-2258578227
Opcode ID: 5361d0fce13684d6a009d60975115be7522e439577a25ae5f12b17acd2f9b0a4
Instruction ID: 1ba20089e88d2494638b6d9c2bef274337caa390171f26e1edf426f4e1afbeab
Opcode Fuzzy Hash: 5361d0fce13684d6a009d60975115be7522e439577a25ae5f12b17acd2f9b0a4
Instruction Fuzzy Hash: F572577190CB494FE35DEF38C4915B577E1FF95302B1086BED48AC72A2EE25A846C781

Function 00007FFB4B0E0000 Relevance: 2.2, Instructions: 2184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543526582.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b0e0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fadc7b7819b49aa094923e71f66f60bd188e27d81947544525149ed623e2dd3
Instruction ID: 7b600c780baf918278e82454eedf7fbc91f6eb547f4b26e6ce6df7d545c0d6e1
Opcode Fuzzy Hash: 2fadc7b7819b49aa094923e71f66f60bd188e27d81947544525149ed623e2dd3
Instruction Fuzzy Hash: 8BE235B280D7C64FE756EF38C8565A47FE0EF56301F0845FAD189CB6A3E9286806C791

Function 00007FFB4B01331D Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

rJ, xrefs: 00007FFB4B0133F9

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: rJ
API String ID: 0-1272313041
Opcode ID: 1c0bdf59d29de8af6d1a64eac4feeb7fb3a31734e2f538e56e00800f57a6164b
Instruction ID: 173d09519f68ed5edff9ed7af0fd5e3a9cc672fcc7363a8ccf815a3ff14aaf62
Opcode Fuzzy Hash: 1c0bdf59d29de8af6d1a64eac4feeb7fb3a31734e2f538e56e00800f57a6164b
Instruction Fuzzy Hash: 2FF1DDA1A0CA565FE31DAE38D8811F977D1FFC1312B18C17ED1CAC7296DD29B8468290

Function 00007FFB4B018100 Relevance: .8, Instructions: 752COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994634613eefd15a4ce0b0c7ef252ac2d25131f365ce83134c3a9b166a868717
Instruction ID: bc12f41f92f1ad1a918702ccb5ba721c357c5776404d61d1fab59f844260d734
Opcode Fuzzy Hash: 994634613eefd15a4ce0b0c7ef252ac2d25131f365ce83134c3a9b166a868717
Instruction Fuzzy Hash: DC32B370A1CA094FDB6CEE28D895A7977E1FF59301F1441BEE44EC72A2DE25EC428781

Function 00007FFB4B018278 Relevance: .6, Instructions: 641COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1debebd8c3478357c546fa78daea6869829ebb5c38c4a27ef0e3ba2097f907
Instruction ID: 4c46972673900f99193ee5ef0437e02edbf18efd82cea07d7fcde67bc32f30b4
Opcode Fuzzy Hash: 1b1debebd8c3478357c546fa78daea6869829ebb5c38c4a27ef0e3ba2097f907
Instruction Fuzzy Hash: E21216B1A1C9494FE3ADEA2CC5065A477D1FF89311B1482BAD58DC77B1DE28AC0E4383

Function 00007FFB4B0181C8 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7bea414a38a9b787d1cc1de8e21bfc00ef49fddd303ea5a002f59d974df722c
Instruction ID: 623713399d8dabcb29fad4d9ea655b6312d3fdf2fc0f0d62c5364477aa868c6d
Opcode Fuzzy Hash: a7bea414a38a9b787d1cc1de8e21bfc00ef49fddd303ea5a002f59d974df722c
Instruction Fuzzy Hash: B51227B1A1CA498FE798EF3CC8467B877E1FF99311F1441B9D54CC72A2CE2968068751

Function 00007FFB4B01B0F9 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2a374846e9f591a3b87cc813f2d21d50371863c18dcd26b5f601ff527b9e9
Instruction ID: b7598f39502acb2a909fabbd14bbcb67fe9a6046c61b7be2d18cb0ecaeb8deab
Opcode Fuzzy Hash: 9ba2a374846e9f591a3b87cc813f2d21d50371863c18dcd26b5f601ff527b9e9
Instruction Fuzzy Hash: AAE15A7150CB864FE31DDF38C4911B5BBE2FF95302B1886BED5C6C72A1DA29A846C781

Function 00007FFB4B01F159 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffeaa581ef8519ec32d2058dd996682cfad0fbab37b5e6079a64ac4a3ccc671
Instruction ID: 2491bb5be26e1f1ed7daafe4c6842267d2196b890c9f734b62143e2924e3973a
Opcode Fuzzy Hash: 3ffeaa581ef8519ec32d2058dd996682cfad0fbab37b5e6079a64ac4a3ccc671
Instruction Fuzzy Hash: C9C117B1A1C94A4FE7ACEE28C4462B537D1FF98312F5441B9D54CC77A2DD2AAC0A8781

Function 00007FFB4B023650 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

zK, xrefs: 00007FFB4B02376A
zK, xrefs: 00007FFB4B0237E6
zK, xrefs: 00007FFB4B0236CA
zK, xrefs: 00007FFB4B02372A
zK, xrefs: 00007FFB4B02370A
zK, xrefs: 00007FFB4B02374A
zK, xrefs: 00007FFB4B0236EA

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: zK$zK$zK$zK$zK$zK$zK
API String ID: 0-1295247578
Opcode ID: 7ee2d79858d47dd873a09c9ac79d0de740170b7bf3dc189d7eb3d2a18cc44246
Instruction ID: f48cb0578da69d593e08034c182bb5efea7e73c01e1ffbf23b66580d87a577d9
Opcode Fuzzy Hash: 7ee2d79858d47dd873a09c9ac79d0de740170b7bf3dc189d7eb3d2a18cc44246
Instruction Fuzzy Hash: CE813CE2E1DF8A5FD75AAB34C4505A1BBE1EF62210F0487FAC04AC31D7DC1CA8098792

Function 00007FFB4B0106D3 Relevance: 3.0, Strings: 2, Instructions: 460COMMON

Download Yara Rule

Strings

@O_I, xrefs: 00007FFB4B010704
?O_I, xrefs: 00007FFB4B010804

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: ?O_I$@O_I
API String ID: 0-4232489661
Opcode ID: 1fddc4c4ab57113e505143789ec78667a7bf96196800a6c81906b6bd0ecf2cb6
Instruction ID: 964d3ed16be086f2d6f9b758890f9221ad235a0522037a64873f36d8e6ec17e4
Opcode Fuzzy Hash: 1fddc4c4ab57113e505143789ec78667a7bf96196800a6c81906b6bd0ecf2cb6
Instruction Fuzzy Hash: A5D14B92A0DB910FE359AA7C98152787BD1FF86311B5581FBE1CCCB2E7EC199C068391

Function 00007FFB4B010620 Relevance: 1.6, Strings: 1, Instructions: 378COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFB4B011F44

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 01ad54ef308e2c2d95d934b874654238e895e19b6a0fa2c56c5393be4f646a8a
Instruction ID: b9aa4d481121148a3ae88081f1314054f40b8aeb0309519881ed5a019225e011
Opcode Fuzzy Hash: 01ad54ef308e2c2d95d934b874654238e895e19b6a0fa2c56c5393be4f646a8a
Instruction Fuzzy Hash: 49B1EFB0A1CA4A4FD36DEE28C4415B177E1FF55310B1486BDC58AC76A7DE2AF8538780

Function 00007FFB4B020158 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

:N_L, xrefs: 00007FFB4B020263

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: :N_L
API String ID: 0-2258578227
Opcode ID: 0278106ad4e59b57d9ae94d1c8cfea90bb360b4e4960a97e60f5514f5d280505
Instruction ID: ffceb84bcea40f775241705e6074d860bd68e4a52866e5c66823f8fed42c6565
Opcode Fuzzy Hash: 0278106ad4e59b57d9ae94d1c8cfea90bb360b4e4960a97e60f5514f5d280505
Instruction Fuzzy Hash: 91816AB190CB494FE76EEE38C44567537D1EF95302F0081BAD58DC73A2ED28AC0A8792

Function 00007FFB4B016EC0 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

sk, xrefs: 00007FFB4B016FEE, 00007FFB4B01706D

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: sk
API String ID: 0-977471097
Opcode ID: 3ffe2f97435951784157762a6921330d1086304e8089e3b2222fb26b5dd67fd6
Instruction ID: f29a99ab6fa34db0548dd5efacb382a1042e79a1b32d3d7bbc33c3886d1da8a3
Opcode Fuzzy Hash: 3ffe2f97435951784157762a6921330d1086304e8089e3b2222fb26b5dd67fd6
Instruction Fuzzy Hash: 2671E77091C60E8FDB4DEF28C5905BA77A2FF94301F1085B9E109C7296DA36F892CB80

Function 00007FFB4B0128B8 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFB4B01445F

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 1170e072421776f1da1419f1f9accd58c92695ee12125c2c6e3922a4a05d4782
Instruction ID: b5ad8507ada09d833bd825ac4340cd0ca8e139ed36dac0d56fe99085c28005cd
Opcode Fuzzy Hash: 1170e072421776f1da1419f1f9accd58c92695ee12125c2c6e3922a4a05d4782
Instruction Fuzzy Hash: B861F1B0A1CA094BE74CEE2CD58157573D1FB44305B1481B8DA4ECB2A7DE2AF853CA81

Function 00007FFB4B011D28 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFB4B011F44

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 4f57411f3cc1ff1f075734dab1bfe2696614e2d48f2e082b281d43a729f27fb3
Instruction ID: ef5670ae5dddb071e5a71f1124c1102e5a7bde3917165df2c63ff13f67c416eb
Opcode Fuzzy Hash: 4f57411f3cc1ff1f075734dab1bfe2696614e2d48f2e082b281d43a729f27fb3
Instruction Fuzzy Hash: 2551CDB091CA094FE32DEE28C5815B177E1FF55305B1485BDD69F836A3DE26B8238681

Function 00007FFB4B025560 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

F+, xrefs: 00007FFB4B025576

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: F+
API String ID: 0-1357166025
Opcode ID: 85aa161670c55a0262b059c3b558ecabbdbe46847f4d1c0f005608150c4461fa
Instruction ID: 4379a5da6ab4117e0080bbe3c1a39c86342d6b757bb655cd601d9e5380a7425d
Opcode Fuzzy Hash: 85aa161670c55a0262b059c3b558ecabbdbe46847f4d1c0f005608150c4461fa
Instruction Fuzzy Hash: CF51A06151E3C54FD70BAB388D251A47FB1EB53301B2982EBC086CB2F7D9299C4AC356

Function 00007FFB4B023FBD Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

zK, xrefs: 00007FFB4B023FD3

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: zK
API String ID: 0-161796052
Opcode ID: 93950665aa285ee1be538689c84434023b478385d8dfef4098776180fb5b068a
Instruction ID: ff10c74ded7cc4fd1058d1c08a98c97110551034d58b7daf5f261345135c9909
Opcode Fuzzy Hash: 93950665aa285ee1be538689c84434023b478385d8dfef4098776180fb5b068a
Instruction Fuzzy Hash: 2231E16160E7C54FC30BAB74D8641A47FA1AF87324B1A40FBD145CF6B3D9296D8AC362

Function 00007FFB4B012CD2 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

PRJ, xrefs: 00007FFB4B012D44

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: PRJ
API String ID: 0-2028185031
Opcode ID: a7e048e67567c94faa95d7282d781ceb660dd8aa9f938460d35fb47627becda5
Instruction ID: 37d58a7408f66f5b712d983ab3d1943e12504da525529c7b1d11a7ceeb225114
Opcode Fuzzy Hash: a7e048e67567c94faa95d7282d781ceb660dd8aa9f938460d35fb47627becda5
Instruction Fuzzy Hash: 5E21057180E7CA4FEB87EBB8C8551E97FF1EF46250B1405EBC488CA1A3DA39194AC751

Function 00007FFB4B01B581 Relevance: .9, Instructions: 896COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecad344c48312cd49d958b6914fd62ee082d554b494f5bc060c2074fe26ebfc
Instruction ID: 91c898482ea73f7d9762ee8e09a74ec6e4819c4f2622c614da1b59da90d7ad46
Opcode Fuzzy Hash: eecad344c48312cd49d958b6914fd62ee082d554b494f5bc060c2074fe26ebfc
Instruction Fuzzy Hash: 4F52367090CA4A8FE759EF38C4945B4BBE1FF55301B1885BED48AC73A2DE39A846C740

Function 00007FFB4B013318 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69435fe82660bb1b3b47dedafe97f061fb822ce8139492e268250e3bc8cf2381
Instruction ID: 5264febf958b6960b2f0475b45b510a7c8d85300b8ad921bb6fd49d8464ae3ad
Opcode Fuzzy Hash: 69435fe82660bb1b3b47dedafe97f061fb822ce8139492e268250e3bc8cf2381
Instruction Fuzzy Hash: 13E1E2A191E7C60FD35A9B3488605B17FB0EF6321171982FBC5C9CB2E7D919A84BC352

Function 00007FFB4B015F10 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eaff5d36f33eb9173c0e0e0d6285ef7f3b7f9d0fa17af785b3b09cc8233f01c
Instruction ID: 653942a0e1d275ef6681dda77af5cb8557777e96b0bddd1d664368e7a024c6f5
Opcode Fuzzy Hash: 6eaff5d36f33eb9173c0e0e0d6285ef7f3b7f9d0fa17af785b3b09cc8233f01c
Instruction Fuzzy Hash: FCE1B47590CA1A4FEB9CEF24C8516B973E1FF54305F1045B9D51ADB2A6CE36E842C780

Function 00007FFB4B0110B9 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e980cf926435a63cf03ffb55cb13512fdc6c9449d7c2a2a88a985d045286708a
Instruction ID: 32860d12e603a1ffda9e2ff96d6b17af496a3afe7e0a6601a484db113c3a2449
Opcode Fuzzy Hash: e980cf926435a63cf03ffb55cb13512fdc6c9449d7c2a2a88a985d045286708a
Instruction Fuzzy Hash: 31D125A2A0DA8A4FE39DEB3CC95867477D2EF99202B4981F6D04DC73B3DD199C068341

Function 00007FFB4B016B20 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d980a8f1dfbd661555c31f51b4b1fc1109e081c26b5f4809b6634fc54da2780
Instruction ID: 644d915803d068ecb6ebb0d086cb7ad16724bd67f7cf20ad4a4e4380d1e68320
Opcode Fuzzy Hash: 0d980a8f1dfbd661555c31f51b4b1fc1109e081c26b5f4809b6634fc54da2780
Instruction Fuzzy Hash: 31C1557191D9064BEB1CAE38C8911B973D2EF94312B2481BDD58FC76E2DD2AFC468780

Function 00007FFB4B018CF5 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3347973aaf891ac608aae9dd213dc2e1d90b5f32499f0fb85dc178f59072a8ff
Instruction ID: 5b12b446c823bc6183aae9565b5e9435ce5feff17116b5d3f89f458661c11be1
Opcode Fuzzy Hash: 3347973aaf891ac608aae9dd213dc2e1d90b5f32499f0fb85dc178f59072a8ff
Instruction Fuzzy Hash: 82B124B190DB458FE32AEF38C8515B07BE0EF5531570481BAD58EC72A3D926B8078791

Function 00007FFB4B01C9B8 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759dc9338b1e3e6e27ef66b844fe4a1956923156f6b9005da507cf66f737f0e0
Instruction ID: 2c330699f0a403ef59f8173a8dde1129e66810ab4872d2fc079622c13a29ca1b
Opcode Fuzzy Hash: 759dc9338b1e3e6e27ef66b844fe4a1956923156f6b9005da507cf66f737f0e0
Instruction Fuzzy Hash: B3B19C7060D6498FD76DEF38D8555B53BD1EF56301B1440BDE48ECB2A2DE26E802C791

Function 00007FFB4B018E00 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1143283dc8eba58628864b56a0224ec5e0db71d2cb32cfc25292b574fd03877c
Instruction ID: 89663bc51fd2163962b31368af52b6790a052a951825378c2b12b3df5744ac8c
Opcode Fuzzy Hash: 1143283dc8eba58628864b56a0224ec5e0db71d2cb32cfc25292b574fd03877c
Instruction Fuzzy Hash: 7CA1FFB0A1CB454FE32AEE38C8415B1B7E1EF55305B1485BDD58BC76A7DA26F8438780

Function 00007FFB4B010610 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e1f4694b6a565414a9f1a7163b35436ad68ac9d171f3498e0caae101a9c698
Instruction ID: ec2c755db556a06055523ad7366f797d4a0b32535104b6f119e60838b55219c5
Opcode Fuzzy Hash: f3e1f4694b6a565414a9f1a7163b35436ad68ac9d171f3498e0caae101a9c698
Instruction Fuzzy Hash: 0B91A170A0CA4D8FDB59EF6CD855AB8BBE1FF59311B0441BAE04DD72A2CA25AC42C741

Function 00007FFB4B0104D0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612cdf597e52e43c7292eb05578347619cd7441c26c6eeee0b4ca682caf49375
Instruction ID: c44c1c45a81a19be6ea1e733c4637e480f2d445560609409920f38fb0d8fd8d8
Opcode Fuzzy Hash: 612cdf597e52e43c7292eb05578347619cd7441c26c6eeee0b4ca682caf49375
Instruction Fuzzy Hash: 3481C370A1CA4D8FEB98EF38C8557F937E1FB59311F14817AE84DC33A2DA6598428781

Function 00007FFB4B0176F2 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6e8066dd2b687109a2b51e03a3e44615a21dcdeccbe10492b54f4b5dede15c
Instruction ID: dab9544d43935a5ffa4485299f6b4454d0622cd8c336d18582b155907957ac6d
Opcode Fuzzy Hash: 8b6e8066dd2b687109a2b51e03a3e44615a21dcdeccbe10492b54f4b5dede15c
Instruction Fuzzy Hash: 239180B190DA8D8FDB89EF68C454ABC7BF1FF55301F1440BAD149DB2A2CE29A845C750

Function 00007FFB4B0223A5 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6abbc45c117e276c392bd5b5346b5f4c2905375a5ca201bb6f50aedb5f942617
Instruction ID: 0d9865ac22c2d26826862bd87107a61dc256cce501d76e32d4f13726b2bb52b5
Opcode Fuzzy Hash: 6abbc45c117e276c392bd5b5346b5f4c2905375a5ca201bb6f50aedb5f942617
Instruction Fuzzy Hash: 77711471A0CD4D8FDB89EF6CD855AA97BE1EF59310B0441AAD40DC72A2CE34AD46CB81

Function 00007FFB4B0181C0 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a069830ef178db41fbd03a8fb7acc0cd6ba5a4bd87cbbf0015da6fa4bb0b59e
Instruction ID: 242cf08ad05ec8d1e48017ba15d208d76f0c2ae88b755352872d40c3550962b1
Opcode Fuzzy Hash: 1a069830ef178db41fbd03a8fb7acc0cd6ba5a4bd87cbbf0015da6fa4bb0b59e
Instruction Fuzzy Hash: 7D71C27190C9098FDB48EF28D855AF977E1FF59301F1441AAE44EC36A2CE25AD46CB81

Function 00007FFB4B0223C0 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b228b99c85cc7e09a27ca91bfd676b6d96ce2854eb7ae0b947dad104d6b409
Instruction ID: 1e8b2d259da301a51c7b2d5e8a711910032f958c9cfecac879f24cba29d7d27b
Opcode Fuzzy Hash: 63b228b99c85cc7e09a27ca91bfd676b6d96ce2854eb7ae0b947dad104d6b409
Instruction Fuzzy Hash: F7710271A08D4D8FDB89EF6CD455AA977E1EF59310B0441AAD40DC32A2CE34AD46CB81

Function 00007FFB4B016156 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79061afc59d8efb1b635afcc6068726d731ee037231ec9e5215c670f2b13dd8
Instruction ID: 96c506d5d9c729d0a3e61d6845447261b6940a00cfec0f43b1fab7eadcf8451e
Opcode Fuzzy Hash: e79061afc59d8efb1b635afcc6068726d731ee037231ec9e5215c670f2b13dd8
Instruction Fuzzy Hash: F281927591C91A8FEB88EF24C851AF973E1FF54305B1041B9D51ADB2A6DA36F842CB80

Function 00007FFB4B01C49A Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79602612a16c607fcef90ce368f9d9ccd8e394a51248aa14147b9b64be7ece37
Instruction ID: 5c1bc5890542b9a0dcb098c302338c2bfbea912086188e0adef50e5982ce8b20
Opcode Fuzzy Hash: 79602612a16c607fcef90ce368f9d9ccd8e394a51248aa14147b9b64be7ece37
Instruction Fuzzy Hash: C971B170A0C9194FEBACEE2CD45577977D1EF59342B5480BAE18ACB3A1CE25EC418781

Function 00007FFB4B0132B0 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99112071f8b461452d7a767310906cb01f169819957131fc79d4a3df6170d9d
Instruction ID: 46ab8a77f5b40baceab1968bcf5d332689ef432c6b4a1110093c711eb7d390c4
Opcode Fuzzy Hash: b99112071f8b461452d7a767310906cb01f169819957131fc79d4a3df6170d9d
Instruction Fuzzy Hash: E871D1B0A1CB454FE72DEE28C9419B1B7E0EF55305B1085BDD68FC76A6DE26F8438680

Function 00007FFB4B01ADDF Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84eab2aa4a212ad0774e78ff60b3c84d0f04eda78b7492ac833bf57fbf02a3f
Instruction ID: b5ebd242755929a29250925a170d1e0fc907f1879f35c2eb2f2658c932515bd2
Opcode Fuzzy Hash: b84eab2aa4a212ad0774e78ff60b3c84d0f04eda78b7492ac833bf57fbf02a3f
Instruction Fuzzy Hash: DF7128B1A0CB864FE34DDF28C491175BBD2FFD5302B04867ED1DAC33A6DA2598028781

Function 00007FFB4B01C14D Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5918988093ce81a326779f7cbfe578610411e272c8a2012b7c0398a0200933
Instruction ID: 5325e6c44d65814f1e46262b0f1c8b200d7116336da1983a765b7b306deccbde
Opcode Fuzzy Hash: 7e5918988093ce81a326779f7cbfe578610411e272c8a2012b7c0398a0200933
Instruction Fuzzy Hash: F3513A7161D7884FD35DAA3CC4510B67BD1EF86711B0447BEE1CBC7392DD2AA8468391

Function 00007FFB4B022EC5 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817972733425e863504976e4afe6087f65c45af0d13cef1d19a27fc106e894ae
Instruction ID: 6021588681227e8675d452fe9b55909e08778fdc6845264b4b9e76c9aee9136d
Opcode Fuzzy Hash: 817972733425e863504976e4afe6087f65c45af0d13cef1d19a27fc106e894ae
Instruction Fuzzy Hash: 1951A57090CA4D8FDF89EF28D465AA97BF1EF5A301F1900EAD40DD76B2CA25AC44C791

Function 00007FFB4B012B1D Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22889ca538afcb9778da2d2defffe9e36e87e87dbc15e4ef3c996e57ed540b5e
Instruction ID: 739f6035a2fb198e63c130a662e464175e2790cc44ffe94e98465e1bdbffd47b
Opcode Fuzzy Hash: 22889ca538afcb9778da2d2defffe9e36e87e87dbc15e4ef3c996e57ed540b5e
Instruction Fuzzy Hash: 9151F571B1DA498FDB8CEF38D8952B877E1FF99301B1440BED54EC76A2CE29A8058750

Function 00007FFB4B012B40 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2b77d908004fecb46d8965efe843eab3d0bb64af4ac4e0ec5d78afe31499e6
Instruction ID: 62a74ddc5196c5b4c3b086be7f8fe1bf30d5b33c3df4fa7c3705e0c5ccb980dd
Opcode Fuzzy Hash: ab2b77d908004fecb46d8965efe843eab3d0bb64af4ac4e0ec5d78afe31499e6
Instruction Fuzzy Hash: 8441F470B19A0D8FDB8CEF38D8952B877E2FF99341B1440BED54EC3692CE29A8058740

Function 00007FFB4B01A2E8 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0e293817b181640875133c78eedb2637d2d3f701b6f089c5b37c707d4aff6a
Instruction ID: 96ddccb2e03316a0712e11f4e77fd40ed72b38d05f29918fae699bda488023b7
Opcode Fuzzy Hash: ef0e293817b181640875133c78eedb2637d2d3f701b6f089c5b37c707d4aff6a
Instruction Fuzzy Hash: E731069585E3D60FE3076B7089601A03FB1AE1365174A82FBD1D4CB1F3D54E284BC722

Function 00007FFB4B010508 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210562c2d2caa57afa154c53983e38af1e868dcab53c1abc3b7cac3db3f17f07
Instruction ID: af61f63425ed0bbdee44c71c43e28e26c4582bc66a9608a3b83213d0b2095212
Opcode Fuzzy Hash: 210562c2d2caa57afa154c53983e38af1e868dcab53c1abc3b7cac3db3f17f07
Instruction Fuzzy Hash: 1041E370A1891D9FDF88FB6CD599EADB7E1EFAC311F040165E00EE32A1CA65AC418B50

Function 00007FFB4B018250 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b1f89e6a11af00dee2ee96891042742b49b59d3056f96c65d4bc2dd547b36f
Instruction ID: a2da957924c2b95d0e3e535046a2669fc83ee607373fbab89932620a1129ed4c
Opcode Fuzzy Hash: b2b1f89e6a11af00dee2ee96891042742b49b59d3056f96c65d4bc2dd547b36f
Instruction Fuzzy Hash: B1414D70A08A1D8FDF89EF28D595AA97BF1EF5D341F1400AAD40ED76A1CA31AC44CB91

Function 00007FFB4B013B68 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36dd079583202abafeeb12795951b7af9a098674e771278dd1ed7f290a95645
Instruction ID: ff61c8b405baa9671111003b33afe617792194775cf12004e9ea8f8aab32ef22
Opcode Fuzzy Hash: e36dd079583202abafeeb12795951b7af9a098674e771278dd1ed7f290a95645
Instruction Fuzzy Hash: B94117B050D6954FD70DAB38C8545B57BE0FF96302B4441FEE4CACB2A3DA19D642C781

Function 00007FFB4B012EE9 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d658c471ec4a14f6c42eb1feea6309302201997680ede9551bf5112b9b07a1
Instruction ID: 3b6046a703451ef12da1c77bcd91692acb9030e512df03382b77238d4ebf0b88
Opcode Fuzzy Hash: 58d658c471ec4a14f6c42eb1feea6309302201997680ede9551bf5112b9b07a1
Instruction Fuzzy Hash: C2412B92A0DA8A4FEB5DAB38D8653B83BD0EF85312F0480BFD549C72E3DD1D58459351

Function 00007FFB4B0E10C9 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543526582.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b0e0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc07064fce826122774e51ef8e81f6d180a7138d56784b5e52d605fb54c2770
Instruction ID: 15343b6c18346ff4fefbe4f345c0dbd9cd4bcc285fb22faa20f99e2e6ee18378
Opcode Fuzzy Hash: fcc07064fce826122774e51ef8e81f6d180a7138d56784b5e52d605fb54c2770
Instruction Fuzzy Hash: ED4128B590CBC95FEB56EF24C8914A87FE0FF26301B0545EED089C72B2DA24A851C381

Function 00007FFB4B010E9D Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06a829f3b4c15838dac1a9d4d8048be047a9b6f8099225d533504380ee1f095
Instruction ID: 10ea50ac49476f0523192eec1c33618fae681a31689ef837c577a8cdf2279512
Opcode Fuzzy Hash: d06a829f3b4c15838dac1a9d4d8048be047a9b6f8099225d533504380ee1f095
Instruction Fuzzy Hash: B741686071C9550FE78DFA3C95623B872C3EFD9345F6440BAE14AC73E3DC5AA8428252

Function 00007FFB4B0180F0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e33eda26795fcf40d2e479dbb5babeb8607f40f55c725669cf7ca8fc31acf7e
Instruction ID: e9fb64b10e5c5bfabd0b2d2f651a8a414a3c437f681f2989b9c5d423ad3ea53c
Opcode Fuzzy Hash: 9e33eda26795fcf40d2e479dbb5babeb8607f40f55c725669cf7ca8fc31acf7e
Instruction Fuzzy Hash: BF415D7161D91A8FEBA8EF3DD494B7437D0FF59302B4540BAE14ACB2B2DA26EC408750

Function 00007FFB4B018248 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da82c15853282fac493979a1c0da41b0be50f0a21a23251fa733172fd2d59cdd
Instruction ID: 26afc23b0a9b65391605174ebe9fffb9855894f3afafe0ae086b3bd733b81610
Opcode Fuzzy Hash: da82c15853282fac493979a1c0da41b0be50f0a21a23251fa733172fd2d59cdd
Instruction Fuzzy Hash: 91418D70A08E1D8FDB89EF2CC458ABA7BF1FF19341B1405AAD409D72A1CB31AD44CB81

Function 00007FFB4B01A305 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220ff8bed66d7f21bf3b0502a0298761daae3455481a463137814b9c70536ae4
Instruction ID: 0d3ef705fb2f3cbc176aa3df0f6376964b29bd6aab35bb1d5816c733078dbf78
Opcode Fuzzy Hash: 220ff8bed66d7f21bf3b0502a0298761daae3455481a463137814b9c70536ae4
Instruction Fuzzy Hash: 7031F4A585E3D60FD3076B7189A00A07FB1AE2325175E82FBD1D4CB2F3D51E684AC722

Function 00007FFB4B01B365 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a9a27c27656c853bf6f6d23ec2801060707d7d6e4f0c6840dd0df1ca3c1858
Instruction ID: 3ba1cba5113d486fa0253eeb4d659481ab20c63731650d1fc374e5619769001c
Opcode Fuzzy Hash: 27a9a27c27656c853bf6f6d23ec2801060707d7d6e4f0c6840dd0df1ca3c1858
Instruction Fuzzy Hash: DF31187060CB854BD30CDF28C8424B5BBE2FBD6202B148A7EE1C6C33A1DA35E545C782

Function 00007FFB4B024703 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891f6a269a759071f43a1ddc34d4a8907ea262560a4804eb157a968754250c87
Instruction ID: 46bd0029988321d15df821f12acd75bdad1599fbc03a16d5c1ded93d21926902
Opcode Fuzzy Hash: 891f6a269a759071f43a1ddc34d4a8907ea262560a4804eb157a968754250c87
Instruction Fuzzy Hash: DE415BA284E3C25FD3078B309CA65567FB0AF13205B1A45EBC1C5CF1E3D618A90AC763

Function 00007FFB4B01D868 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbad254477a572db105941b2fa86defed73d135034bfd890e5dd52d1f4ce22e4
Instruction ID: 75e11ab21efe3279b638ff960733d10505db9edb327524d63e098a02c935b3e5
Opcode Fuzzy Hash: cbad254477a572db105941b2fa86defed73d135034bfd890e5dd52d1f4ce22e4
Instruction Fuzzy Hash: CD212561B19A095FE38CEB7CD8997B877C2EF9C202B4402FAD80DC73A2CC159C468351

Function 00007FFB4B024C2B Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f183a0ccee2dd6d7548db740871659a07e455daff8644329b675c4003d353f8
Instruction ID: 4facf480fcdd754eaf93bd07cb54aced6613cc82fbfa79a3733853d33ce5295a
Opcode Fuzzy Hash: 4f183a0ccee2dd6d7548db740871659a07e455daff8644329b675c4003d353f8
Instruction Fuzzy Hash: 9C314F7150D3C19FD30BDB24C8A19667FB1AF57201B1945EFD586CB2E3C928A849C762

Function 00007FFB4B018870 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fa942996e17af2242e92aa1156368df08dc3c14bdc268f16da55fcdeec8704
Instruction ID: fbb161c84a8b7648e374b255c2a89f46fb3d7c5faf76295af7d734735d55294e
Opcode Fuzzy Hash: 82fa942996e17af2242e92aa1156368df08dc3c14bdc268f16da55fcdeec8704
Instruction Fuzzy Hash: 59212261B199095FE38CEB7CD89977977D2EF9C202B5402FAE80DC73A2CC159C868350

Function 00007FFB4B01B3A6 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41ac0ffd52dad2b69f3da627ff53099ee361691bcf558e4f23aa833ed152b1b
Instruction ID: e2296b519a451b5f66fdbf7e61fb249670fe81874c48d27cd77cb4ca31300682
Opcode Fuzzy Hash: d41ac0ffd52dad2b69f3da627ff53099ee361691bcf558e4f23aa833ed152b1b
Instruction Fuzzy Hash: 9E31E17060CB854BD30CDB28D4455B6BBE2FBD6212B148A7EE0CAC33A5CA34E441CB82

Function 00007FFB4B017189 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57541e0a4a6f0a002dbf5e8a495d06a33e146c5f9c0317f5b1a135ba289b3ae7
Instruction ID: 6e88f4c13413e25a096364e5c359abd3b6ef9d762c43376bb03b0694dfdcd55e
Opcode Fuzzy Hash: 57541e0a4a6f0a002dbf5e8a495d06a33e146c5f9c0317f5b1a135ba289b3ae7
Instruction Fuzzy Hash: CD2149B150C6964FE34AAB3498511F53BE1EF85316F0441BAE488CB2F2CA1ED682C391

Function 00007FFB4B013E2F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1907887f691b7004c65d682a33746b5ba15a55689c28434078b60301c9e9ff
Instruction ID: ca61447063679b05a6193e11565a80a691bccdda5e3c73678f9f1fd490e6f650
Opcode Fuzzy Hash: bb1907887f691b7004c65d682a33746b5ba15a55689c28434078b60301c9e9ff
Instruction Fuzzy Hash: 2C21D47070DA0E5FEB5CFD38E8954B973C0EB59321B10457EE58BC36A5DD25F8828680

Function 00007FFB4B012D7D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3964e286148574b0553d13b85520dc83a54e39c7b2a483a446b48975ff5c0818
Instruction ID: 2d905436b9b85bdd485caf592588d0e509c857aaac45e2e0399c29ec5f5ea6f2
Opcode Fuzzy Hash: 3964e286148574b0553d13b85520dc83a54e39c7b2a483a446b48975ff5c0818
Instruction Fuzzy Hash: 8721AE70A09A4C8FCB89EF38D8616A97BE1EF5A341B0500AFD509D76A2CB25A804C751

Function 00007FFB4B01D799 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4ec93be10b16e4bf9582acd97ec087cf8fdec73cb2ea3047743ae4ee8eb8f3
Instruction ID: 00d6b7448f0214062b9c93b3f3e9bc83b2ab4eb5e14ddcb456b0be4f32dc0731
Opcode Fuzzy Hash: 8d4ec93be10b16e4bf9582acd97ec087cf8fdec73cb2ea3047743ae4ee8eb8f3
Instruction Fuzzy Hash: 6E21C6B2A1CA0A0FE3ACFE7CE4461B577C1EB54212710827FE54EC33A1ED16AC468291

Function 00007FFB4B01BA59 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b7bd6af15622a0e8777264a79256326434b3995279a947fe8a2e887dede20a
Instruction ID: 8855920af052bd54e46d3931b3607180ced58099a160e2cedd9407ea2d35f9eb
Opcode Fuzzy Hash: 85b7bd6af15622a0e8777264a79256326434b3995279a947fe8a2e887dede20a
Instruction Fuzzy Hash: D421077061DB854FE35AEF38C494071BBE1FB9920571885FED48AC33B6EA26A842C740

Function 00007FFB4B010FED Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1064c9bc638a5bc2286271e1aaed1aa925dd4cacf9200139ea2569d0a726d8
Instruction ID: c6532ebd8306b850877bd7ece1c50fc0f8f11d101da822bfe297ee8271f496a5
Opcode Fuzzy Hash: be1064c9bc638a5bc2286271e1aaed1aa925dd4cacf9200139ea2569d0a726d8
Instruction Fuzzy Hash: C5213B61C0DAC64FE31F6B74C5125F43BE1EF82201B0981FAD58CC72A3DD5EA8198341

Function 00007FFB4B024DB8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1e674af138d288933ee1fd7c0e0b91b36ba9f97181df44277ea2d4b9fd8209
Instruction ID: 172001938fdddf49623132b241bff591bdcbcb8321c17086b4b7238e9c349fe5
Opcode Fuzzy Hash: 2f1e674af138d288933ee1fd7c0e0b91b36ba9f97181df44277ea2d4b9fd8209
Instruction Fuzzy Hash: 1611083250D6444FE31DAA799C894A57BD2EB9733032582BEE086C72B7D829E847C380

Function 00007FFB4B014785 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5806b7b5cf3bc0a3d7b8eb7d98a38cc8291c15ca7a9c4d093268376459678d
Instruction ID: e01637adeaa95a77bbc894387705f8411871fd428d32a229562d1749b08053e8
Opcode Fuzzy Hash: 6f5806b7b5cf3bc0a3d7b8eb7d98a38cc8291c15ca7a9c4d093268376459678d
Instruction Fuzzy Hash: 0D215B7160DB884FC386EB3898541767FE1EFDB221B1902ABE48CC73A3D9249941C792

Function 00007FFB4B024308 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb9165b10eb045a90b5681074b443b3b3d0032c6be6667704b4920f8f5eb1f9
Instruction ID: 620e4518080b5149927078fc9f87a40db5750d9328f96b0e28e2de951d51c801
Opcode Fuzzy Hash: 8fb9165b10eb045a90b5681074b443b3b3d0032c6be6667704b4920f8f5eb1f9
Instruction Fuzzy Hash: BC112571A1C1481F972C9D388C1A17BB79BE7C6211B12C33EE987C2396DE20980382C2

Function 00007FFB4B024BD9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2532eaeaf9b8ada54699d60407a0e430d329841e5a91bad32c3ae76a2e0a02
Instruction ID: bd3ff138087445b0770de9d168ab02b3298c28a5800c2a55669fe706d6e7c307
Opcode Fuzzy Hash: 8b2532eaeaf9b8ada54699d60407a0e430d329841e5a91bad32c3ae76a2e0a02
Instruction Fuzzy Hash: CE215E6141E3C15FE30BAB348C615667FB0AF03205F1A44FBD682CB2E3D518A919C362

Function 00007FFB4B022E21 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb605639d3fc340cff7adb004f05330a7a367ef4b28b1e093b32f584bfda655
Instruction ID: 321817bfbd16d7c20336683b7ad980ab8866fdfbd4b70383c281422e02dbf6e4
Opcode Fuzzy Hash: 0eb605639d3fc340cff7adb004f05330a7a367ef4b28b1e093b32f584bfda655
Instruction Fuzzy Hash: 0411A2A090CA494FE785FB78C4582B9B7D0FF58315F0445BED88DD72B2DE19A9428741

Function 00007FFB4B0180E0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e63bcfc185d94d4f953572e65c37a7958fdb2da7c8138bccf8ffa02e6231c9f
Instruction ID: 355b07e97cd18abc15c79737c726c375fc3f9628f577a32955329e1d987c3b16
Opcode Fuzzy Hash: 5e63bcfc185d94d4f953572e65c37a7958fdb2da7c8138bccf8ffa02e6231c9f
Instruction Fuzzy Hash: B111E070A0CA094FD76CEE38D18497A33E1EF98316B50463EE44EC72A0CE2AE8418741

Function 00007FFB4B0125D6 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae22ca5afdd12ebe9183ef4e20d185fb79c6301e2098e66e04a3a41d5daabbc9
Instruction ID: bf74cd063b2c0a84fa9772b471f6fb5afd86d59463f19c2b934d9d2eba740983
Opcode Fuzzy Hash: ae22ca5afdd12ebe9183ef4e20d185fb79c6301e2098e66e04a3a41d5daabbc9
Instruction Fuzzy Hash: 9C11ED6148F3C21EE79357B499655927FF69D87020B0E81EBE6C8CE4A7D18E484EC362

Function 00007FFB4B013B60 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80480906fc274e63f165c14153310326ce7ad5eec22ef196dd9711a1107ca564
Instruction ID: 820db6b5c4589dbb77bdecf5dc8e04dfe8a4cab3b073328bf08dda400c6adaea
Opcode Fuzzy Hash: 80480906fc274e63f165c14153310326ce7ad5eec22ef196dd9711a1107ca564
Instruction Fuzzy Hash: 2D1130B1E0C50E8BDB59EF68D5416FEB7F5EB44301F10813AE219D2390CA3569418B81

Function 00007FFB4B025378 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29076ec13ef1b29f1dc49d6e1c3780ff8cebcdb5db06b4f76b6d4ec160be5244
Instruction ID: 277b47795f4874e12b1dbab2df78ab1369ef62f67919dfb6770b561c280a9a3a
Opcode Fuzzy Hash: 29076ec13ef1b29f1dc49d6e1c3780ff8cebcdb5db06b4f76b6d4ec160be5244
Instruction Fuzzy Hash: EB01A15191D7C54FD71B9B3C8862061BFE1EF5721570985EFC4CAC71A3CA84A846C396

Function 00007FFB4B0243CC Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f93a59bb425d5c54cae680bc1a1b8b7948d8e9fc51c112006234c16aa4269b
Instruction ID: 2fc568c79413ea207425142a4e1988361932143bca2dbc6c4e544b754408eb43
Opcode Fuzzy Hash: d5f93a59bb425d5c54cae680bc1a1b8b7948d8e9fc51c112006234c16aa4269b
Instruction Fuzzy Hash: 9301F570B182418BDB1CAA28C55613E33A7F7C2306F20C63ED2C3863E9DE349806C746

Function 00007FFB4B01D96C Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf5f3ca69d28931172314392009f986b3361b92b49b61169ef20c780df3eed0
Instruction ID: 0d8d2480b70c60f99618af2fbec2a043946d471959e4f1af0d6f3ee13cbc7107
Opcode Fuzzy Hash: bcf5f3ca69d28931172314392009f986b3361b92b49b61169ef20c780df3eed0
Instruction Fuzzy Hash: 86F0F652B0CDA70AE3AD9E7C69512782BC2DFC515270882F7E54CC63EBDD0A8C4352C1

Function 00007FFB4B01C301 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9782b513129b254560e8a233aa2ea2239b55f3b9a7c986b1ddf532fda172cf
Instruction ID: 08762ea177d35a495d29c6bfcfca1e0f2b93f4192a5a41cbef9079b77c76df82
Opcode Fuzzy Hash: 9a9782b513129b254560e8a233aa2ea2239b55f3b9a7c986b1ddf532fda172cf
Instruction Fuzzy Hash: 2FF0F67165CE894FC7A6EB3CC4905A177F1EBA521030946BBC08AC76A6DE18E8478381

Function 00007FFB4B018878 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689e8f485b30ec6cd66725f2a87805ca5b0c947399447a5adb32b67f10f3ae88
Instruction ID: a78221aaf28ed46a96e2d2ab16351a8334a54486a5c7e47d7a3e54affb5c3482
Opcode Fuzzy Hash: 689e8f485b30ec6cd66725f2a87805ca5b0c947399447a5adb32b67f10f3ae88
Instruction Fuzzy Hash: BFF0BB92B0CD6B06F3BC5D7C795127916C2DBC965270482F7E54CC53DADD069C4322C0

Function 00007FFB4B016628 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402b062a3052f1d6de7b4d23dd486b6e0e80cda5e68c6395980d860f64c6f6b3
Instruction ID: d540e3eff9d873d6f684e8f366467df65a6b51875ccb3b43d07a1fb292cba51b
Opcode Fuzzy Hash: 402b062a3052f1d6de7b4d23dd486b6e0e80cda5e68c6395980d860f64c6f6b3
Instruction Fuzzy Hash: 6FF0286191DB568BD759FA3CD4020F5B7D0DF45215704867BE8CED3252CE54B84202C6

Function 00007FFB4B0117D2 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85483cde2540b983a3d1478a1cc75f5fb826cb417fac8f7688a0247f1eef363
Instruction ID: 4435f95d2cc06e73587257eb0399673a8c15502f760b038828d6c6f7f253e198
Opcode Fuzzy Hash: b85483cde2540b983a3d1478a1cc75f5fb826cb417fac8f7688a0247f1eef363
Instruction Fuzzy Hash: DBF0B4B140D10C5EF71CAE15ED067F633A8FB46235F00402EE58E81062E67A68678751

Function 00007FFB4B024EB5 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e298ef0550d288775a067c9f1eb04f786a5a0912fb348275cb89c8b0b6097e6
Instruction ID: 408d04ced1acf91306e0d35195e6d66700cf0e3537262288975b14aedd407549
Opcode Fuzzy Hash: 2e298ef0550d288775a067c9f1eb04f786a5a0912fb348275cb89c8b0b6097e6
Instruction Fuzzy Hash: B5F0AF326085068BE71DBE38CA451B83262FB80311B61853DD18BCB3FADD39EC058640

Function 00007FFB4B016638 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9efd4128601ff8b927ac8838c781ba7e1e69faefd2b370784fe31d6584c946
Instruction ID: b4fd61fbbb79d1ff5c3687be254bde2ebfb2bd8cc3e39e54db122dbbcf3ffc7a
Opcode Fuzzy Hash: 4d9efd4128601ff8b927ac8838c781ba7e1e69faefd2b370784fe31d6584c946
Instruction Fuzzy Hash: B8F02E71E18F594B975CEE3CD80617577C1EB493117008A7EA89ED3361CE64FC4202C6

Function 00007FFB4B0127B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf1817d7b9face9ba64706cb276f61343e69c57e6bd7c3a982b54a16b7a271d
Instruction ID: 079dbbcb44fffddff4729427d60c706b1e34517c5bec164b306b7232d0dadee1
Opcode Fuzzy Hash: acf1817d7b9face9ba64706cb276f61343e69c57e6bd7c3a982b54a16b7a271d
Instruction Fuzzy Hash: 51F0A03561CD0D8F8AB9EA3CD444A7673E2FBA832131546BAD44EC3668DE25FC428780

Function 00007FFB4B023E31 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b883fb97bb40f8287a71d11807da547ccfb89ebf4562344fcca59025451a23f1
Instruction ID: 2981acd7676cf059054f7d44a6626beec1ae7ad865aef5070a813471b34e6837
Opcode Fuzzy Hash: b883fb97bb40f8287a71d11807da547ccfb89ebf4562344fcca59025451a23f1
Instruction Fuzzy Hash: C1F0F622F0C50A4BDB2DED78D5515657392D7A4321714837A8107C27E4ED24BD4A4680

Function 00007FFB4B0240D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffac887d2ff81ff384a62ca35642d3d555f269476da49872829cc8d814776608
Instruction ID: 0b8102a3100bcb41f85d45b8a527fbe73b40ef84c35bbfafb09543670b8718d6
Opcode Fuzzy Hash: ffac887d2ff81ff384a62ca35642d3d555f269476da49872829cc8d814776608
Instruction Fuzzy Hash: D6F0E2B160CA0D4BC71CEE64C9A05A5B282E7D4355B044239C202C73A5ED65AD428380

Function 00007FFB4B02353C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d3990500e59cb1eb7e66adb165d85913e540cd665fa2b373c2ab9953c1ec04
Instruction ID: 07bcee96326ea1c7f8bdbae9969c621d927e2d0053be0309ce52ee978c7a8d60
Opcode Fuzzy Hash: e3d3990500e59cb1eb7e66adb165d85913e540cd665fa2b373c2ab9953c1ec04
Instruction Fuzzy Hash: BCF0A031B0C21A4BCB1EBA28861546972CBD399721B24C27EE54ACB3EADD34AC4646C5

Function 00007FFB4B012AE0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389abd5aa9feec19368325e326303bb4e6c8be9497f068fec780028322145648
Instruction ID: d601eb83ec66dd23ab2505634fce16236310f98cb0967f4adfd20aa9d9818ad4
Opcode Fuzzy Hash: 389abd5aa9feec19368325e326303bb4e6c8be9497f068fec780028322145648
Instruction Fuzzy Hash: E6E0DF30B1981C8FCA88F73DA84956832D1EF8A31274405F5F40DC73A6EC39DC418380

Function 00007FFB4B0249A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a300b60f7f9198679bf257be15eba54414f7b0b29bdefc07fcc2d675561a49
Instruction ID: a5093bc9340dddb8e96eef6d8b54a2cc744e6cfb5d657d9e1a911c90d2d1220b
Opcode Fuzzy Hash: 72a300b60f7f9198679bf257be15eba54414f7b0b29bdefc07fcc2d675561a49
Instruction Fuzzy Hash: 07E048B192C60547971DDE38C99757973D3EBC5301B61943DD187426E5CC1478064643

Function 00007FFB4B02494D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e8556ba60a9df4337eb34f309f5a88f987a7dfbc0514622532fc02efbc3fcd
Instruction ID: 4297cabf64d2cd1e56eb0b39a0d256e04d7bede2eacfa503bb67cd4268f3ea94
Opcode Fuzzy Hash: 64e8556ba60a9df4337eb34f309f5a88f987a7dfbc0514622532fc02efbc3fcd
Instruction Fuzzy Hash: 34E08670A1C7055B875CDE29C49643AB7E2EFC8701B21943DA1C7436A5CD20B8058543

Function 00007FFB4B01CE03 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bced5ec0a98990d0d7c3152dee1873996cdb963cf1cd6030705795ba39cfcd00
Instruction ID: 98a417d5f1e387bb7e72c1a5cd17dc1f9ead70329d2f5d15b3466c7cc1c2280e
Opcode Fuzzy Hash: bced5ec0a98990d0d7c3152dee1873996cdb963cf1cd6030705795ba39cfcd00
Instruction Fuzzy Hash: 7DD0A7B261D4024AD338894CFD85470E390D784161720423ED106863A0D457589242C0

Function 00007FFB4B024ADB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137a966db977ba99325b3a83dac5dbe8295adc51688dc98074eec2b1e5938494
Instruction ID: f2ca40dc89d7167154962791e0a4f2bb7381ab434eae5929b524bed026c54160
Opcode Fuzzy Hash: 137a966db977ba99325b3a83dac5dbe8295adc51688dc98074eec2b1e5938494
Instruction Fuzzy Hash: 25E0C270A1D7859BC3199A38D80252C37E5BF82611B6542ADFD86536D3CA25DC81C3C1

Function 00007FFB4B0249AC Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4b21090b6554ba9e3f1c9d2b2549120ebe6c5f8f32569720536a5fb1b19669
Instruction ID: 3cd8befbcd5029843697a5f7bdaa13965762c7aa70eeaf9bdf4e5a98b7bccea4
Opcode Fuzzy Hash: 3b4b21090b6554ba9e3f1c9d2b2549120ebe6c5f8f32569720536a5fb1b19669
Instruction Fuzzy Hash: B3E0CD71D1C60787CB2DED34D5531BA7385BB50302F10983ED2C7816A5CD2478058783

Function 00007FFB4B0235CD Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a6c3549b087e699d174dc7a7778ba4529c5b7563302c6237f316bca0049e12
Instruction ID: 293d02072b42e4a34a41b614b16113316a1003f68c7fcd3e8cd3852a7d8ef890
Opcode Fuzzy Hash: f3a6c3549b087e699d174dc7a7778ba4529c5b7563302c6237f316bca0049e12
Instruction Fuzzy Hash: 2DE0C2D2D2C2620AEA1F3AB4552607C7E656F4B500B1A44BAD6CA4B2E3AE486C0A0087

Function 00007FFB4B013D10 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fccaba93f86de1aa9c53927d5a5fc512b7da1192b01e9a975c92fb805e32763
Instruction ID: 36799ad3943e440830000a2bc102c7780eefe9af25bac595e48481f5e6dea944
Opcode Fuzzy Hash: 1fccaba93f86de1aa9c53927d5a5fc512b7da1192b01e9a975c92fb805e32763
Instruction Fuzzy Hash: D7D02B3041E6445FC348FF30C49182577E1FF86241FE046A9E444CB360C23B9441D701

Function 00007FFB4B023C14 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e5c78ed30c46730af6b22cf99d713f0bcee7fdee83b424f45e9abb22f278a2
Instruction ID: d5fe04eff2e00b7aa9d8f3d82a1f88dbd5686313ac0bc3a9023eabf96e330bbe
Opcode Fuzzy Hash: 58e5c78ed30c46730af6b22cf99d713f0bcee7fdee83b424f45e9abb22f278a2
Instruction Fuzzy Hash: 78D05EB47193098B920C9E38C65603977D1EB88605B10417ED28F423A1CD22BC0AC646

Function 00007FFB4B0249DC Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01aac003771090fe56974cec5906d435ace7fd4f0484a10e1b53dabce63bf6b5
Instruction ID: 59d58592ae4736a4db6856efa0975d93beaded90a571c1e6a865e443edc7c3ed
Opcode Fuzzy Hash: 01aac003771090fe56974cec5906d435ace7fd4f0484a10e1b53dabce63bf6b5
Instruction Fuzzy Hash: D8D0127151C7058BC76DDE24D4925B677D5BB95701F20943DE1C782265DE306441C782

Function 00007FFB4B023C40 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e233c798bf6982e1db57e19a567669eae4e320d738c2c7b8a460a9adb26ffe01
Instruction ID: 90f9b346a92fb481cf192f8de8a8bb17c9bb7a7cce8cda60b6c166fd163b80fd
Opcode Fuzzy Hash: e233c798bf6982e1db57e19a567669eae4e320d738c2c7b8a460a9adb26ffe01
Instruction Fuzzy Hash: 39D01264F1D3058B860DEE28826303F76D3DBC8A05F10A13EE68B83291CD247C06854B

Function 00007FFB4B024F22 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95741ce94365ce47586a2c9550d3c84bb5f6a5cf57f4b803794ff616345a7f37
Instruction ID: 0639d95545a60c50354aa811d03e9b50b58c082be87890fb3b7c347b5b1840ef
Opcode Fuzzy Hash: 95741ce94365ce47586a2c9550d3c84bb5f6a5cf57f4b803794ff616345a7f37
Instruction Fuzzy Hash: 89D0227248D2018FE71D3C7088060386232DF12300B1068BE838F472A18C7ACC928E00

Function 00007FFB4B02358B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564f781968f7829fc3ca3dcd61cda36a34572940e7f2064e3fa5309d65bb8d5f
Instruction ID: 87560c6481a27b04d5bae13c9df2b0e398cef108a0b84622501b54baf1a1b4bb
Opcode Fuzzy Hash: 564f781968f7829fc3ca3dcd61cda36a34572940e7f2064e3fa5309d65bb8d5f
Instruction Fuzzy Hash: B1D023C5C1C06343A91D37F4416703C7D105F85100706C47EC286163D77F0C1C060443

Function 00007FFB4B0248D4 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa4bc0c2e0a3395fb549b0cbcc8f736c27a8dc94e224bcaeee82839e296c177
Instruction ID: ecb2b44d71df4acf02b63b236d9557d83e1f9eeaa7898cd531c214677200aa01
Opcode Fuzzy Hash: 2fa4bc0c2e0a3395fb549b0cbcc8f736c27a8dc94e224bcaeee82839e296c177
Instruction Fuzzy Hash: A2D0C9759097069BE319EA24C15047872A6BB85346B118578E28687361EA75E905CA01

Non-executed Functions

Function 00007FFB4B018260 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68bcf3e9498b53e18b0f7eb070bbc978e37934993fd55d5fab21e3fa1c85dc0
Instruction ID: 1a1c67c0a164283a5abdc9be3f6cb539d8343b3567ff7351d171f27665f9f40b
Opcode Fuzzy Hash: f68bcf3e9498b53e18b0f7eb070bbc978e37934993fd55d5fab21e3fa1c85dc0
Instruction Fuzzy Hash: F21238B190CA894FEB6EEF78C8165643BE0EF55312B1449FED54DCB2B2D918AC0D8742

Function 00007FFB4B0166F0 Relevance: 7.8, Strings: 6, Instructions: 280COMMON

Download Yara Rule

Strings

hK, xrefs: 00007FFB4B016741
K, xrefs: 00007FFB4B016731
K, xrefs: 00007FFB4B0167F1
K, xrefs: 00007FFB4B0167D1
K, xrefs: 00007FFB4B016811
0K, xrefs: 00007FFB4B0167E1

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: K$ K$0K$hK$K$K
API String ID: 0-4245933979
Opcode ID: 0f655adf5efe144478c30098f96ec41a54ff6ce8566523fbc3d8d24a9953fc7b
Instruction ID: 3e8b631e84a24423fea95e9c62f1d05f9bdbb7bc978608b9ed53a59b80c9a513
Opcode Fuzzy Hash: 0f655adf5efe144478c30098f96ec41a54ff6ce8566523fbc3d8d24a9953fc7b
Instruction Fuzzy Hash: 87816A8390DAC64FE3596ABCDC611B57FD0EF5625170885FBD189861EBDC15AC0A8390

Function 00007FFB4B018AFA Relevance: 5.2, Strings: 4, Instructions: 215COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFB4B018B12
N_^, xrefs: 00007FFB4B018B7A
N_^, xrefs: 00007FFB4B018C7A
N_^, xrefs: 00007FFB4B018B2A

Memory Dump Source

Source File: 00000000.00000002.1543322505.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b010000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-1196809394
Opcode ID: 15ca2b1a0f597b54831a5db0039a2addb99e7af6aabab4207526037650a1bc14
Instruction ID: d8a8bfc4ce0b8d44d2154f03cbdba255d1da279f061a3e31839accd253fef2c4
Opcode Fuzzy Hash: 15ca2b1a0f597b54831a5db0039a2addb99e7af6aabab4207526037650a1bc14
Instruction Fuzzy Hash: 4161E4F3D0E6424BE36A6B79CCA50E13BD0FF1125C74D41F4D29D8B293ED1A25074646

Analysis Process: InstallUtil.exePID: 7388, Parent PID: 7268COMMON

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	28.3%
Total number of Nodes:	53
Total number of Limit Nodes:	5

Executed Functions

Function 0133B328 Relevance: 5.4, Strings: 4, Instructions: 380
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o't, xrefs: 0133B562
Lj't, xrefs: 0133B6CF
s, xrefs: 0133B39E
Lj't, xrefs: 0133B6E5

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't$Lj't$Lj't$s
API String ID: 0-3502828939
Opcode ID: 40eedd3546d47d7b622a66c3dc211c1d45cb7c6b9ee5868eefc7321331e04709
Instruction ID: bc9a7a0c947bec1bc28dbf6651c2140e85d4e101223238279d8a92908bfec441
Opcode Fuzzy Hash: 40eedd3546d47d7b622a66c3dc211c1d45cb7c6b9ee5868eefc7321331e04709
Instruction Fuzzy Hash: F1F14A74E00218CFDB15CFA9D984A9DFBB1FF89314F1580A9E819AB366DB319841CF58

Function 0133BBD2 Relevance: 3.9, Strings: 3, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj't, xrefs: 0133BDAF
0o't, xrefs: 0133BC42
Lj't, xrefs: 0133BDC5

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't$Lj't$Lj't
API String ID: 0-4181762534
Opcode ID: 1d94301fe3a1a98be73cba6b05bfd8d700630dac728919b7b9f1267fc1ec4a99
Instruction ID: 40789dcac731be2bb54d3404a7eface7bec6f21858e63019a804d055e0364faa
Opcode Fuzzy Hash: 1d94301fe3a1a98be73cba6b05bfd8d700630dac728919b7b9f1267fc1ec4a99
Instruction Fuzzy Hash: 2A819074E00218DFEB14DFAAD988A9DFBB2BF89304F14C069E509AB265DB349941CF15

Function 0133BEB0 Relevance: 3.9, Strings: 3, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj't, xrefs: 0133C0A5
Lj't, xrefs: 0133C08F
0o't, xrefs: 0133BF22

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't$Lj't$Lj't
API String ID: 0-4181762534
Opcode ID: 9056906ce426da45d087358ed7e3c90367bd6ae1f80595543d072731c0d6ce2c
Instruction ID: 2758103bb8116fdc65dbea9398783436b9092dda4e78dea73ec61d8eb4daa55e
Opcode Fuzzy Hash: 9056906ce426da45d087358ed7e3c90367bd6ae1f80595543d072731c0d6ce2c
Instruction Fuzzy Hash: 3781A074E00258CFEB14DFAAD984A9DFBB2BF89304F14D06AE409AB365DB319941CF15

Function 0133C470 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj't, xrefs: 0133C64F
Lj't, xrefs: 0133C665
0o't, xrefs: 0133C4E2

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't$Lj't$Lj't
API String ID: 0-4181762534
Opcode ID: b341d3560205d4d0099e2a50eb4cff8f24f56043bff0faa1cfc39cf4b66e1c1c
Instruction ID: 83857e736bc13498ddb04474d074ae3b5817118cf31e16859553d23bfdc086ee
Opcode Fuzzy Hash: b341d3560205d4d0099e2a50eb4cff8f24f56043bff0faa1cfc39cf4b66e1c1c
Instruction Fuzzy Hash: 7381B174E00218CFEB14DFAAD984A9DBBF2BF88314F14D06AE409AB365DB319941DF15

Function 01334AD9 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj't, xrefs: 01334CCE
0o't, xrefs: 01334B4A
Lj't, xrefs: 01334CB8

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't$Lj't$Lj't
API String ID: 0-4181762534
Opcode ID: 76be67b1bf1bdf8b12b5fa9a137fb14c5d8e95571101c5c074db485b70c91a56
Instruction ID: 4537c1825fb172dfb978209143b2a31995e09932938070f8658c5179c1dc535c
Opcode Fuzzy Hash: 76be67b1bf1bdf8b12b5fa9a137fb14c5d8e95571101c5c074db485b70c91a56
Instruction Fuzzy Hash: 4F81A174E00218DFEB14DFAAD984A9DBBF2BF88304F14C069E819AB365DB349945CF14

Function 0133C751 Relevance: 3.9, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj't, xrefs: 0133C945
Lj't, xrefs: 0133C92F
0o't, xrefs: 0133C7C2

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't$Lj't$Lj't
API String ID: 0-4181762534
Opcode ID: 682bbf031a85a3f861a54ad4c21d34471cd507ee73ca6f8d311d4a0ed2093024
Instruction ID: a53610d917ae12c5f160eb45d44dac996e4922b08fdfc73d4d99dea6704042fd
Opcode Fuzzy Hash: 682bbf031a85a3f861a54ad4c21d34471cd507ee73ca6f8d311d4a0ed2093024
Instruction Fuzzy Hash: F181B474E00218DFDB14DFA9D984A9DBBF2BF88314F15D06AE809AB365DB315941CF14

Function 0133C190 Relevance: 3.9, Strings: 3, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o't, xrefs: 0133C202
Lj't, xrefs: 0133C385
Lj't, xrefs: 0133C36F

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't$Lj't$Lj't
API String ID: 0-4181762534
Opcode ID: e7481ee345c57bcc7f79f89e61cad0f0f4b4004d7c30aa09afaaa3a18b18ff74
Instruction ID: d6eb6ba4563faa2ebe6db0d3e9f231217364c3aadd1a6b93e10fe95d0e39408c
Opcode Fuzzy Hash: e7481ee345c57bcc7f79f89e61cad0f0f4b4004d7c30aa09afaaa3a18b18ff74
Instruction Fuzzy Hash: E281B174E00218DFEB14DFAAD984A9DBBB2BF88314F14D06AE419BB365DB349941CF14

Function 0133CA31 Relevance: 3.9, Strings: 3, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj't, xrefs: 0133CC25
0o't, xrefs: 0133CAA2
Lj't, xrefs: 0133CC0F

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't$Lj't$Lj't
API String ID: 0-4181762534
Opcode ID: bef9ee8f03ad396479b108e31de7c0902d75b73818dac3745c8eb6eaf2fb9dc0
Instruction ID: c9ee600a78f5c49784a6d46a6436a81d74cc670b90a89391ac4bcc66ea2049d1
Opcode Fuzzy Hash: bef9ee8f03ad396479b108e31de7c0902d75b73818dac3745c8eb6eaf2fb9dc0
Instruction Fuzzy Hash: 3C81B674E00218CFDB18DFA9D994A9DBBF2BF88304F14D06AE409AB365DB349942DF14

Function 057279E8 Relevance: 2.0, APIs: 1, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edac67386bf7dd3dad4576a0eae011a223a9edfb50d6f5748421704e0482f6f
Instruction ID: 8682e970f5caa5c3580c264a8d358af5235c298aa89f919295c5a6e887da60ce
Opcode Fuzzy Hash: 5edac67386bf7dd3dad4576a0eae011a223a9edfb50d6f5748421704e0482f6f
Instruction Fuzzy Hash: A2222D74E002288FDB28DFA9C984B9DBBB2FF85304F1481A9D409AB355DB359D86CF51

Function 0133B4F2 Relevance: 1.4, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o't, xrefs: 0133B562

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't
API String ID: 0-524922080
Opcode ID: e47c9fca671861bddff201b40df807721ef096f1bad25f19117eaddb93fbacd0
Instruction ID: f5a09e6f57c716e1e642151e9d2becb243d4ef143563d486811b7aa358382882
Opcode Fuzzy Hash: e47c9fca671861bddff201b40df807721ef096f1bad25f19117eaddb93fbacd0
Instruction Fuzzy Hash: 8461AF74E006089FEB18DFAAD984A9DFBF2BF88300F14C069E419AB265DB355942DF54

Function 01339858 Relevance: .9, Instructions: 859COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d02242343885dd608bfe0a54845683c101262b3566a326e2f40b7462c580b4b
Instruction ID: d94ed67e84c783c52836c6e4ad79bd8a92c2128c3b1f2044364799124a4e8212
Opcode Fuzzy Hash: 0d02242343885dd608bfe0a54845683c101262b3566a326e2f40b7462c580b4b
Instruction Fuzzy Hash: 3B729E70A00209DFCB25CF68C984AAEBBF6FF88318F158559E845DB3A1D770E941CB64

Function 0133F007 Relevance: .7, Instructions: 717
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53181ebe1b9de51af1ae3bcaa7a5ee1a5ef4c2753b292f4361cc937220427fb0
Instruction ID: 05146e54bd6b63189926adabce3f80b8c12a75a9d2e4a7ed107ace26ca5e1ccd
Opcode Fuzzy Hash: 53181ebe1b9de51af1ae3bcaa7a5ee1a5ef4c2753b292f4361cc937220427fb0
Instruction Fuzzy Hash: 5B72DC74E012298FDB64CF69C984BEDBBB6BB89304F5081EAD408A7351DB349E81CF41

Function 01336108 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c573c54f8f44c20ae68222fc33406c0b07237db6a3b10ab79356ca52640766f
Instruction ID: 1f945c37df63ab32bff5e6c756105c178af078e72c925a74c7d92159e6530931
Opcode Fuzzy Hash: 8c573c54f8f44c20ae68222fc33406c0b07237db6a3b10ab79356ca52640766f
Instruction Fuzzy Hash: B2127CB0A002189FDB24DF69C855BAEBBF6FFC8304F148529E506EB391DB349941CB94

Function 01336730 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091e5d32c9fbd00a1561863a137b9f1d99cd2399a879bfd56da829ed31bc2fc1
Instruction ID: b2024fe28d810373be2ecc082e7517d3f00d781a21fd25bdcd81ebe87432a623
Opcode Fuzzy Hash: 091e5d32c9fbd00a1561863a137b9f1d99cd2399a879bfd56da829ed31bc2fc1
Instruction Fuzzy Hash: 88024CB0A00209EFDB15CFA9C985AADBBB6FF88308F158069E505EB261D731DE51CF54

Function 05CE8A10 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46bf6cd6c059e269b1df110b0378597a1392651e143d81718f43cc4f4a1f48d
Instruction ID: a813b0501fe38062387859fac479b79dc26d209367e5ad448a8f5f3242f6c04f
Opcode Fuzzy Hash: a46bf6cd6c059e269b1df110b0378597a1392651e143d81718f43cc4f4a1f48d
Instruction Fuzzy Hash: 5AE1CF74E01218CFEB24DFA9D948B9DBBB2BF89304F2081A9D409A7394DB755E85CF50

Function 057211C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86bae71b32a61ce537483e8c96f745c1a844cf22f8b0d08572ba433f1fa6926
Instruction ID: 0b2d88ca0bd533a6745ab5ca1612121169939ab6b2a2f1f84df1427db90419b1
Opcode Fuzzy Hash: f86bae71b32a61ce537483e8c96f745c1a844cf22f8b0d08572ba433f1fa6926
Instruction Fuzzy Hash: EEC18E74E01218CFDB24DFA9D948B9DBBB2BF89300F5081A9D809AB355DB359E81DF50

Function 05720040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c4ddc84ba28c453ef8d7b8e343cc0bf4ea9b4a970e8dac42f4f9edeabcd8cf
Instruction ID: b4c6a88a705ea815505968e40f1693164e5f4ad3a9aaf027acf4d1d7ce73c23f
Opcode Fuzzy Hash: 51c4ddc84ba28c453ef8d7b8e343cc0bf4ea9b4a970e8dac42f4f9edeabcd8cf
Instruction Fuzzy Hash: 18C18E74E01218CFDB24DFA9D948B9DBBB2BF89300F2081A9D809AB355DB355E81DF50

Function 05721610 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c28f75f0404443425e34283f4e8d4f285ea4c970dcf1b471fd08edb95958a3b
Instruction ID: 9b52f2769dd2ab81a336aa501c8e0b2de7cf32af14141bf401446abb052be341
Opcode Fuzzy Hash: 7c28f75f0404443425e34283f4e8d4f285ea4c970dcf1b471fd08edb95958a3b
Instruction Fuzzy Hash: D7A1F470D002188FEB24DFA8C498BEDBBB1FF89314F248269E449AB391DB755985CF54

Function 05721620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a38c12c1549a7cdf9938e38e9934c1fbebfc35981cc1518e23b9300183de988
Instruction ID: 341eefb4f8e61ca1601f5d18663fddf9ce3f90132c5a630dfbc45620b79a3d37
Opcode Fuzzy Hash: 5a38c12c1549a7cdf9938e38e9934c1fbebfc35981cc1518e23b9300183de988
Instruction Fuzzy Hash: 24A1F470E00218CFEB24DFA8C448B9DBBB1FF88314F208269E409AB395DB759985CF55

Function 05CEC9E0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6264e32ee72cdda4ee09be0432099132da1081f01f7c87b94224f24f7cc1981c
Instruction ID: e342e350c5120a68c9d34b00c53431b5afc1c45e18ee14c66c1278cdaaccc75e
Opcode Fuzzy Hash: 6264e32ee72cdda4ee09be0432099132da1081f01f7c87b94224f24f7cc1981c
Instruction Fuzzy Hash: DAA18E74E012288FEB28CF6AD944B9DBAF2BF89300F14C5AAD40DA7254DB745A85CF50

Function 05CEBD40 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bc9adf5a6754980b15337c9e44702aa87a6513e05a2a6ae3085ea9ab3a85a2
Instruction ID: 41698f46981ad0fec92c42d1d6eec1479a2b0d2d8fac3162464811bfeb7a6250
Opcode Fuzzy Hash: 94bc9adf5a6754980b15337c9e44702aa87a6513e05a2a6ae3085ea9ab3a85a2
Instruction Fuzzy Hash: 8FA18F75E012288FEB28CF6AD944B9DFAF2BF89300F14C4AAD40DA7255DB345A85CF51

Function 05CEA410 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b65e7f5189ba2d09c7c9fb6f24b7f9e452466871696a9cf1e6d76e14622f4d1
Instruction ID: 717de771c4d46ed25631bac65dadc5e8b9f730ba544cd83e7a441cfa656936fd
Opcode Fuzzy Hash: 9b65e7f5189ba2d09c7c9fb6f24b7f9e452466871696a9cf1e6d76e14622f4d1
Instruction Fuzzy Hash: F1A19174E012188FEB28CF6AD948B9DBBF2BF89300F14C5AAD40DA7254DB345A85CF51

Function 05CEC390 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380121220eb5bdd86e0ce840148d24082acd84404869c3f57ab4755589d5720d
Instruction ID: 872698b300d43168a35f84988643f2ad0a26dae087be55aecc4dff0007132dc1
Opcode Fuzzy Hash: 380121220eb5bdd86e0ce840148d24082acd84404869c3f57ab4755589d5720d
Instruction Fuzzy Hash: 87A17275E01228CFEB28CF6AD944B9DBAF2BF89300F14C4AAD40DA7255DB345A85CF51

Function 05CEB6F0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f988098ff5c8aa9b68e034c517087d5c2c52b1c797ad8f9c15fafb0f1dedba74
Instruction ID: fbed8ce16f7ed65898980c9fa3f6ca35a436ebaea94a1ecffba1844b4ab7589b
Opcode Fuzzy Hash: f988098ff5c8aa9b68e034c517087d5c2c52b1c797ad8f9c15fafb0f1dedba74
Instruction Fuzzy Hash: 28A19E75E01228CFEB28CF6AD944B9DBAF2BF89304F14C4AAD40DA7254DB345A85CF50

Function 05CED678 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a8328379970f362609cfa99282c59c5301a0792986f4193fdec18b47cac54b
Instruction ID: e6e88d57c0d4c92d60412b880eb426158c0768d68fdc34c2fe158ff5815327ab
Opcode Fuzzy Hash: c4a8328379970f362609cfa99282c59c5301a0792986f4193fdec18b47cac54b
Instruction Fuzzy Hash: 41A18D74E012288FEB28CF6AD944B9DBBF2BB89300F14C4AAD40DA7255DB345A85CF51

Function 05CEB0A8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94c847d84d5015bb33cf1c5756001ba4e0ebac7589b9c7feb20c85c9f5804d6
Instruction ID: c2bc0e25b2cdb5386139ebaeb688b7c746fb17d3e6707977b1e9836faa4cabd5
Opcode Fuzzy Hash: a94c847d84d5015bb33cf1c5756001ba4e0ebac7589b9c7feb20c85c9f5804d6
Instruction Fuzzy Hash: A1A19F70E012288FEB28CF6AD944B9DFAF2BF89304F14C4AAD40DA7254DB345A85CF51

Function 05CED030 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ceb76e40318d756f400f4a4838fb5daa6547d5ab49b7ca063f1f6905e00fb74
Instruction ID: 840b1158a6ac3666ee22a4f9217599d28ed9bb36cb52869d6ed350eef2e75830
Opcode Fuzzy Hash: 1ceb76e40318d756f400f4a4838fb5daa6547d5ab49b7ca063f1f6905e00fb74
Instruction Fuzzy Hash: 3CA18E74E012288FEB28CF6AD944B9DFBF2BB89300F14C5AAD40DA7255DB345A85CF51

Function 05CEAA60 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dbaee760505f66e5e5505a15772e5e870c8d7172641405158ebc3125f78413
Instruction ID: cb0b47c9e7516baa4c04540164849ad09747ddcf28715335f76622625545cf32
Opcode Fuzzy Hash: 57dbaee760505f66e5e5505a15772e5e870c8d7172641405158ebc3125f78413
Instruction Fuzzy Hash: 9CA18F75E012288FEB28CF6AD944B9DFAF2BF89300F14C5AAD409B7254DB355A85CF50

Function 05721966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a678bc68fe9270731dbe15f205d7c53183e30931cd520355cc09c88dca2bd9c
Instruction ID: b4f2c2a03a2d8dcae3f5ae29a6c4ef9ba3dde48ebda34385bddf1933088899a7
Opcode Fuzzy Hash: 2a678bc68fe9270731dbe15f205d7c53183e30931cd520355cc09c88dca2bd9c
Instruction Fuzzy Hash: E591E374D00218CFEB20DFA8C488BDCBBB1FF89314F649269E449AB291DB719985CF54

Function 05CE9059 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c093c942bc1d17abd1bc4233654f6eae90c5af2cf704ba7cdb3598924b4af55
Instruction ID: 7cfd366dbcc2d4f851239513a0883ec349449e87aea009b6cc560fe55b72fcc6
Opcode Fuzzy Hash: 4c093c942bc1d17abd1bc4233654f6eae90c5af2cf704ba7cdb3598924b4af55
Instruction Fuzzy Hash: 6A81D274E00218CFDB68DFAAD8947ADBBF2BF89300F20856AD419AB395DB345945CF50

Function 05CED020 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78682fb04d871782ad8a043dc1685861b45a689c308b41cf6c8ae6c16fe6bfcc
Instruction ID: 9fbbc11e8379ba3b0da7e210973f6f2b6a650414ae8cf9a1d7d2d692dc5906c6
Opcode Fuzzy Hash: 78682fb04d871782ad8a043dc1685861b45a689c308b41cf6c8ae6c16fe6bfcc
Instruction Fuzzy Hash: 2B718471E016188FEB68CF6AD944B9DFBF2BF89200F14C5AAD40DA7254DB344A85CF51

Function 05CEAA50 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aa1941ac96db91151012093e9db67ca4c3823be465ff9f6e7b5d47344f1425
Instruction ID: 4596c593281bc05d509c18309a3fe6b99f93a849232c652de7886098940dce44
Opcode Fuzzy Hash: a1aa1941ac96db91151012093e9db67ca4c3823be465ff9f6e7b5d47344f1425
Instruction Fuzzy Hash: C4719571E006188FEB68CF6AC944B9EFAF2BF89300F14C5AAD40DA7254DB345A85CF50

Function 05CEC9D0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87a3bc09b22f55399ede6155f628dc5fa650d7637fef5b09cd4860a9411facd
Instruction ID: 58ce67cd3158491f55129e2d5a9e1f6075ca92d2fe4e136561a19496d90dea3f
Opcode Fuzzy Hash: e87a3bc09b22f55399ede6155f628dc5fa650d7637fef5b09cd4860a9411facd
Instruction Fuzzy Hash: DE419871E016189BEB58CF6BD9457DEFAF3AFC9310F04C1AAC50CA6264DB740A868F51

Function 05CEC380 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39eeea94b01fa0b659240baf9db8eb7b0353c84bba2461d265d17808e0651dd2
Instruction ID: 0947fffe643fc4f3d66e863be58128a4d82d62aa949e84bc6c468ba53b64466e
Opcode Fuzzy Hash: 39eeea94b01fa0b659240baf9db8eb7b0353c84bba2461d265d17808e0651dd2
Instruction Fuzzy Hash: 304199B1E016188FEB58CF6BC9557DEFAF3AFC9200F14C1AAC40CA6255DB740A868F51

Function 05CE8A04 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a641553c7af63b25b530b9c1b8ad89309441119baf27a53673e6cbc75fa4f5a1
Instruction ID: 5a818f0c22a488d42046989faf19bafd4053e507bc54d10be5f22e6bcdf23a17
Opcode Fuzzy Hash: a641553c7af63b25b530b9c1b8ad89309441119baf27a53673e6cbc75fa4f5a1
Instruction Fuzzy Hash: 0F41B3B0E012188BEB18DFAAD8487DEBBF2BF88300F14D569C418BB254DB754946CF54

Function 05CEBD30 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db3034484477d252ab32ebe099530d47fc23a8197ee1506a85ce07939a7200d
Instruction ID: 10db04568c4f0d6b310f28699166a5373b348b6d31780762c96e1cc580d4b733
Opcode Fuzzy Hash: 8db3034484477d252ab32ebe099530d47fc23a8197ee1506a85ce07939a7200d
Instruction Fuzzy Hash: 19414A71E016188BEB58CF6BD9457DEFAF3AFC9304F14C1AAC50CA6254DB740A868F51

Function 05CEB6E1 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c227d02f13aca21e8a1563bf53984f41c01113cee8109c0f2e5ae04aaf4675
Instruction ID: e02004917bda67898cacfe32488e140cbad8bd211868f66cc1bca7e752934ee3
Opcode Fuzzy Hash: c6c227d02f13aca21e8a1563bf53984f41c01113cee8109c0f2e5ae04aaf4675
Instruction Fuzzy Hash: F8416B71D016188BEB58CF6BD9457DEFAF3AFC8304F14C1AAC40CA6254DB750A858F51

Function 05CED66A Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7f4c8593502f5083372c492d390ceb287bc8fa71b6ffc61698724691d982cc
Instruction ID: 64942045183c3d061b9e29eb68d8d838c1f0dfbd461096b2e2945ad18f5f5ecc
Opcode Fuzzy Hash: 9e7f4c8593502f5083372c492d390ceb287bc8fa71b6ffc61698724691d982cc
Instruction Fuzzy Hash: 10418AB1E016188BEB58CF6BD9457CDFAF3AFC8300F14C1AAC50CA6254EB740A858F51

Function 05CEA400 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d4e6b0d03400d006204405ebe52c39a8ad73aa11633c54d692301cc66898cf
Instruction ID: f438ffef62711351892c9f4c8a7cd5451cac09baa953303caa44fab5434ee606
Opcode Fuzzy Hash: 90d4e6b0d03400d006204405ebe52c39a8ad73aa11633c54d692301cc66898cf
Instruction Fuzzy Hash: 41414BB1E016189BEB58CF6BDD4578EFAF3AFC9310F14C1AAC50CA6254EB740A858F51

Function 05721A0E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c9457fd6296a079f34bb346ce3d69f3f331e7c2fe5e5ae222ae3daa2dbf077
Instruction ID: 8b8ea1748e479ca043943f6ae89eaa8cbca8dad20c048770c5869a5cc6cee66b
Opcode Fuzzy Hash: 88c9457fd6296a079f34bb346ce3d69f3f331e7c2fe5e5ae222ae3daa2dbf077
Instruction Fuzzy Hash: 84E0922BE44628C6DF1089A588463FCB1F67F86212F8C5261D054A20C0C3398A98E128

Function 05727FEC Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 0572812E

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c1e180eead6b7c294ad0197f7aa4e91205183dd94acc17854ecfd5d3aaef806b
Instruction ID: a4af73567f3ff152575fa026c1530fca8811488629ddff79f655b309f0b9a782
Opcode Fuzzy Hash: c1e180eead6b7c294ad0197f7aa4e91205183dd94acc17854ecfd5d3aaef806b
Instruction Fuzzy Hash: C2116A74E102298FEB18DBA9D884EADB7F5FB88304F148169E848E7345D732DC41DB62

Function 013395D4 Relevance: 1.5, Strings: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

T, xrefs: 013395E6

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: dc98491543cc5e65e93a1721f10781d42c79d81f6f0f29d3bdd51479c7a82fad
Instruction ID: a7c8469bdef18f91cdb75ea1bb3027191dfa0112dfe14da0b0bd4871a4d7bf9a
Opcode Fuzzy Hash: dc98491543cc5e65e93a1721f10781d42c79d81f6f0f29d3bdd51479c7a82fad
Instruction Fuzzy Hash: C481D270604346CFDB06CB6CC890BBABBB5EFC5318F1885AAD445CF2A2D665DC42CB95

Function 013377F0 Relevance: .7, Instructions: 707
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3848510d39285b8b535861b970a6ea7a9b017e2c51eb7d5314df27d408e8eedc
Instruction ID: 6c55a4b3cf4ee7a39601180467f37ab0331a0d159f8a2690bc8e5744ab12b80d
Opcode Fuzzy Hash: 3848510d39285b8b535861b970a6ea7a9b017e2c51eb7d5314df27d408e8eedc
Instruction Fuzzy Hash: 17523034A0021C8FEB25DBE4D860BAEBB72FF88700F1081A9D50A6B755CF355E859F65

Function 013387E9 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3a968e238dafa4efe8303527a77e0857ef1f83862f85aa6da03ce51e41eaf8
Instruction ID: 1123a11a2bd878a8320034f5ab421d4d451dab8bde9b77151d53152a88b08e14
Opcode Fuzzy Hash: 0a3a968e238dafa4efe8303527a77e0857ef1f83862f85aa6da03ce51e41eaf8
Instruction Fuzzy Hash: 51F1A6703142158FEB299B3DC858B797B9AAFC5708F1546EAF502CF3A1DA29CC41C749

Function 01336E58 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b347180a6f505c370f385043372ef976cf9a8ca829e2d348dc052ced62e15d8f
Instruction ID: e462b5fca8cea2711587f23e27d368760d7adb0d34713ec400bbb6d5b3419c4f
Opcode Fuzzy Hash: b347180a6f505c370f385043372ef976cf9a8ca829e2d348dc052ced62e15d8f
Instruction Fuzzy Hash: 7B125B70A00209DFDB25DF68C884AAEBBF2FF89318F158559E945DB261DB30ED41CB54

Function 0133A818 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d510218f5c940973f6602ab6f49f05c1f978376bd18bda58b88b488fa345f72
Instruction ID: ba5669deae0a4a5028621ef020eb50ee4009af17a94175889bb674c401da60f8
Opcode Fuzzy Hash: 5d510218f5c940973f6602ab6f49f05c1f978376bd18bda58b88b488fa345f72
Instruction Fuzzy Hash: 9EF13B75A002148FDB19CFACC8889ADBBF6FF88314B1A8569E545EB361CB35EC41CB54

Function 01330C8F Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff27315440fcb21a74f5d2f7536343673eda8284027fb4a126367a9d95409fa1
Instruction ID: 8ff634c8942d953079722e58a27b455e01bab45289c206b0372c88fa1aa31011
Opcode Fuzzy Hash: ff27315440fcb21a74f5d2f7536343673eda8284027fb4a126367a9d95409fa1
Instruction Fuzzy Hash: 9E22E574A0021ADFCB64DF68F988A9DBBB2FF88311F1091A9D809A7314DB396D45CF51

Function 01330CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c55844d7929418183f8c914b4501f683250354b3bfa90b2c6fd6a98bb6d7ed4
Instruction ID: 48ceed248734d71ddd40f17d79b6852e2b71e168a6eaf4a89e3eea221c9612e0
Opcode Fuzzy Hash: 4c55844d7929418183f8c914b4501f683250354b3bfa90b2c6fd6a98bb6d7ed4
Instruction Fuzzy Hash: E822D574A0021ADFCB64DF68F988A9DBBB2FF88311F1091A9D809A7314DB356D45CF51

Function 013356A8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab679de5ec60ac2687f92f02efbe951dee3a5ab161940b8f5278d4b9b9552d6a
Instruction ID: ac8744fe63fb1d7db050c4bd99f64bc7db5ef18ce4c0bdaa8e25962669ecca5a
Opcode Fuzzy Hash: ab679de5ec60ac2687f92f02efbe951dee3a5ab161940b8f5278d4b9b9552d6a
Instruction Fuzzy Hash: B3B1CE307042058FEB269F78D858B7E7BA6ABC9318F148969E446CB391DB74CC02D7A5

Function 01335C08 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af13b01f83744109750ad3b034632e2251944315b80aadb3019d7a2cc18a476
Instruction ID: fd5a44f38ad502f38454bfabda88e31c0353d6c25bc9753e2c1ab8574f6791da
Opcode Fuzzy Hash: 6af13b01f83744109750ad3b034632e2251944315b80aadb3019d7a2cc18a476
Instruction Fuzzy Hash: 5B819F30B00209CFDB14DF6DC488AA9BBF6FFC9219B158169D50ADB765D731E842CBA4

Function 05CE9918 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb81a479c436de5ef6c19e85b8e4168ce9af9d5393efa551b962dd383800b0d
Instruction ID: 411da0f3dbfcf97bd6588e16b6f0c5fb20f634a60a12c45b239ebc949fa47a28
Opcode Fuzzy Hash: 9bb81a479c436de5ef6c19e85b8e4168ce9af9d5393efa551b962dd383800b0d
Instruction Fuzzy Hash: C0719131F002199BDB15EFA9D851AAEBBB2AFC4700F15852AE406E7380DF349E41C7A1

Function 01337438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e8b06d2681140e2362cfc08ee6125fae430a22c869032b76bb7aa79cbc334b
Instruction ID: 5321e7ec7b304d45e5c790fe108fd795adae378dbf1b23ff122424949ef8fea4
Opcode Fuzzy Hash: b6e8b06d2681140e2362cfc08ee6125fae430a22c869032b76bb7aa79cbc334b
Instruction Fuzzy Hash: ED711874700245CFEB29DF2CC498A6D7BE9AF89219F1500A9E906CB3B1DB74DC41DB94

Function 0133CEC7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e588be92d3519abb5a15882a95d04f34f13456d4dc7414e144108d51e4d9168c
Instruction ID: fc344a67e40cfd3b0bc7ff04442c0082f4fb01ed22553f93510054e44473dcf6
Opcode Fuzzy Hash: e588be92d3519abb5a15882a95d04f34f13456d4dc7414e144108d51e4d9168c
Instruction Fuzzy Hash: 49519B700213469FE3342BA0F5EC16ABBA9FF4F327B456D44E14EA5519DF34648ACB60

Function 0133CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd0eadf2153ae952e12fba6a32b0a05a845e98927047f178d03f093548f2db6
Instruction ID: e89d53faf0465a9200691757e260279323a4514bd770950232936c1d44101c5c
Opcode Fuzzy Hash: 7bd0eadf2153ae952e12fba6a32b0a05a845e98927047f178d03f093548f2db6
Instruction Fuzzy Hash: 5B5186700213468FE3302BA0F6EC16ABBA9FF4F327B45AD04E10EA5419DF356489CB60

Function 0133E2D9 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef35a8f5444b9582317a3c5a1303205194b063f285b07ecb5e18e8df1bb0bc9
Instruction ID: 6acef0ba9911659c4b007b3f1da8ad890f1edb1398d52e82415aeefb3aae9e9c
Opcode Fuzzy Hash: 6ef35a8f5444b9582317a3c5a1303205194b063f285b07ecb5e18e8df1bb0bc9
Instruction Fuzzy Hash: 91612074E01318DFDB24CFA8D858BADBBB2FF88305F608129D809AB294DB395945CF40

Function 01339390 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8db6e48a118a1d913becae09b4fcddad9eec9a5bdd243598ccaa32fd90dd25
Instruction ID: 62ac3b76bf77a621e4d3446d6dab6d72b8b58bb9980f1055dbe7f2a1b9fb7816
Opcode Fuzzy Hash: 1f8db6e48a118a1d913becae09b4fcddad9eec9a5bdd243598ccaa32fd90dd25
Instruction Fuzzy Hash: EC519F307042159FDB15DF68C844BAEBBEAEFC8358F1484A5E908DB296DB71CC01CB95

Function 0133964C Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c0d0c8164aeaa6627d6037971a0115c2568ccc7f10aa0277ebfb1ce402d5e3
Instruction ID: 6408bbe79798e732d6d34061efb249edae87db1240792b9d903fb5895a858340
Opcode Fuzzy Hash: 27c0d0c8164aeaa6627d6037971a0115c2568ccc7f10aa0277ebfb1ce402d5e3
Instruction Fuzzy Hash: D041B674B04206DFEB15DA6DC880BBEB7A9EFC832CF148465E501DB291DAB5CC41DB94

Function 013338F9 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a971cb7717329790d5a0703f72e490a3da9d32c2869297d927be844ace400bb
Instruction ID: ae266423eb73492d2863f0333c4645dcee0e79cead69f2b4f70e0e28f4a1574f
Opcode Fuzzy Hash: 6a971cb7717329790d5a0703f72e490a3da9d32c2869297d927be844ace400bb
Instruction Fuzzy Hash: E051C574E01208DFCB18DFA9E59499DBBB2FF89300B209069E805AB324DB369C42CF54

Function 0133CD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5729357091026769b328e05211450938892eaa0258600c697c53dac3e3b09caa
Instruction ID: cd033e7552775ca31224da819e60a55111f7b6b74657ef301b2d046fde9b587f
Opcode Fuzzy Hash: 5729357091026769b328e05211450938892eaa0258600c697c53dac3e3b09caa
Instruction Fuzzy Hash: 25518074E01218DFDB58DFA9D59499DBBF2FF89300F24816AE809AB365DB31A901CF10

Function 05CEDCC8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9ce4593313a7d6ec31a646a5fba5e50d7916c7dcc3f7b6292455168e0ba804
Instruction ID: fc66199b5d74d013bae7b6a37cf9cf6b5a7ef824e2b525b9e0fadba0aa026cb1
Opcode Fuzzy Hash: 0c9ce4593313a7d6ec31a646a5fba5e50d7916c7dcc3f7b6292455168e0ba804
Instruction Fuzzy Hash: B141393090231ADFD714AFB4E09C7EE7BB5FB4A316F505869D512A6294CB7C0A84CBA4

Function 01333908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967f93d2f9e44da631bdbc74eb9a79cf3e2a9655daf70a56a41531cb870ecd9a
Instruction ID: 6a7f5eb20be7af19e6b1d004988d87a0c1087322bed1013c0e310bea98994fd0
Opcode Fuzzy Hash: 967f93d2f9e44da631bdbc74eb9a79cf3e2a9655daf70a56a41531cb870ecd9a
Instruction Fuzzy Hash: 8D51A674E01208DFCB58DFA9E59499DBBF2FF89314B209069E805AB324DB36AC41CF54

Function 0133F0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988733ac4dea761c1674ed767d34a53b68e52b8f97b7cdf8eb1560405a97b6c5
Instruction ID: b69732a8e508e315d99efa5f1df0cd15294833585ad4cf68872cb6fb51bf32b1
Opcode Fuzzy Hash: 988733ac4dea761c1674ed767d34a53b68e52b8f97b7cdf8eb1560405a97b6c5
Instruction Fuzzy Hash: 1E51DE74E02228CFCB64DF68D988BEDBBB5BB89305F5055AAD409A7350D735AE81CF10

Function 05CE9E51 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c82481871f8960891a878c52048a7b7ee8ca3395bc257b7755540e638c38fd4
Instruction ID: b8ddd4cf14aaccd77c9bec5e7d0b9528c9984803b4d74309940974fa30db1fca
Opcode Fuzzy Hash: 5c82481871f8960891a878c52048a7b7ee8ca3395bc257b7755540e638c38fd4
Instruction Fuzzy Hash: 4051F179E01218DFDB14CFA9E584AEDBBF2FF88310F20812AD815A7254D7385A46CF50

Function 01339A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903d765a39191854c53e82dc78eea79de57dc6acd574db194a7ef526f7dacf13
Instruction ID: b2fd7d689e6dcb1e1311afdc1cd14805db451b47b1981b70ef2ed0c0af0a97b7
Opcode Fuzzy Hash: 903d765a39191854c53e82dc78eea79de57dc6acd574db194a7ef526f7dacf13
Instruction Fuzzy Hash: 1B41C031A04249DFDF16CFA8C844B9EBFB6BF89318F048566E8119F2A5D3B4D911CB64

Function 0133A650 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ba96459481de0d746196c7e6275e4990ab7b32ea96729bf211ce1478bd0288
Instruction ID: 53f7185fc8127113e46c65481c01d9d7846a8e5692bc664a5f047e2a0bbbbbb4
Opcode Fuzzy Hash: 73ba96459481de0d746196c7e6275e4990ab7b32ea96729bf211ce1478bd0288
Instruction Fuzzy Hash: D341C0357002089FDB25AB79D855BBE7BF6ABCC311F148569E506E7391CE358C02CBA0

Function 01331F08 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7e0499f3664017c8c1f67815d0f75ff2c91948c7f544a704333aef7ebc2ea4
Instruction ID: b272d38ad053057875f71f7c3a1c326110446dc68ae101269512dd844e49e7d7
Opcode Fuzzy Hash: 5f7e0499f3664017c8c1f67815d0f75ff2c91948c7f544a704333aef7ebc2ea4
Instruction Fuzzy Hash: EC411274C082088FDF22DFB888591FDBFB4FE86318F50059AD405AB251E6324549CBA6

Function 05CE9908 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a4bd9600967cb98a344bdd642f240b39fbc73cad6cca2dd660699020c3f040
Instruction ID: 055dcb6782ed4c52f015e5b5f1d9e15d86606c943d3dfee38aee5646ae208b4a
Opcode Fuzzy Hash: 15a4bd9600967cb98a344bdd642f240b39fbc73cad6cca2dd660699020c3f040
Instruction Fuzzy Hash: D7412271E10219DBDB14DFA5C891BDEBBB6BF88710F148529E816B7340EB70AE45CB90

Function 0133D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff87e5fbdc785aa2048c6482f78ef49ef348271313da69fb39e57b24f48e5fc4
Instruction ID: ea45b0ddebb963f9f1a5ca619e24f05633bc3f510e00738be4f016ce79680e04
Opcode Fuzzy Hash: ff87e5fbdc785aa2048c6482f78ef49ef348271313da69fb39e57b24f48e5fc4
Instruction Fuzzy Hash: 56414670D00208CFCB25CFE8E4846ECBBB9FB89319FA09119D41AAB645D7399842CF58

Function 01333428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851af176917e9f2514ca422f05d85f6a759db12607276ead21e2c68945ef8b5d
Instruction ID: 37f48ba174dfc11f204a25d9334b76e2901c613e2e97b7f8c81c8f4733963813
Opcode Fuzzy Hash: 851af176917e9f2514ca422f05d85f6a759db12607276ead21e2c68945ef8b5d
Instruction Fuzzy Hash: 373107357003188BFF2D8AAE599427EA59EBBC4619F14C039E906E3380DF75CC4497A9

Function 0133D7EB Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38700d0bed7f17a4f3b8f8863eb91956f98bfae0116a9d10baf7ecaf1fbff566
Instruction ID: 0a9fc9a508870a24e1675d43b7fdc088d85b39bc8bbeca6e9c633161469c3ab7
Opcode Fuzzy Hash: 38700d0bed7f17a4f3b8f8863eb91956f98bfae0116a9d10baf7ecaf1fbff566
Instruction Fuzzy Hash: 41413770D00208CFCB25DFE8E4846EDFBB9FB89319FA19115E419AB255D7399841CF68

Function 05CE9E60 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ca3e8e7534a5c30b9e976380aff63ed560a30c7d43bd9e186f6afb1ae75c2d
Instruction ID: b341100405f771ee1650c8095d99ed9a4322025ae9ea96537a04e994b8f47e0b
Opcode Fuzzy Hash: 18ca3e8e7534a5c30b9e976380aff63ed560a30c7d43bd9e186f6afb1ae75c2d
Instruction Fuzzy Hash: 7B41C074E01218DFDB54DFA9E5886EDBBF2FF89301F10902AD805A7254DB385A45CF50

Function 0133D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a6d8662cb666a922a401aa5b014ed1ed942f73ab56ab622c0c2b5b2c02e565
Instruction ID: 8e35224ed39d7edf1224ab883ea89df0bdffc5af5582212118660953236cff83
Opcode Fuzzy Hash: 60a6d8662cb666a922a401aa5b014ed1ed942f73ab56ab622c0c2b5b2c02e565
Instruction Fuzzy Hash: F2411570D00208CFDB21CFE8E4846EDBBBAFB89319FA09119E419AB245D7399841CF58

Function 0133D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590a4183eaa719ca17bf6c4351e96e3b4049e9978a28348c2b8a647ccb3927e3
Instruction ID: 0a163313ea8b98ffc11cb61374a6851b509651adf4d8f8bdf091b43a571665c8
Opcode Fuzzy Hash: 590a4183eaa719ca17bf6c4351e96e3b4049e9978a28348c2b8a647ccb3927e3
Instruction Fuzzy Hash: 10413770E00208CBDB14DFA9D4486DDFBF6FB89304F94D129D418A7255DB359845CF58

Function 01334DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c79cc4a4b3ede71137bd7d77590bf528a68d5a7fa250682ccd31e4548520519
Instruction ID: 3d4d610a39baa1b41f8530124c3b2e1b06fdaad862c82f14ab64c2e4e3aef568
Opcode Fuzzy Hash: 0c79cc4a4b3ede71137bd7d77590bf528a68d5a7fa250682ccd31e4548520519
Instruction Fuzzy Hash: 5531A33130810AAFCF259F68E858AAF7BA6FB88304F008414F91987255CB39CD65DBB0

Function 013392DC Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3dcb268655b13be852b467e2edb8405a74ace3decfad6bce54f2bee964acd00
Instruction ID: fd7baec48b21a147b07c73b32420e1e6f5376ee916bbc1e0f46abd91a8c74b18
Opcode Fuzzy Hash: f3dcb268655b13be852b467e2edb8405a74ace3decfad6bce54f2bee964acd00
Instruction Fuzzy Hash: 8831E430A00649DFCB11DF6CC880AAEBBF9FF89324F548566E844CB215C331E912CBA1

Function 013376D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bcfc26cc57b7ff7bccf13d875f6d724306985eae659721242dc247549b4451
Instruction ID: 9a7906a37972f4e89605e47be27b9fc7ca583f4012b41dc0997cce442d280826
Opcode Fuzzy Hash: e3bcfc26cc57b7ff7bccf13d875f6d724306985eae659721242dc247549b4451
Instruction Fuzzy Hash: 1921F8743042154BEB37173D8894A7D379B9FC865DB184079D906CBB9ADE25CC42E7C4

Function 0133A809 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917bb44dc461f2cad960ce673f5e48a0f77953c32c0145136b6c2dab8db004dc
Instruction ID: b473b003a46d27dc2da6398e387354c409baad735559ff4f115ce34145e65998
Opcode Fuzzy Hash: 917bb44dc461f2cad960ce673f5e48a0f77953c32c0145136b6c2dab8db004dc
Instruction Fuzzy Hash: D3316F74A006098FCB04CF6DC8849AEBBB6FFC5354B168559E555EB3A5CB349C02CB94

Function 05CEDCB9 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5d865f95b9419fedd9954114dd76d62c3394bc05bf45293ae7dd66daa762f9
Instruction ID: 1c6726c4ca8f12567ba55694bb405ca37d5c7a6526faaa3c0ec41dadee01e537
Opcode Fuzzy Hash: 6b5d865f95b9419fedd9954114dd76d62c3394bc05bf45293ae7dd66daa762f9
Instruction Fuzzy Hash: 3C317C7190131ADFD7149FA4E09C3EEBBB1FB8A316F105869D51267284CB7C0A84CFA0

Function 013376E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02765f0cd649d4bacdfeec6d4b3fc147b9f593cff64ba1cb167155b913f8109e
Instruction ID: 6a3a8b9ff73022a9874904d6ffb78bc4f650e5be34be52d0064f44b352be07be
Opcode Fuzzy Hash: 02765f0cd649d4bacdfeec6d4b3fc147b9f593cff64ba1cb167155b913f8109e
Instruction Fuzzy Hash: E821C2793002154BEB2716398854B7E769FAFC875CF148078D906CBB99EE26CC81A7C8

Function 0125D006 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843171004.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_125d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e447f480753f1c9cf4ef0557e6094229b797e4a34424d4738c34e67700386b
Instruction ID: 25791436afe16091b83fb3bb7227b632c72024a0a7e3cf30db60a2bb36cac14d
Opcode Fuzzy Hash: b6e447f480753f1c9cf4ef0557e6094229b797e4a34424d4738c34e67700386b
Instruction Fuzzy Hash: 99312A7550E3C48FD7038B64C9A4711BF71AB47214F2985DBD9898F2A7C23A980ACB62

Function 01335A60 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9be24a0058107ab7cbb199469403578bc849f3d2dd024ef7993c1aac43f7358
Instruction ID: 90cae147f9b56ab451d97d92d5f5f275aa69b2fdf014de30863bd05fdc78cb31
Opcode Fuzzy Hash: b9be24a0058107ab7cbb199469403578bc849f3d2dd024ef7993c1aac43f7358
Instruction Fuzzy Hash: 6C21F5307056119FD73A9B28D49452EBBA6FFC9754B0981A9E906CB394CE34DC03CBD4

Function 01332060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73e5b0dcfa0352f68652c7178365c2ce034199cdcbcacd775c6fba1f627fa66
Instruction ID: d4bc5c46a17cea2048b26c35af21271ef3a497c2984a1742f4df0cdd32e4e78c
Opcode Fuzzy Hash: d73e5b0dcfa0352f68652c7178365c2ce034199cdcbcacd775c6fba1f627fa66
Instruction Fuzzy Hash: 3F21F175A00106EFCB14DF68C8409AFB7A6EBD8260B10C059D90A9B344DB36EE46CBD1

Function 0125D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843171004.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_125d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8035ff92184bcadde12e0ba0161e6914d597dae536650f180a9fd096a2c19c
Instruction ID: 3bc7e0bc5df50f4fbc5dce9550258458c0f367893490b875aa3623914e256ad0
Opcode Fuzzy Hash: da8035ff92184bcadde12e0ba0161e6914d597dae536650f180a9fd096a2c19c
Instruction Fuzzy Hash: 5E212271614309DFDB51DFA4C8C4B26BB61FB84314F20C56DED490B342C77AD846CA62

Function 0133215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aaae4b2fbb6f164ffd3dc746fbfb85c2b6c7e690e2d01e136139baa061d34c3
Instruction ID: ef0b297a5b3726560bcb8c0432052737e5617cbd99ff75f62aaaff32cbdce19c
Opcode Fuzzy Hash: 6aaae4b2fbb6f164ffd3dc746fbfb85c2b6c7e690e2d01e136139baa061d34c3
Instruction Fuzzy Hash: AF118932E0435A9FCB029BF89C104DFFB70FFC9220B248352E615B7191EA322906C7A0

Function 01334DB9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbcaa5d8fb704e82e6f8f92fa29d09f5bc1f2f58f84ce2f7e8655e06a96e85d
Instruction ID: a25c8cdbeaea7c210b3b34125e35cf31993a32920c908f3e5f88b05b547bbb5b
Opcode Fuzzy Hash: 0cbcaa5d8fb704e82e6f8f92fa29d09f5bc1f2f58f84ce2f7e8655e06a96e85d
Instruction Fuzzy Hash: 5521D4316082499FCB259F68E458A6A3BA6FFC8318F048469F5098B252CA38CC55CBB4

Function 013339ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210511a7d0d38f22c2b3145d32837b5afc69648603ce6841be2a2ee1b6d90ccf
Instruction ID: 33dd4d7c647e8777bc15881a6627987e1298bc11aab12c3c281bf23400e1863b
Opcode Fuzzy Hash: 210511a7d0d38f22c2b3145d32837b5afc69648603ce6841be2a2ee1b6d90ccf
Instruction Fuzzy Hash: 0431C778E11309DFCB14DFA8E59489DBBB2FF49315B205069E819AB324D736AC05CF51

Function 05CE9AF9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f000a4e879cab031a45ce830c8fe460284306d1af805a04c38bf985a8382d2a8
Instruction ID: 495975ef75c689889ed6b0f2bbfdd736001ea557973838eeaf1fafd4e62a44ff
Opcode Fuzzy Hash: f000a4e879cab031a45ce830c8fe460284306d1af805a04c38bf985a8382d2a8
Instruction Fuzzy Hash: 63113D367042545FDB465FB85C246AE3BA3EFC9250B45442AE506DB3D1DE344D0587B1

Function 01338EC1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5ae74b32e0f4061e15a3b37324e3acc82bce6ec48be7715cd361e53768bc07
Instruction ID: 6b9489e2f7daa4ba641578998cb4df97a9ec277a4faaac8ff04dc10a3fb7dfd5
Opcode Fuzzy Hash: de5ae74b32e0f4061e15a3b37324e3acc82bce6ec48be7715cd361e53768bc07
Instruction Fuzzy Hash: C421AD30A04249EFDB25CFA9E580AEDBFB6EF88304F248199F500A7290CB359901DB20

Function 0133E1F8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7aef8d310c887b95363ce680b1bdb78b73dc5c228a86c9aa8b00ba15c4a9ab
Instruction ID: 7f37695aa527e400d1f1b6f9c6682a41fc7dbb95c9f50a039467e10b6fd0fc1b
Opcode Fuzzy Hash: be7aef8d310c887b95363ce680b1bdb78b73dc5c228a86c9aa8b00ba15c4a9ab
Instruction Fuzzy Hash: A5215B70E003499FDB55EFB8E5457AEBFF1FB85304F0092BAC4449B215EB340A468B81

Function 0133D60F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471d425297be16c67458a009067ae2bf91ee7751caa74508073c0228e9351e98
Instruction ID: 3e8a957199fbdca7dc442e6fa994aead5513d63d21d660a456a527447b85e32d
Opcode Fuzzy Hash: 471d425297be16c67458a009067ae2bf91ee7751caa74508073c0228e9351e98
Instruction Fuzzy Hash: A8116A71D002488BDB19CFAAD4056EEBBF6EFCE315F48C175C418A7265D73448068F54

Function 05CEE0C8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c908aac5b17c42367d17ef04f1c1d1c72830671fd5f060cc9a76462854594160
Instruction ID: c360a7b2095dde96a361c8c1c5e399d33056bcb2861b9d91bf1aa681358df87f
Opcode Fuzzy Hash: c908aac5b17c42367d17ef04f1c1d1c72830671fd5f060cc9a76462854594160
Instruction Fuzzy Hash: E911A1317043549FD7154A7AAC186BBBFEFAFCA250B1984BBE506C7396CE248D468370

Function 01335A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3cc32f0d233619ee2bda593040965eb99973472aa02078ea99f75f6be4ab66
Instruction ID: 2d17985cece2150e6f4ebdc2b6e6999c036bb140da272b04bebd02d66cdd9463
Opcode Fuzzy Hash: 5a3cc32f0d233619ee2bda593040965eb99973472aa02078ea99f75f6be4ab66
Instruction Fuzzy Hash: 0B11A5317016129FE72A5A29D49852EBBAAFFC47557194168E906CB350DF21DC028BD4

Function 05CE964C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a845b1ce1afad4510dfaa2f8995dab2950cc63a938b2c29b5e51cb5ae5b76fb
Instruction ID: ca5e096444325cf90383e3a36521367fcb3ecdbbd08e3d505a597209496000da
Opcode Fuzzy Hash: 0a845b1ce1afad4510dfaa2f8995dab2950cc63a938b2c29b5e51cb5ae5b76fb
Instruction Fuzzy Hash: 571129B680034D9FDB10DF9AC844BEEBBF5EF48720F148419EA14A7250C379A554DFA1

Function 0133E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0553c5f491959012f0bd993a6efc2168d63e142ce87e71c7ceb6c984d5aa1ad1
Instruction ID: 8821776584be768e8d1d744291fdd9385d9fdfc8b5556fd5550a29d8bd2e1bb0
Opcode Fuzzy Hash: 0553c5f491959012f0bd993a6efc2168d63e142ce87e71c7ceb6c984d5aa1ad1
Instruction Fuzzy Hash: E6113A70E00309AFEB54EFBCE54479EBBF5FB84304F4195A9D404AB214EB355A458B91

Function 05CE9DA1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7981b1e6f60860fb8c4e641e69672cfa84f1485478b67cf814868c34a2dd3978
Instruction ID: c67e163e32c5137cb43fa4ced01e949c39dc2c649be93d7553680fd5f7a72ea9
Opcode Fuzzy Hash: 7981b1e6f60860fb8c4e641e69672cfa84f1485478b67cf814868c34a2dd3978
Instruction Fuzzy Hash: F51167B6800209DFCB10DF99C844BEEBBF5EF48320F14881AE614A7650C339A554DFA0

Function 05CE92C9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0110fbdc98bf88919c1da15689ff69023383a46b6de3ab989ad39af280a8139
Instruction ID: bcad8b97f2103e89e12fcdc1698d031be6215d66be3a00f8dcf75d365e58174d
Opcode Fuzzy Hash: c0110fbdc98bf88919c1da15689ff69023383a46b6de3ab989ad39af280a8139
Instruction Fuzzy Hash: 47112A34E002488FEB14DBE9D840BAEBBB2EB89311F419461E808E7349E6319D428B50

Function 01331F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f18058976305bf934338b7ffe4825de2f13560182349c71b6a1d83f0e891fa6
Instruction ID: 6a9a8c72d52e8cf17357332537ab3ba2794c8d570fc7ee917c7ee4e6677a3ec4
Opcode Fuzzy Hash: 9f18058976305bf934338b7ffe4825de2f13560182349c71b6a1d83f0e891fa6
Instruction Fuzzy Hash: 4521C0B4D0420A8FCB50EFA8D9495EEBFF5FF49300F1051AAD805B2214EB345A85CFA1

Function 01335607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094fe998acf3284d068646c72b9e7b34cc62ee01f6162ba03f19c67c8b44879a
Instruction ID: d5ba1e89277f0fbf6cbefc37ccbfb40f11c73b2ba551a71f60ae25e603e694f6
Opcode Fuzzy Hash: 094fe998acf3284d068646c72b9e7b34cc62ee01f6162ba03f19c67c8b44879a
Instruction Fuzzy Hash: 210168717040046FCB118E68A820AFE3FABDFC8351F1D806AF504C7290CE318C0297A0

Function 05CE9B68 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42dcc4d1244cc3fc028349daa52dd725990a3a4303d54c8b8df9b4bdbf5fe55b
Instruction ID: d0fc34d92d7ec2381eba64c871d955313daf3690dfc4fe3c6304f75e5aecd435
Opcode Fuzzy Hash: 42dcc4d1244cc3fc028349daa52dd725990a3a4303d54c8b8df9b4bdbf5fe55b
Instruction Fuzzy Hash: B3F082763002186F9F059E99AC449AF7BABFBC8260B01482AFA09C7351DF32991197B5

Function 0133DF08 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fea6f8a09155f8cd8a0a79db5ac7f5600cd08bac368c486483283b9ae3f4d5a
Instruction ID: 96869d9c50fdfa49054ebeb0a47c7775f5d0fe9a3109730207068b8060c53501
Opcode Fuzzy Hash: 9fea6f8a09155f8cd8a0a79db5ac7f5600cd08bac368c486483283b9ae3f4d5a
Instruction Fuzzy Hash: 48E022329582559BCB049BA8A95B3FABBB2EBC7210F409434D408A3091C775851F8A81

Function 0133D449 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47041c531bc2d96326419d96e7add43e8cdd9bda5a89a159f95ddf140de6c43
Instruction ID: 9d9b51e2d72462ae56a30105ca831e03333ae3bf1a67b33b1cee069debfa07d8
Opcode Fuzzy Hash: b47041c531bc2d96326419d96e7add43e8cdd9bda5a89a159f95ddf140de6c43
Instruction Fuzzy Hash: DDE02231C1428497CB109BB8A91F3FDBBB2DBC7301F489478C018B7155CB3596178B01

Function 0133D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315da1ce913343c92cccf731444e4a9b8aa35d2a857198975cc5a711fdb543e1
Instruction ID: 5154ae2ba603d728ccc15fb736f8491c09bcc7f6699f1b8262f1f9fe4eee53af
Opcode Fuzzy Hash: 315da1ce913343c92cccf731444e4a9b8aa35d2a857198975cc5a711fdb543e1
Instruction Fuzzy Hash: EFE020D3C08244DBE7204BE664161B87F34DDD72057C450C7D099D7525D714D2069715

Function 01332010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e430707f4dd65e5e0381385b65b5c61a0afcb2fb6fb42b93fbe5ab09dcc982
Instruction ID: 644434b5b8dbb0905079d97261eca57727f705c79a49e287939335319f9dddb6
Opcode Fuzzy Hash: 84e430707f4dd65e5e0381385b65b5c61a0afcb2fb6fb42b93fbe5ab09dcc982
Instruction Fuzzy Hash: D0E0D835E143678FCB119B709C040EEBF31BED2321B15867BE45066051E7702D5BC7A1

Function 01332020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051aeb18adc75ccadc0fe8a8a6ba5221989f96996d9071cbbfe580b41be4d85e
Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
Opcode Fuzzy Hash: 051aeb18adc75ccadc0fe8a8a6ba5221989f96996d9071cbbfe580b41be4d85e
Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1

Function 01338258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: aa4223257d0a21fbcbbdc765f83283c1154503a46b89c9da63c1a880e61f0b87
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: ECC0123724D1282AE626108E7C40AA3AB8CC2C12B8A2502B7F91CE3201A8429C8001A8

Function 0133A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236912884a60d865692baa7e8e1669f9b69e0e442282c29ba117e528538e7252
Instruction ID: aab36b492f87b829a714496543277b286b17802b5bbd7e33dc4403186637db68
Opcode Fuzzy Hash: 236912884a60d865692baa7e8e1669f9b69e0e442282c29ba117e528538e7252
Instruction Fuzzy Hash: 03D0677AB010089FCB149F99EC409DDB7B6FB9C321B048116E915A3264C6319925DB60

Function 01335EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b922e727ab65829e513e2dfbea02ab50162e1232a5e7b33cc00157b3e8468ae8
Instruction ID: c11a23b25faa491a0cfd3e7007de57dc8204bb6b85a38945cc1b51613803aaad
Opcode Fuzzy Hash: b922e727ab65829e513e2dfbea02ab50162e1232a5e7b33cc00157b3e8468ae8
Instruction Fuzzy Hash: 90D02B309083466FDB21E734F5154683B31BAC0204F40C2B6F8054D41BEF790C464B22

Function 0133FBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4765dd3edb2b8d7597c985b2da57c9e98f96b524626225da2a7f91faf29d700e
Instruction ID: 27aea8e66af0f240a109274b09b7ebc4fe17455efb9e841ad597ded522b7778a
Opcode Fuzzy Hash: 4765dd3edb2b8d7597c985b2da57c9e98f96b524626225da2a7f91faf29d700e
Instruction Fuzzy Hash: F6D06C78D4421C8BCB20EFA8EA483ECB7B4AFC9315F0010E6980DB3200D7305AA08F16

Function 01335EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a979000177e2cd2bab3249fd7f2fad3099c0ef602b2da4c5ac29793b6d9475d4
Instruction ID: 7ca709c19bee5812c4e40be37de433d8b01472fcadad6c1b4dc43a130a8c8d0e
Opcode Fuzzy Hash: a979000177e2cd2bab3249fd7f2fad3099c0ef602b2da4c5ac29793b6d9475d4
Instruction Fuzzy Hash: 92C0123020430A5BD525E779FA49519371AF6C0601F409611F5090A119EF795D4447A1

Non-executed Functions

Function 05CE37C0 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0o't, xrefs: 05CE382B

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't
API String ID: 0-524922080
Opcode ID: ce60129b83c8a038616c0be45147f631d2ac40c1089f29a7a0573e91330c44d0
Instruction ID: 9ab3420efba4e67dacdef1883352c461fc42e60731c1300dc0ddfbe8ac9a3245
Opcode Fuzzy Hash: ce60129b83c8a038616c0be45147f631d2ac40c1089f29a7a0573e91330c44d0
Instruction Fuzzy Hash: 2FB18174E00218DFDB54DFA9D884A9DBBB2FF89310F2081A9D819AB365DB35AD41CF50

Function 05CE37B0 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

0o't, xrefs: 05CE382B

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o't
API String ID: 0-524922080
Opcode ID: 63db5b0c33969aef2f99cb6ae456a0c6839192ed9eb178148b14d78cc0dc55cc
Instruction ID: 6511fe13d13f96f683fff7e3b68f05a445dd423fb22e6afc993c4cffab4ec971
Opcode Fuzzy Hash: 63db5b0c33969aef2f99cb6ae456a0c6839192ed9eb178148b14d78cc0dc55cc
Instruction Fuzzy Hash: C751A474E016488FDB08DFAAD98499DFBF2FF89300F148569D819AB364DB34A942CF10

Function 0133E528 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779ce285d936a96a1259324b92f708cfbfe243ad08dae6ce9a13264535e8a4f5
Instruction ID: 2b05f24c5fd0575e9e1d5672ff1c0304f1f21bc29f779a01a4bcfa0ae3a68452
Opcode Fuzzy Hash: 779ce285d936a96a1259324b92f708cfbfe243ad08dae6ce9a13264535e8a4f5
Instruction Fuzzy Hash: 4C528B74E01228CFEB64DF69C984B9DBBB2BB89305F1081E9E409A7354DB359E85CF50

Function 05CE55A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8412b76ed542f6407d22ccdc1c42cd974bacc3819ce1fde025b3a2198be76963
Instruction ID: 74ef575c0fd29e7a2033ab18068b33ccdac6cf6dd8b81719d8fbffc97995263b
Opcode Fuzzy Hash: 8412b76ed542f6407d22ccdc1c42cd974bacc3819ce1fde025b3a2198be76963
Instruction Fuzzy Hash: 27C19F74E01218CFDB14DFA9D994B9DBBB2BF89304F5080A9D809AB355DB355E81CF50

Function 05CE85B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634ed22c6d793af587bc183267bae3d74509e35180ed68dfad15eb53af549eb8
Instruction ID: 5a00837b5dea88259fd192dd20bf8cf9ae705321c6242602811409aeba5294d1
Opcode Fuzzy Hash: 634ed22c6d793af587bc183267bae3d74509e35180ed68dfad15eb53af549eb8
Instruction Fuzzy Hash: 06C19E74E01218CFDB14DFA9D988B9DBBB2BF89300F6080A9D809AB355DB355E81CF50

Function 05CE0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1bc64465d1ac26057cbb13756e8fffc8324281a3828d5a15085e344babc3e2
Instruction ID: ac2f88a871ab88ec28a1dc703983627acb2c345c4e1b81cbdfac616cec0deda4
Opcode Fuzzy Hash: 2d1bc64465d1ac26057cbb13756e8fffc8324281a3828d5a15085e344babc3e2
Instruction Fuzzy Hash: 9DC19E74E01218CFDB14DFA9D988B9DBBB2BF89300F5081A9D809AB355DB359E81DF50

Function 05CE8160 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8704b33e2da3bb1e43b9c508154dc43e5fd86c21f80a7249f309843cb413585a
Instruction ID: 17c2de531ecb96e4f6b24fea3ce131851a2f3b27aa9ea4763d8ce0706672d5a5
Opcode Fuzzy Hash: 8704b33e2da3bb1e43b9c508154dc43e5fd86c21f80a7249f309843cb413585a
Instruction Fuzzy Hash: 57C19E74E01218CFDB14DFA9D994B9DBBB2BF89300F6080A9D809AB355DB359E81DF50

Function 05CE7D08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7b447722c212e1dca1a97f40f13060b82e1c5af1437199f742f524490c238f
Instruction ID: 4fd4eff2076cdbf4d38e9bfa18617d3cb92ab05302c7edb7e76d96ea6fad1d50
Opcode Fuzzy Hash: cd7b447722c212e1dca1a97f40f13060b82e1c5af1437199f742f524490c238f
Instruction Fuzzy Hash: C6C19E74E01218CFDB14DFA9D984B9DBBB2EF89300F5081A9D809AB355DB359E81DF50

Function 05CE08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34e652be96445f7309cac7d7f7572e158e40707fe5c995cad021e149cc7f621
Instruction ID: 549271faf40aa63fec73dc38c0cfcc0d7d817404da2e3eadf9627b30666de675
Opcode Fuzzy Hash: a34e652be96445f7309cac7d7f7572e158e40707fe5c995cad021e149cc7f621
Instruction Fuzzy Hash: 28C19E74E01218CFDB14DFA9D988B9DBBB2BF89300F6081A9D809AB355DB755E81CF50

Function 05CE0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789d32d5e79c5a140609c696db3a1efbbf34ba30289d16cb0b290392120204b2
Instruction ID: b46f71819f1e9a20d83956f5ad04243c62f6dde1c2054c72d3afdf0538038e9e
Opcode Fuzzy Hash: 789d32d5e79c5a140609c696db3a1efbbf34ba30289d16cb0b290392120204b2
Instruction Fuzzy Hash: ACC19F74E01218CFDB14DFA9D958B9DBBB2BF89300F5081A9D809AB355DB355E81CF50

Function 05CE78B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88ac28be40caa963e217a51eee88fc8f8f50baec0fb1e23c6390535ab54d2f3
Instruction ID: 5defb0f7507a0606dbfc5f8b90ea1efa7db3c473bd2ec0f903a21e6a00f038ad
Opcode Fuzzy Hash: e88ac28be40caa963e217a51eee88fc8f8f50baec0fb1e23c6390535ab54d2f3
Instruction Fuzzy Hash: E8C18E74E01218CFDB14DFA9D984B9DBBB2EF89300F6081A9D809AB355DB355E81CF50

Function 05CE0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c12650c04b1c23f2c834f3466805ac4010887938fc1ed7045e35983afe2de8
Instruction ID: 2600731014ed109cad8e12f42717cd4524fd9d33f336c432374c639c7fb759e9
Opcode Fuzzy Hash: 22c12650c04b1c23f2c834f3466805ac4010887938fc1ed7045e35983afe2de8
Instruction Fuzzy Hash: 9EC18E74E01218CFDB14DFA9D948B9DBBB2BF89300F6080A9D809AB255DB355E81CF50

Function 05CE7458 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e93442157c1ff8651893a0bfc754eb7edd77ce0658babf5c57dca768af91ce
Instruction ID: aa6232bf02aa82bf47b4f88b7bbf3c5cd925a6b02ca1f0c2352152df70cdc5cd
Opcode Fuzzy Hash: 56e93442157c1ff8651893a0bfc754eb7edd77ce0658babf5c57dca768af91ce
Instruction Fuzzy Hash: 5DC18E74E01218CFDB14DFA9D988B9DBBB2EF89304F6081A9D809AB355DB355E81CF50

Function 05CE6FD8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598925d479bfee65e36de93021d5d9ea89621ab96c3b372e5232933635d178d6
Instruction ID: 2a95a66fc43a52dc55053d8f22b5a2085b441fb9247a67b84f475d7ddb103585
Opcode Fuzzy Hash: 598925d479bfee65e36de93021d5d9ea89621ab96c3b372e5232933635d178d6
Instruction Fuzzy Hash: 20C19E74E01218CFDB54DFA9D984B9DBBB2EF89300F5080A9D809AB355DB359E81DF50

Function 05CE6B80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e0ac0805bd47ecdb4aa568124b8d748437f09101ec7b8c7352643610b592f3
Instruction ID: 8fa4f368529cfbdefc0aeb39b1f8ec039680031127c316458c0e9690a0bf97ba
Opcode Fuzzy Hash: f4e0ac0805bd47ecdb4aa568124b8d748437f09101ec7b8c7352643610b592f3
Instruction Fuzzy Hash: E4C19E74E01218CFDB14DFA9D984B9DBBB2BF89301F6081A9D809AB355DB355E81CF50

Function 05CE6728 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a450ad46f40b8b25cd65cb18b73826e9a4cb2908c872d6fd6bbeefc07679cfa9
Instruction ID: faef3917ae7c0c9cc5408e3cfd1e5c28a2904bedd766f439eab2977b6ef4cad9
Opcode Fuzzy Hash: a450ad46f40b8b25cd65cb18b73826e9a4cb2908c872d6fd6bbeefc07679cfa9
Instruction Fuzzy Hash: BFC19E74E01218CFDB14DFA9D988B9DBBB2BF89300F6080A9D809AB355DB355E81DF50

Function 05CE62D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a811cfde1789990cb9bb37292bb05f0ea7285d680bef0b1f11e654c1fa36ba1
Instruction ID: 96d85513a93c9f8e201246095dec2cf0e2161ca64a46b870de6a94913d2edee6
Opcode Fuzzy Hash: 6a811cfde1789990cb9bb37292bb05f0ea7285d680bef0b1f11e654c1fa36ba1
Instruction Fuzzy Hash: 5EC19E74E01218CFDB14DFA9D994B9DBBB2BF89304F6080A9D809AB355DB359E81CF50

Function 05CE5E78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b298bcc9bb8bc44b67bd13f814ede376f092ce39b9c415e694b2e0ff59e4ccf
Instruction ID: 04451e29bc37f432dde1cbc6ef80ac1d2b27c226e46022b15e02377c06b55bc0
Opcode Fuzzy Hash: 8b298bcc9bb8bc44b67bd13f814ede376f092ce39b9c415e694b2e0ff59e4ccf
Instruction Fuzzy Hash: 57C19F74E01218CFDB14DFA9D948B9DBBB2BF89304F6081A9D809AB355DB359E81CF50

Function 05CE5A20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3847244878.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ce0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936f4c5b45ec8f5330e8020ae2dc8edf20cbd7105e56796ef1f17c7b168467cf
Instruction ID: ae2d3457a64bb2c2499fa2b9cd0031a68a80f94b7fe81ec21fc0ea133c6f678f
Opcode Fuzzy Hash: 936f4c5b45ec8f5330e8020ae2dc8edf20cbd7105e56796ef1f17c7b168467cf
Instruction Fuzzy Hash: 4AC19E74E01218CFDB24DFA9D994B9DBBB2BF89304F5080A9D809AB355DB355E81CF50

Function 0572CD70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d6b32a0a2c047b6bde12698c5af892f8559c60c2fed72996a33af6b1546edb
Instruction ID: 9325b73b0d6e609a2a7e6435014c5bbf1dd8d0268f743b2be25155d4a79c3a64
Opcode Fuzzy Hash: 85d6b32a0a2c047b6bde12698c5af892f8559c60c2fed72996a33af6b1546edb
Instruction Fuzzy Hash: E9C19F74E01228CFDB24DFA9D944B9DBBB2BF89300F6081A9D809AB354DB355E81DF50

Function 05720D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7396c440ef939c6e59323d570815c0085f509b12a549e1cb3afe279a47751c06
Instruction ID: a3026740957e5d5dd60cd69b5f4bea920024d481b5edad48c455abad3385f509
Opcode Fuzzy Hash: 7396c440ef939c6e59323d570815c0085f509b12a549e1cb3afe279a47751c06
Instruction Fuzzy Hash: 27C19E74E01218CFDB24DFA9D958B9DBBB2BF89300F1080A9D809AB354DB355E81DF50

Function 0572B360 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a13f13fceb32152bfadbce7847e9adf7c1b21a17c0f21b928155ad6d6786d19
Instruction ID: b2af3f763464e23cef4779cc9789ea53f221362b99a2dbc5c0589dfeb183519b
Opcode Fuzzy Hash: 9a13f13fceb32152bfadbce7847e9adf7c1b21a17c0f21b928155ad6d6786d19
Instruction Fuzzy Hash: 10C19F74E01218CFDB14DFA9D994B9DBBB2BF89300F6080A9D809AB355DB359E81DF50

Function 0572E328 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fc98c5e401a15fdafcf0d420ae107bea8b185ed2c4b9b20db9b5fc73a0487b
Instruction ID: 8d8ba28104252629d1d35c503dacd4fdda308eb682cec3162dfab26f7f08e1d3
Opcode Fuzzy Hash: 65fc98c5e401a15fdafcf0d420ae107bea8b185ed2c4b9b20db9b5fc73a0487b
Instruction Fuzzy Hash: AFC19F74E01218CFDB14DFA9D984BADBBB2BF89300F5080A9D809AB355DB355E81DF50

Function 0572C918 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1862dedfd3246a0cd4a8be1901d786112901d3aa6bc6de72f6593de60919b419
Instruction ID: 74c7dc3f007ed478e798947ec473b62978ec7c1f48858311ccc70c4d1c41ea97
Opcode Fuzzy Hash: 1862dedfd3246a0cd4a8be1901d786112901d3aa6bc6de72f6593de60919b419
Instruction Fuzzy Hash: B2C1AE74E01228DFDB14DFA9D958B9DBBB2AF89300F6080A9D809AB354DB355E81DF50

Function 05720900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4153fab2b5f7f685985977bc006247afa2115da4baf5e3528d1c1984b6be3ecf
Instruction ID: 4dbf48e350c0ee72f4cd38b897cb4d483b9ce4b3e6c8f36963930b3f79603dbf
Opcode Fuzzy Hash: 4153fab2b5f7f685985977bc006247afa2115da4baf5e3528d1c1984b6be3ecf
Instruction Fuzzy Hash: FDC18E74E01218CFDB24DFA9D958B9DBBB2BB89300F1081A9D809A7355DB359E81DF50

Function 0572EBD8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34432723f5b07841d3a4f85a961f9cb80a80a6ca458309956ee767b3fd3a06ef
Instruction ID: 3318f8aee5face44bac200de8c9273263a49653087f1ff2a9043ad4e10d0fb91
Opcode Fuzzy Hash: 34432723f5b07841d3a4f85a961f9cb80a80a6ca458309956ee767b3fd3a06ef
Instruction Fuzzy Hash: B8C19F74E01228CFDB54DFA9D944BADBBB2BF89300F6080A9D809AB355DB355E81DF50

Function 0572D1C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e015c365276f9fe951866ff6c464d80e287edb80de591673ed5976122c3f4430
Instruction ID: b820a351866e368e7e491ddfb313617790ebeb829106057a2f491ab5ce82ec8e
Opcode Fuzzy Hash: e015c365276f9fe951866ff6c464d80e287edb80de591673ed5976122c3f4430
Instruction Fuzzy Hash: 55C19074E01228CFDB24DFA9D944B9DBBB2BF89304F5080A9D809AB354DB359E81DF50

Function 0572B7B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70c7df94c0860e8a9bbb3cd7fd9794392f583459f2e13d8c53916aed0a57e45
Instruction ID: d4b4f084c81d93da2ad464d19ac39e1efc8470bfd87604cda0fdb08b9160a059
Opcode Fuzzy Hash: f70c7df94c0860e8a9bbb3cd7fd9794392f583459f2e13d8c53916aed0a57e45
Instruction Fuzzy Hash: C2C19E74E01228CFDB14DFA9D984B9DBBB2AF89300F6080A9D809AB355DB355E81DF50

Function 0572E780 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2dfa3b678c83c96f7809bf0766a493a7d87a9ee31362c5aac6f2338a16b512
Instruction ID: 75c492e272233cedd55cee6e9a8f67d18ed7993071b48a72cb48643ca52bcfd8
Opcode Fuzzy Hash: 6a2dfa3b678c83c96f7809bf0766a493a7d87a9ee31362c5aac6f2338a16b512
Instruction Fuzzy Hash: F3C1AF74E01218CFDB14DFA9D948BADBBB2BF89300F6080A9D809AB354DB355E81DF50

Function 0572DA78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf88ca85a067c2cab2c7e193a4b447372cb62e8a9aa893320d9b52e0224ec77
Instruction ID: 65068c5ffee553b4793f299ad9ec1ed5a99b1d8d4a00c794bb46f75c979a5919
Opcode Fuzzy Hash: 9bf88ca85a067c2cab2c7e193a4b447372cb62e8a9aa893320d9b52e0224ec77
Instruction Fuzzy Hash: 94C19F74E01228CFDB24DFA9D954B9DBBB2BF89300F5080A9D409AB355DB355E81DF50

Function 0572C068 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d39ce310ce261762d8b39baa3f09da01c90a1e8a9c8f51d34ad10ee6493d035
Instruction ID: 7886645417d639cc7f247e6d6cb447a8bcf934cddae837e981fd1769bd2536e7
Opcode Fuzzy Hash: 9d39ce310ce261762d8b39baa3f09da01c90a1e8a9c8f51d34ad10ee6493d035
Instruction Fuzzy Hash: FFC1BE74E01228DFDB14DFA9D944BADBBB2BF89300F6081A9D809AB354DB355E81DF50

Function 0572F030 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1bc4c375f049996fd0214100dad7af74cfe974a73a8073c6cb49d262b5fd48
Instruction ID: 94affa7b098185ea81d19503b1d4ab0eab62e4f3deb77274198eea46344d85f6
Opcode Fuzzy Hash: 4b1bc4c375f049996fd0214100dad7af74cfe974a73a8073c6cb49d262b5fd48
Instruction Fuzzy Hash: 36C19E74E01228CFDB14DFA9D954B9DBBB2BF89300F6080A9D809AB355DB355E81DF50

Function 0572D620 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4aee1f1610a76b77a4ce90e84fe16079da927831b629f3f236dd2abf2dfa74
Instruction ID: 0e5e928e247ecbe0cc0209a19bdacb8097b5f54b579c6bb72bb0aab26ffab763
Opcode Fuzzy Hash: 9d4aee1f1610a76b77a4ce90e84fe16079da927831b629f3f236dd2abf2dfa74
Instruction Fuzzy Hash: D3C19F74E01218CFDB24DFA9D948B9DBBB2BF89300F5081A9D809AB355DB359E81DF50

Function 0572BC10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804937dbbaa290a30239f72bd17436f6f99c8077a0c45605c86c598019df7a1f
Instruction ID: dd575b4fdbbc4d29a4b7254e70cd21882ff7b9a48825ca17c9f3f88bf2e15eb7
Opcode Fuzzy Hash: 804937dbbaa290a30239f72bd17436f6f99c8077a0c45605c86c598019df7a1f
Instruction Fuzzy Hash: D0C19F74E01228CFDB24DFA9D984B9DBBB2BF89300F5081A9D809AB355DB355E81DF50

Function 0572F8E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed82422f582cf19afa2245fc4c29b8723b7af3785e307fdb2d23402bbaa4b996
Instruction ID: b4ac202c2aadd214502f31029807b415c525db9e1513534b5d0ff8888a358cbe
Opcode Fuzzy Hash: ed82422f582cf19afa2245fc4c29b8723b7af3785e307fdb2d23402bbaa4b996
Instruction Fuzzy Hash: 00C18E74E01228CFDB14DFA9D958B9DBBB2BF89300F6081A9D809AB354DB355E81DF50

Function 0572DED0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856609fa431263c25a824a931380826d333b55f869912e365046eb0f2956da35
Instruction ID: 620a44785e37b27f06640a2f6c2e7f4e8e68d6b16bab6344324f7451ca8fb8b9
Opcode Fuzzy Hash: 856609fa431263c25a824a931380826d333b55f869912e365046eb0f2956da35
Instruction Fuzzy Hash: 62C19F74E01228CFDB14DFA9D954BADBBB2BF89300F5081A9D809AB354DB359E81DF50

Function 0572C4C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7501c73e2d7a3324059c950582cacd0a1d3b6e36dcdea639f892a543c5c676d5
Instruction ID: 19601f49d66717d2c909d857ee88e3246a110ca8e1a22f4cfd820d1e510a9ac0
Opcode Fuzzy Hash: 7501c73e2d7a3324059c950582cacd0a1d3b6e36dcdea639f892a543c5c676d5
Instruction Fuzzy Hash: DBC19F74E01218DFDB14DFA9D944B9DBBB2BF89300F6081A9D809AB354DB359E81DF50

Function 057204A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b08f29001e21ef9566a03f5a0b5a9862e1db4193980e9699f37d7f9935ff8fa
Instruction ID: a23e3f3e51948192df9f2146a0472b68f3f724aecd7c997b83e8d16fbad1547b
Opcode Fuzzy Hash: 3b08f29001e21ef9566a03f5a0b5a9862e1db4193980e9699f37d7f9935ff8fa
Instruction Fuzzy Hash: 17C18E74E01218CFDB64DFA9D948B9DBBB2BF89300F1081A9D809AB355DB359E81DF50

Function 0572F488 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3846937808.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f94e9ae77a83567dcc9994359ba67426c321243b832995c62a238556b3077cd
Instruction ID: f9c6f75f0bd3b31ddf3786f9dae9c9d71516db8a065ddbc791c5ec040242f7a6
Opcode Fuzzy Hash: 2f94e9ae77a83567dcc9994359ba67426c321243b832995c62a238556b3077cd
Instruction Fuzzy Hash: 40C19E74E01218CFDB14DFA9D984B9DBBB2BF89300F6080A9D809AB355DB359E81DF50

Function 0133EB5B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c171c7116e9d4376278c4b4a139790c382b6dbf88aeab507534b2a52c03716b7
Instruction ID: 9ba797a66d2878696ee9b240e17a89ead183f0ff0919b6ec9f6fc62f21bdcc90
Opcode Fuzzy Hash: c171c7116e9d4376278c4b4a139790c382b6dbf88aeab507534b2a52c03716b7
Instruction Fuzzy Hash: 70A18D74A01228DFDB64DF28C994B9ABBB2BF89305F1085E9E40DA7350DB319E81CF51

Function 0133ED3C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3843550275.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50750c6b52059184407d4d347e0489f380f384d85b16c0b7f6dddd6132df74c
Instruction ID: 7256eeb7f49d8f2f287a1b173d32ef970e0ac24c35363c03debfd5e873736060
Opcode Fuzzy Hash: a50750c6b52059184407d4d347e0489f380f384d85b16c0b7f6dddd6132df74c
Instruction Fuzzy Hash: 0F51A374A01228CFCB64DF24D954BAAB7B2FF4A305F5095E9D40AA7350DB329E81CF50

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hesaphareketi-01.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hesaphareketi-01_3ffcbc6a735f3e4af47273e3c2f361ad34325cd_57f7b72a_3ba493a6-892d-425a-a023-2ac34e7d3fd2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76EC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7807.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7856.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
hesaphareketi-01.pdf.exe