Edit tour

Windows Analysis Report
0001.exe

Overview

General Information

Sample name:	0001.exe
Analysis ID:	1577629
MD5:	50bb47bb771b4140a514b309b643711e
SHA1:	60ecc3ff6bad5b263313d8c35b91c461b3632d0d
SHA256:	ed54ab7270f7562ce7953847239b8c4467361c3105a9688942d05bc55a217234
Tags:	exeuser-Racco42
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Drops VBS files to the startup folder

Drops large PE files

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

0001.exe (PID: 1868 cmdline: "C:\Users\user\Desktop\0001.exe" MD5: 50BB47BB771B4140A514B309B643711E)

InstallUtil.exe (PID: 7112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 6396 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

svcost.exe (PID: 1280 cmdline: "C:\Users\user\AppData\Roaming\svcost.exe" MD5: DD9799233734DDEB80E69E46D3FAF0B5)

InstallUtil.exe (PID: 5216 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sendxfoxnode@juguly.shop", "Password": "0Rwf4UeVpnUG", "Host": "juguly.shop", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1832153792.0000000003453000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1716994586.00000000055E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae9:$a1: get_encryptedPassword 0x35309:$a1: get_encryptedPassword 0x14dd5:$a2: get_encryptedUsername 0x355f5:$a2: get_encryptedUsername 0x148f5:$a3: get_timePasswordChanged 0x35115:$a3: get_timePasswordChanged 0x149f0:$a4: get_passwordField 0x35210:$a4: get_passwordField 0x14aff:$a5: set_encryptedPassword 0x3531f:$a5: set_encryptedPassword 0x16174:$a7: get_logins 0x36994:$a7: get_logins 0x160d7:$a10: KeyLoggerEventArgs 0x368f7:$a10: KeyLoggerEventArgs 0x15d42:$a11: KeyLoggerEventArgsEventHandler 0x36562:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18498:$x1: $%SMTPDV$ 0x38cb8:$x1: $%SMTPDV$ 0x184fe:$x2: $#TheHashHere%& 0x38d1e:$x2: $#TheHashHere%& 0x19b27:$x3: %FTPDV$ 0x3a347:$x3: %FTPDV$ 0x19c1b:$x4: $%TelegramDv$ 0x3a43b:$x4: $%TelegramDv$ 0x15d42:$x5: KeyLoggerEventArgs 0x160d7:$x5: KeyLoggerEventArgs 0x36562:$x5: KeyLoggerEventArgs 0x368f7:$x5: KeyLoggerEventArgs 0x19b4b:$m2: Clipboard Logs ID 0x19d6b:$m2: Screenshot Logs ID 0x19e7b:$m2: keystroke Logs ID 0x3a36b:$m2: Clipboard Logs ID 0x3a58b:$m2: Screenshot Logs ID 0x3a69b:$m2: keystroke Logs ID 0x1a155:$m3: SnakePW 0x3a975:$m3: SnakePW 0x19d43:$m4: \SnakeKeylogger\
00000006.00000002.3930502992.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1689348386.0000000002523000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15539:$a1: get_encryptedPassword 0x15825:$a2: get_encryptedUsername 0x15345:$a3: get_timePasswordChanged 0x15440:$a4: get_passwordField 0x1554f:$a5: set_encryptedPassword 0x16bc4:$a7: get_logins 0x16b27:$a10: KeyLoggerEventArgs 0x16792:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18ee8:$x1: $%SMTPDV$ 0x18f4e:$x2: $#TheHashHere%& 0x1a577:$x3: %FTPDV$ 0x1a66b:$x4: $%TelegramDv$ 0x16792:$x5: KeyLoggerEventArgs 0x16b27:$x5: KeyLoggerEventArgs 0x1a59b:$m2: Clipboard Logs ID 0x1a7bb:$m2: Screenshot Logs ID 0x1a8cb:$m2: keystroke Logs ID 0x1aba5:$m3: SnakePW 0x1a793:$m4: \SnakeKeylogger\
00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2248:$x1: $%SMTPDV$ 0x22ae:$x2: $#TheHashHere%& 0x38d7:$x3: %FTPDV$ 0x39cb:$x4: $%TelegramDv$ 0x38fb:$m2: Clipboard Logs ID 0x3b1b:$m2: Screenshot Logs ID 0x3c2b:$m2: keystroke Logs ID 0x3f05:$m3: SnakePW 0x3af3:$m4: \SnakeKeylogger\
00000004.00000002.3931049967.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x19009:$a1: get_encryptedPassword 0x192f5:$a2: get_encryptedUsername 0x18e15:$a3: get_timePasswordChanged 0x18f10:$a4: get_passwordField 0x1901f:$a5: set_encryptedPassword 0x1a694:$a7: get_logins 0x1a5f7:$a10: KeyLoggerEventArgs 0x1a262:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1c9b8:$x1: $%SMTPDV$ 0x1ca1e:$x2: $#TheHashHere%& 0x1e047:$x3: %FTPDV$ 0x1e13b:$x4: $%TelegramDv$ 0x1a262:$x5: KeyLoggerEventArgs 0x1a5f7:$x5: KeyLoggerEventArgs 0x1e06b:$m2: Clipboard Logs ID 0x1e28b:$m2: Screenshot Logs ID 0x1e39b:$m2: keystroke Logs ID 0x1e675:$m3: SnakePW 0x1e263:$m4: \SnakeKeylogger\
00000006.00000002.3930502992.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3931049967.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: 0001.exe PID: 1868	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 0001.exe PID: 1868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0001.exe PID: 1868	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 0001.exe PID: 1868	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: 0001.exe PID: 1868	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6b081:$a1: get_encryptedPassword 0x175c25:$a1: get_encryptedPassword 0x6b363:$a2: get_encryptedUsername 0x175f07:$a2: get_encryptedUsername 0x6ae97:$a3: get_timePasswordChanged 0x175a3b:$a3: get_timePasswordChanged 0x6af92:$a4: get_passwordField 0x175b36:$a4: get_passwordField 0x6b097:$a5: set_encryptedPassword 0x175c3b:$a5: set_encryptedPassword 0x6d56d:$a7: get_logins 0x178111:$a7: get_logins 0x6d4d0:$a10: KeyLoggerEventArgs 0x178074:$a10: KeyLoggerEventArgs 0x6d13b:$a11: KeyLoggerEventArgsEventHandler 0x177cdf:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 0001.exe PID: 1868	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6d13b:$x5: KeyLoggerEventArgs 0x6d4d0:$x5: KeyLoggerEventArgs 0x6ddd7:$x5: KeyLoggerEventArgs 0x6e138:$x5: KeyLoggerEventArgs 0x177cdf:$x5: KeyLoggerEventArgs 0x178074:$x5: KeyLoggerEventArgs 0x17897b:$x5: KeyLoggerEventArgs 0x178cdc:$x5: KeyLoggerEventArgs 0x6f735:$m2: Clipboard Logs ID 0x6f82c:$m2: Screenshot Logs ID 0x6f882:$m2: keystroke Logs ID 0x17a2d9:$m2: Clipboard Logs ID 0x17a3d0:$m2: Screenshot Logs ID 0x17a426:$m2: keystroke Logs ID 0x6f9b7:$m3: SnakePW 0x17a55b:$m3: SnakePW 0x6f818:$m4: \SnakeKeylogger\ 0x17a3bc:$m4: \SnakeKeylogger\
Process Memory Space: InstallUtil.exe PID: 7112	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7112	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: svcost.exe PID: 1280	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: svcost.exe PID: 1280	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svcost.exe PID: 1280	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: svcost.exe PID: 1280	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: svcost.exe PID: 1280	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x57848:$a1: get_encryptedPassword 0x57b2a:$a2: get_encryptedUsername 0x5765e:$a3: get_timePasswordChanged 0x57759:$a4: get_passwordField 0x5785e:$a5: set_encryptedPassword 0x59d34:$a7: get_logins 0x59c97:$a10: KeyLoggerEventArgs 0x59902:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: svcost.exe PID: 1280	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x59902:$x5: KeyLoggerEventArgs 0x59c97:$x5: KeyLoggerEventArgs 0x5a59e:$x5: KeyLoggerEventArgs 0x5a8ff:$x5: KeyLoggerEventArgs 0x5befc:$m2: Clipboard Logs ID 0x5bff3:$m2: Screenshot Logs ID 0x5c049:$m2: keystroke Logs ID 0x5c17e:$m3: SnakePW 0x5bfdf:$m4: \SnakeKeylogger\
Process Memory Space: InstallUtil.exe PID: 5216	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 5216	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 5216	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x498d0:$m2: Clipboard Logs ID 0x499c7:$m2: Screenshot Logs ID 0x49a1d:$m2: keystroke Logs ID 0x49b52:$m3: SnakePW 0x499b3:$m4: \SnakeKeylogger\
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1568a:$s1: UnHook 0x15691:$s2: SetHook 0x15699:$s3: CallNextHook 0x156a6:$s4: _hook
0.2.0001.exe.55e0000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.0001.exe.34c5570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0001.exe.34c5570.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.0001.exe.34c5570.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.0001.exe.34c5570.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a99:$a1: get_encryptedPassword 0x14d85:$a2: get_encryptedUsername 0x148a5:$a3: get_timePasswordChanged 0x149a0:$a4: get_passwordField 0x14aaf:$a5: set_encryptedPassword 0x16124:$a7: get_logins 0x16087:$a10: KeyLoggerEventArgs 0x15cf2:$a11: KeyLoggerEventArgsEventHandler
0.2.0001.exe.34c5570.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c4c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb2c:$a4: \Orbitum\User Data\Default\Login Data 0x1cb6b:$a5: \Kometa\User Data\Default\Login Data
0.2.0001.exe.34c5570.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1568a:$s1: UnHook 0x15691:$s2: SetHook 0x15699:$s3: CallNextHook 0x156a6:$s4: _hook
0.2.0001.exe.34c5570.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18448:$x1: $%SMTPDV$ 0x184ae:$x2: $#TheHashHere%& 0x19ad7:$x3: %FTPDV$ 0x19bcb:$x4: $%TelegramDv$ 0x15cf2:$x5: KeyLoggerEventArgs 0x16087:$x5: KeyLoggerEventArgs 0x19afb:$m2: Clipboard Logs ID 0x19d1b:$m2: Screenshot Logs ID 0x19e2b:$m2: keystroke Logs ID 0x1a105:$m3: SnakePW 0x19cf3:$m4: \SnakeKeylogger\
0.2.0001.exe.34c5570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0001.exe.34c5570.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.0001.exe.34c5570.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c99:$a1: get_encryptedPassword 0x12f85:$a2: get_encryptedUsername 0x12aa5:$a3: get_timePasswordChanged 0x12ba0:$a4: get_passwordField 0x12caf:$a5: set_encryptedPassword 0x14324:$a7: get_logins 0x14287:$a10: KeyLoggerEventArgs 0x13ef2:$a11: KeyLoggerEventArgsEventHandler
0.2.0001.exe.34c5570.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a6c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d2c:$a4: \Orbitum\User Data\Default\Login Data 0x1ad6b:$a5: \Kometa\User Data\Default\Login Data
0.2.0001.exe.34c5570.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1388a:$s1: UnHook 0x13891:$s2: SetHook 0x13899:$s3: CallNextHook 0x138a6:$s4: _hook
0.2.0001.exe.34c5570.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16648:$x1: $%SMTPDV$ 0x166ae:$x2: $#TheHashHere%& 0x17cd7:$x3: %FTPDV$ 0x17dcb:$x4: $%TelegramDv$ 0x13ef2:$x5: KeyLoggerEventArgs 0x14287:$x5: KeyLoggerEventArgs 0x17cfb:$m2: Clipboard Logs ID 0x17f1b:$m2: Screenshot Logs ID 0x1802b:$m2: keystroke Logs ID 0x18305:$m3: SnakePW 0x17ef3:$m4: \SnakeKeylogger\
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs" , ProcessId: 6396, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs" , ProcessId: 6396, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\0001.exe, ProcessId: 1868, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T16:13:55.044063+0100	2803305	3	Unknown Traffic	192.168.2.8	49714	104.21.67.152	443	TCP
2024-12-18T16:13:58.234798+0100	2803305	3	Unknown Traffic	192.168.2.8	49716	104.21.67.152	443	TCP
2024-12-18T16:14:07.791964+0100	2803305	3	Unknown Traffic	192.168.2.8	49724	104.21.67.152	443	TCP
2024-12-18T16:14:11.460582+0100	2803305	3	Unknown Traffic	192.168.2.8	49729	104.21.67.152	443	TCP
2024-12-18T16:14:26.878765+0100	2803305	3	Unknown Traffic	192.168.2.8	49742	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T16:13:50.479156+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	132.226.8.169	80	TCP
2024-12-18T16:13:53.431769+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	132.226.8.169	80	TCP
2024-12-18T16:13:56.619228+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49715	132.226.8.169	80	TCP
2024-12-18T16:13:59.822439+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49717	132.226.8.169	80	TCP
2024-12-18T16:14:03.994296+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49720	132.226.247.73	80	TCP
2024-12-18T16:14:06.166173+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49720	132.226.247.73	80	TCP
2024-12-18T16:14:09.275525+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49726	132.226.247.73	80	TCP
2024-12-18T16:14:12.666218+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49730	132.226.247.73	80	TCP
2024-12-18T16:14:15.775639+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49734	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\svcost.exe

Avira: detection malicious, Label: HEUR/AGEN.1332199

Found malware configuration

Source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendxfoxnode@juguly.shop", "Password": "0Rwf4UeVpnUG", "Host": "juguly.shop", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: 0001.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\svcost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 0001.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 0001.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49722 version: TLS 1.0

Source: 0001.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 0001.exe, 00000000.00000002.1713417317.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.00000000035FB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 0001.exe, 00000000.00000002.1713417317.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.00000000035FB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: C:\Users\user\Desktop\0001.exe	Code function: 4x nop then jmp 023439D8h	0_2_02343920
Source: C:\Users\user\Desktop\0001.exe	Code function: 4x nop then jmp 023439D8h	0_2_0234391A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 027FF206h	4_2_027FF017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 027FFB90h	4_2_027FF017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_027FE538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_027FEB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_027FED4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06318945h	4_2_06318608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 063158C1h	4_2_06315618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06315D19h	4_2_06315A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06316171h	4_2_06315EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_063136CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 063165C9h	4_2_06316320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06316A21h	4_2_06316778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_063133B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_063133A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06316E79h	4_2_06316BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 063172FAh	4_2_06317050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 063102E9h	4_2_06310040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06317751h	4_2_063174A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06310741h	4_2_06310498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06310B99h	4_2_063108F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06317BA9h	4_2_06317900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06318001h	4_2_06317D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06310FF1h	4_2_06310D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06318459h	4_2_063181B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06315441h	4_2_06315198
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 4x nop then jmp 05F51C80h	5_2_05F51BC0
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 4x nop then jmp 05F51C80h	5_2_05F51BC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00E7F1F6h	6_2_00E7F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00E7FB80h	6_2_00E7F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_00E7E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E8945h	6_2_065E8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E02E9h	6_2_065E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E58C1h	6_2_065E5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_065E36CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E6171h	6_2_065E5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E6A21h	6_2_065E6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E0741h	6_2_065E0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E7751h	6_2_065E74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E8001h	6_2_065E7D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E0FF1h	6_2_065E0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E5D19h	6_2_065E5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E65C9h	6_2_065E6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E6E79h	6_2_065E6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_065E33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_065E33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E72FAh	6_2_065E7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E0B99h	6_2_065E08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E7BA9h	6_2_065E7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E5441h	6_2_065E5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 065E8459h	6_2_065E81B0

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49717 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49726 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49730 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49734 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49715 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49720 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49716 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49724 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49729 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49714 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49742 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49722 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: InstallUtil.exe, 00000004.00000002.3931049967.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000004.00000002.3931049967.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CCF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000004.00000002.3931049967.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://ocsps.ssl.com0?
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://ocsps.ssl.com0_
Source: InstallUtil.exe, 00000004.00000002.3931049967.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: 0001.exe, 00000000.00000002.1689348386.0000000002523000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1832153792.0000000003453000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000004.00000002.3931049967.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000006.00000002.3930502992.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: InstallUtil.exe, 00000004.00000002.3931049967.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1689348386.0000000002523000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1832153792.0000000003453000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: 0001.exe, svcost.exe.0.dr	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: 0001.exe PID: 1868, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 0001.exe PID: 1868, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: svcost.exe PID: 1280, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: svcost.exe PID: 1280, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 5216, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Drops large PE files

Source: C:\Users\user\Desktop\0001.exe

File dump: svcost.exe.0.dr 269736446

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_023452A0 NtProtectVirtualMemory,	0_2_023452A0
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_02347D40 NtResumeThread,	0_2_02347D40
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_0234529A NtProtectVirtualMemory,	0_2_0234529A
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_02347D38 NtResumeThread,	0_2_02347D38
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_05F53548 NtProtectVirtualMemory,	5_2_05F53548
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_05F55BE8 NtResumeThread,	5_2_05F55BE8
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_05F53540 NtProtectVirtualMemory,	5_2_05F53540
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_05F55BE3 NtResumeThread,	5_2_05F55BE3

Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_0228E270	0_2_0228E270
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_02289B28	0_2_02289B28
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_0228A55D	0_2_0228A55D
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_0228A5B8	0_2_0228A5B8
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_0228A5C8	0_2_0228A5C8
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_02289B19	0_2_02289B19
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_02341D98	0_2_02341D98
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_023488CD	0_2_023488CD
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_02348EB0	0_2_02348EB0
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_02348EC0	0_2_02348EC0
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_02341D88	0_2_02341D88
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_05FEE990	0_2_05FEE990
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_05FD0040	0_2_05FD0040
Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_05FD0006	0_2_05FD0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FB338	4_2_027FB338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FF017	4_2_027FF017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FC080	4_2_027FC080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027F6120	4_2_027F6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027F46D9	4_2_027F46D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FC761	4_2_027FC761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027F6748	4_2_027F6748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FB7E2	4_2_027FB7E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FCA41	4_2_027FCA41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FBAC0	4_2_027FBAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027F9868	4_2_027F9868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FBDA0	4_2_027FBDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027F3570	4_2_027F3570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FE538	4_2_027FE538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FE527	4_2_027FE527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_027FB502	4_2_027FB502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06318608	4_2_06318608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631D670	4_2_0631D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631AA58	4_2_0631AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631B6E8	4_2_0631B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631C388	4_2_0631C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631D028	4_2_0631D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631A408	4_2_0631A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06318C51	4_2_06318C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631B0A0	4_2_0631B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631BD38	4_2_0631BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_063111A0	4_2_063111A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631C9D8	4_2_0631C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06315618	4_2_06315618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631560A	4_2_0631560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06315A70	4_2_06315A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06315A60	4_2_06315A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631D662	4_2_0631D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631AA48	4_2_0631AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06315EB8	4_2_06315EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631F2FF	4_2_0631F2FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631B6D9	4_2_0631B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06315EC8	4_2_06315EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06313730	4_2_06313730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06316320	4_2_06316320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06316312	4_2_06316312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06316778	4_2_06316778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631C378	4_2_0631C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631676A	4_2_0631676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_063133B8	4_2_063133B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_063133A8	4_2_063133A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631F397	4_2_0631F397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631A3F8	4_2_0631A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631F3E3	4_2_0631F3E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06316BD0	4_2_06316BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06316BC1	4_2_06316BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06314430	4_2_06314430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631F42F	4_2_0631F42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06312818	4_2_06312818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631D018	4_2_0631D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06310007	4_2_06310007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06312807	4_2_06312807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06317050	4_2_06317050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06310040	4_2_06310040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06317040	4_2_06317040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_063174A8	4_2_063174A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06317497	4_2_06317497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06310498	4_2_06310498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06310488	4_2_06310488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631B08F	4_2_0631B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_063108F0	4_2_063108F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_063178F0	4_2_063178F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_063108E0	4_2_063108E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631F131	4_2_0631F131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06310D39	4_2_06310D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631BD28	4_2_0631BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06317900	4_2_06317900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06317D58	4_2_06317D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06310D48	4_2_06310D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06317D48	4_2_06317D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_063181B0	4_2_063181B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_063181A0	4_2_063181A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06311191	4_2_06311191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06315198	4_2_06315198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631518A	4_2_0631518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_063185FC	4_2_063185FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631C9C8	4_2_0631C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0631F1CF	4_2_0631F1CF
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_0326E270	5_2_0326E270
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_03269B28	5_2_03269B28
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_0326A5B8	5_2_0326A5B8
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_0326A5C8	5_2_0326A5C8
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_03269B19	5_2_03269B19
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_05F50040	5_2_05F50040
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_05F56D88	5_2_05F56D88
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_05F56D78	5_2_05F56D78
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_05F56783	5_2_05F56783
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_05F50006	5_2_05F50006
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_06F5E990	5_2_06F5E990
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_06F40040	5_2_06F40040
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_06F40007	5_2_06F40007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E7F007	6_2_00E7F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E7C190	6_2_00E7C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E7B328	6_2_00E7B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E7C470	6_2_00E7C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E797E8	6_2_00E797E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E7C752	6_2_00E7C752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E76730	6_2_00E76730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E74AD9	6_2_00E74AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E7CA32	6_2_00E7CA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E7BBD2	6_2_00E7BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E7BEB0	6_2_00E7BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E73572	6_2_00E73572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E7E528	6_2_00E7E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E7E517	6_2_00E7E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065ED670	6_2_065ED670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E8608	6_2_065E8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EB6E8	6_2_065EB6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E8C51	6_2_065E8C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EA408	6_2_065EA408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EBD38	6_2_065EBD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EAA58	6_2_065EAA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EC388	6_2_065EC388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E0040	6_2_065E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065ED028	6_2_065ED028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EB0A0	6_2_065EB0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EC9D8	6_2_065EC9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E11A0	6_2_065E11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065ED662	6_2_065ED662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E5618	6_2_065E5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E560A	6_2_065E560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EB6D9	6_2_065EB6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E5EC8	6_2_065E5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E5EB8	6_2_065E5EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E6778	6_2_065E6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E676A	6_2_065E676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E3730	6_2_065E3730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E4430	6_2_065E4430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E0498	6_2_065E0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E7497	6_2_065E7497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E0488	6_2_065E0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E74A8	6_2_065E74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E7D58	6_2_065E7D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E0D48	6_2_065E0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E7D48	6_2_065E7D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E0D39	6_2_065E0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EBD28	6_2_065EBD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E85FC	6_2_065E85FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EAA48	6_2_065EAA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E5A70	6_2_065E5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E5A60	6_2_065E5A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EC378	6_2_065EC378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E6312	6_2_065E6312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E6320	6_2_065E6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E6BD0	6_2_065E6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E6BC1	6_2_065E6BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EA3F8	6_2_065EA3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E33B8	6_2_065E33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E33A8	6_2_065E33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E7050	6_2_065E7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E7040	6_2_065E7040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E2818	6_2_065E2818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065ED018	6_2_065ED018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E0006	6_2_065E0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E2807	6_2_065E2807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E08F0	6_2_065E08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E78F0	6_2_065E78F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E08E0	6_2_065E08E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EB090	6_2_065EB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E7900	6_2_065E7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065EC9C8	6_2_065EC9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E5198	6_2_065E5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E1191	6_2_065E1191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E518A	6_2_065E518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E81B0	6_2_065E81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_065E81A0	6_2_065E81A0

Source: 0001.exe

Static PE information: invalid certificate

Source: 0001.exe, 00000000.00000002.1713417317.0000000004F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 0001.exe
Source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 0001.exe
Source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 0001.exe
Source: 0001.exe, 00000000.00000002.1689348386.0000000002523000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 0001.exe
Source: 0001.exe, 00000000.00000002.1687150375.000000000062E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 0001.exe
Source: 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 0001.exe
Source: 0001.exe, 00000000.00000002.1689348386.0000000002A47000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 0001.exe
Source: 0001.exe, 00000000.00000002.1713702005.0000000005180000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOyohn.dll" vs 0001.exe
Source: 0001.exe, 00000000.00000002.1689348386.00000000024C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 0001.exe
Source: 0001.exe, 00000000.00000002.1709684554.00000000035FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 0001.exe
Source: 0001.exe, 00000000.00000002.1709684554.00000000035FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOyohn.dll" vs 0001.exe
Source: 0001.exe, 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 0001.exe
Source: 0001.exe, 00000000.00000000.1463671439.000000000017C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRef#5022736.exe8 vs 0001.exe
Source: 0001.exe	Binary or memory string: OriginalFilenameRef#5022736.exe8 vs 0001.exe

Source: 0001.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: 0001.exe PID: 1868, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 0001.exe PID: 1868, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: svcost.exe PID: 1280, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: svcost.exe PID: 1280, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 5216, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0001.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svcost.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.0001.exe.35ab810.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.0001.exe.35ab810.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.0001.exe.35ab810.3.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.0001.exe.35ab810.3.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.0001.exe.35fb830.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.0001.exe.35fb830.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.0001.exe.35fb830.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.0001.exe.35fb830.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.0001.exe.35ab810.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.0001.exe.35fb830.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.0001.exe.35ab810.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0001.exe.35ab810.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.0001.exe.35fb830.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.0001.exe.35fb830.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0001.exe.35ab810.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.0001.exe.35fb830.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.0001.exe.35ab810.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.0001.exe.35ab810.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/2@3/3

Source: C:\Users\user\Desktop\0001.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs"

Source: 0001.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0001.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0001.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe, 00000004.00000002.3931049967.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3934589428.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3934120696.0000000003BCD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002DC2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 0001.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\0001.exe

File read: C:\Users\user\Desktop\0001.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0001.exe "C:\Users\user\Desktop\0001.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs"
Source: C:\Users\user\Desktop\0001.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe"
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\0001.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\0001.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\0001.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\0001.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 0001.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0001.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 0001.exe

Static file information: File size 1175520 > 1048576

Source: 0001.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x118600

Source: 0001.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 0001.exe, 00000000.00000002.1713417317.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.00000000035FB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 0001.exe, 00000000.00000002.1713417317.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.00000000035FB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.0001.exe.35ab810.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.0001.exe.35ab810.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.0001.exe.35ab810.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.0001.exe.35fb830.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.0001.exe.35fb830.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.0001.exe.35fb830.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.0001.exe.55e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1832153792.0000000003453000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716994586.00000000055E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1689348386.0000000002523000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0001.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcost.exe PID: 1280, type: MEMORYSTR

Source: C:\Users\user\Desktop\0001.exe	Code function: 0_2_05FD7ED4 pushad ; ret	0_2_05FD7ED5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06313181 push ebx; retf	4_2_06313182
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 5_2_06F47ED4 pushad ; ret	5_2_06F47ED5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00E724B9 push 8BFFFFFFh; retf	6_2_00E724BF

Source: 0001.exe	Static PE information: section name: .text entropy: 7.6261958267331735
Source: svcost.exe.0.dr	Static PE information: section name: .text entropy: 7.6261958267331735

Source: C:\Users\user\Desktop\0001.exe

File created: C:\Users\user\AppData\Roaming\svcost.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\0001.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\0001.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs

Jump to behavior

Source: C:\Users\user\Desktop\0001.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs

Jump to behavior

Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 0001.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcost.exe PID: 1280, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 0001.exe, 00000000.00000002.1689348386.0000000002523000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1832153792.0000000003453000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\0001.exe	Memory allocated: 2280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Memory allocated: 24C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Memory allocated: 22E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Memory allocated: 6120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Memory allocated: 17120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory allocated: 1860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory allocated: 33F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory allocated: 53F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1170000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\0001.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599730	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599598	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599476	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599361	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596786	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595224	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594232	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598776	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597974	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597852	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597744	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595319	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595080	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594422	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2318	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 5919	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3933	Jump to behavior

Source: C:\Users\user\Desktop\0001.exe TID: 4676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe TID: 4920	Thread sleep count: 297 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1660	Thread sleep count: 2318 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1660	Thread sleep count: 7544 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -599730s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -599598s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -599476s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -599361s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -596786s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -596671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -596341s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -595905s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -595577s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -595224s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -594343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2112	Thread sleep time: -594232s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 5196	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 5192	Thread sleep count: 278 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2384	Thread sleep count: 5919 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2384	Thread sleep count: 3933 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -598776s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -598561s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -597974s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -597852s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -597744s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -595999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -595778s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -595319s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -595080s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -594966s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -594638s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -594422s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\0001.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599730	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599598	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599476	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599361	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596786	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595224	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594232	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598776	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597974	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597852	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597744	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595319	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595080	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594422	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: InstallUtil.exe, 00000004.00000002.3928510719.0000000000C08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlliY0
Source: 0001.exe, svcost.exe.0.dr	Binary or memory string: lp8[DgqEMUXQ@M8wGn
Source: 0001.exe, svcost.exe.0.dr	Binary or memory string: tC`UFMt^Fy4gLF]VSwWYDYF]K[Z8qEMUXK4{
Source: svcost.exe, 00000005.00000002.1832153792.0000000003453000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: wscript.exe, 00000003.00000002.1711215696.000001CF118E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svcost.exe, 00000005.00000002.1832153792.0000000003453000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 00000006.00000002.3928725496.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltion
Source: 0001.exe, svcost.exe.0.dr	Binary or memory string: Q@yGG]YVT]QK4wWDMl[4K[AJWQ8cFQ@Q8x[YPgLFQYY4^AXTzUUQ4\|QRTU@]g@JQUU4F]G[MFW]zUUQG8`FAsQLbUTAQ8fQYPgLFQYY4K@F]UY8SQLkx]ZSL\4jQU\4f]UP~F[UqYZQP\QPjQGWAF[QG8FQIAQK@Q\uGKQYZXMvUY]4S]@kvUY]4`Wx[OQFqZBYF]YZ@8SQLkwMX@MFQqZRW4}KzATX{JqYH@M8w[VWUL4pQGDWGQ8x[YP4jQGWXB]uGKQYZXM8GQVPQJ4f]G[TBQ}BQV@uJSG8Q4u[ZQ@[J4qV@QJ4G]@kq@QU4[Hk}VQEMUXQ@M8u@LUWP4f]G[TBQ}BQV@\|YZPTQF8}ZLQFT[WSQP8qL[\UVSQ8xYZ@V_

Source: C:\Users\user\Desktop\0001.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0001.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\0001.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\0001.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\0001.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 728008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: BED008	Jump to behavior

Source: C:\Users\user\Desktop\0001.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\0001.exe	Queries volume information: C:\Users\user\Desktop\0001.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0001.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svcost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0001.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3930502992.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3931049967.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3930502992.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3931049967.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0001.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcost.exe PID: 1280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5216, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0001.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcost.exe PID: 1280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5216, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.0001.exe.34c5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0001.exe.34c5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3930502992.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3931049967.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3930502992.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3931049967.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0001.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcost.exe PID: 1280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5216, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Scheduled Task/Job	111 Scripting	211 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0001.exe	71%	ReversingLabs	Win32.Trojan.Leonem
0001.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\svcost.exe	100%	Avira	HEUR/AGEN.1332199
C:\Users\user\AppData\Roaming\svcost.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://ocsps.ssl.com0_	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stackoverflow.com/q/14436606/23354	0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1689348386.0000000002523000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1832153792.0000000003453000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsps.ssl.com0?	0001.exe, svcost.exe.0.dr	false		high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	0001.exe, svcost.exe.0.dr	false		high
https://github.com/mgravell/protobuf-net	0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	0001.exe, svcost.exe.0.dr	false		high
http://ocsps.ssl.com0	0001.exe, svcost.exe.0.dr	false		high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0	0001.exe, svcost.exe.0.dr	false		high
http://checkip.dyndns.org	InstallUtil.exe, 00000004.00000002.3931049967.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CCF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	0001.exe, svcost.exe.0.dr	false		high
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	0001.exe, svcost.exe.0.dr	false		high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	0001.exe, svcost.exe.0.dr	false		high
https://github.com/mgravell/protobuf-neti	0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	0001.exe, svcost.exe.0.dr	false		high
https://stackoverflow.com/q/11564914/23354;	0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1716820864.0000000005580000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp	false		high
https://www.ssl.com/repository0	0001.exe, svcost.exe.0.dr	false		high
http://ocsps.ssl.com0_	0001.exe, svcost.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189$	InstallUtil.exe, 00000004.00000002.3931049967.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	InstallUtil.exe, 00000004.00000002.3931049967.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	InstallUtil.exe, 00000004.00000002.3931049967.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	InstallUtil.exe, 00000004.00000002.3931049967.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0001.exe, 00000000.00000002.1689348386.0000000002523000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1832153792.0000000003453000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	0001.exe, svcost.exe.0.dr	false		high
https://reallyfreegeoip.org/xml/	0001.exe, 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 0001.exe, 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3931049967.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3930502992.0000000002C06000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	unknown	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577629
Start date and time:	2024-12-18 16:12:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0001.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/2@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 338 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 5216 because it is empty
Execution Graph export aborted for target InstallUtil.exe, PID 7112 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 0001.exe

Simulations

Behavior and APIs

Time	Type	Description
10:13:52	API Interceptor	12012107x Sleep call for process: InstallUtil.exe modified
16:13:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
checkip.dyndns.com	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	104.21.12.88
	0Vwp4nJQOc.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.179.109
	Lw1k8a7gQu.exe	Get hash	malicious	LummaC	Browse	104.21.64.80
	iOnDpwrkWY.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Z1jUFmrTua.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.179.109
	random.exe.7.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	104.21.12.88
	ji2xlo1f.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	https://heyzine.com/flip-book/f976862c0c.html	Get hash	malicious	Unknown	Browse	172.67.73.205
	H3G7Xu6gih.exe	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	HI6VIJERUn.exe	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
UTMEMUS	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	132.240.253.211
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	132.244.23.61
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	132.226.8.169
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
UTMEMUS	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	132.240.253.211
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	132.244.23.61
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	132.226.8.169
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

Process:	C:\Users\user\Desktop\0001.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	82
Entropy (8bit):	4.730916907236936
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoCHyg4EaKC51Hn:FER/lFHICHhJaZ5t
MD5:	B701156443487C82F0A5B60ADC836714
SHA1:	AAB8A9BB276837F033B04D4F9511C3AA26CCA0E7
SHA-256:	0E17EFED61F8AFA778BA7528C678E9533CA101152E45CA194E5540596973313C
SHA-512:	E4E6CCD7F13621A8803051C5961A406E9D9676B8DC4B58FA60D966856C92B9211290AB5022A5F677430E8392BEED2BD326E5B0DCA360CD194EADD9FD2EB51015
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\svcost.exe"""

C:\Users\user\AppData\Roaming\svcost.exe

Download File

Process:	C:\Users\user\Desktop\0001.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	269736446
Entropy (8bit):	7.999978646220003
Encrypted:	true
SSDEEP:	6291456:FXXmytxKYilaHrLq07yNC9bJuBDhpQTeFiQH09FK:FXXGlaHnbyNaJmdp5FiQUC
MD5:	DD9799233734DDEB80E69E46D3FAF0B5
SHA1:	B291F4E465D3BCD97BE2F04A589798B480C7A2AB
SHA-256:	CF1E03627236AF116739057FF0259C4AA6FB27CE13E79368157F416678552EEE
SHA-512:	49E0EDF0CC498F62D09C2B6367D42191CFBB2D8453C38C36AA0B289060D3AE5EF152362FD90BD1A09444763EC4D6FF4E37519BCF938405A7BA20AAE9CE25AA38
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.....................J......>.... ........@.. .......................@............`....................................K........F................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc....F.......H..................@..@.reloc....... ......................@..B................ .......H..........................................................................(.......(.....s....(.....0../.........(....}.......}......\|......(...+..\|....(.......(.....0.......... ........8........E................\...F...8.......9Y... ....8........E....)...e...=.......S...?.......i.......x...........8$.....(.... ....8.....{...... ....~....{P...9....& ....8.....(....(...... ....~....{....9m...& ....8b........ ....8S...s....(....(...... ....~....{O...:....& ....8#.....(..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.609449291416142
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0001.exe
File size:	1'175'520 bytes
MD5:	50bb47bb771b4140a514b309b643711e
SHA1:	60ecc3ff6bad5b263313d8c35b91c461b3632d0d
SHA256:	ed54ab7270f7562ce7953847239b8c4467361c3105a9688942d05bc55a217234
SHA512:	1a7746b7a6854d372a9ed448ab7746ec8a2ce1009d17a50a1e47a5ce6f983d64308834fc94bf30ceed87303b7507084c690ef12fcb3cfd3484008005ac4a1d51
SSDEEP:	24576:PgbVReM+Fcmpgk+V41PAEXVz5L/905ipqa6LTlxIL:e/mUO4ErLl08pqu
TLSH:	7245D02367C64AD6C2814A36E8F72426C352D99D3E13DA17BE8E13DB007E356682774F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.....................J......>.... ........@.. .......................@............`................................

File Icon


Icon Hash:	fcdc888888a498b8

Static PE Info

General

Entrypoint:	0x51a43e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673DD19B [Wed Nov 20 12:10:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	04/07/2024 00:35:32 15/05/2027 11:15:04
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=VN, OID.2.5.4.15=Private Organization, CN="DUC FABULOUS CO.,LTD", SERIALNUMBER=0105838409, O="DUC FABULOUS CO.,LTD", L=Hanoi, C=VN
Version:	3
Thumbprint MD5:	FF0E889D2A73C3A679605952D35452DC
Thumbprint SHA-1:	2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C
Thumbprint SHA-256:	A73352D67693AA16BCE2F182B15891F0F23EA0485CC18938686AAFDEE7B743E3
Serial:	6DD2E3173995F51BFAC1D9FB4CB200C1

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11a3f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11c000	0x4680	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11d200	0x1de0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x122000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x118444	0x118600	d71e49b622ba31162b858e1e05d0ecb4	False	0.7731518892108783	data	7.6261958267331735	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x11c000	0x4680	0x4800	8c60c9d67aee4379a1ff131394617d11	False	0.1767035590277778	data	3.8356122775690147	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x122000	0xc	0x200	b8e961d4f2ebc37d776375b0f26cc245	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x11c130	0x4028	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.15172917681441792
RT_GROUP_ICON	0x120158	0x14	data	1.05
RT_VERSION	0x12016c	0x328	data	0.44925742574257427
RT_MANIFEST	0x120494	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T16:13:50.479156+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49711	132.226.8.169	80	TCP
2024-12-18T16:13:53.431769+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49711	132.226.8.169	80	TCP
2024-12-18T16:13:55.044063+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49714	104.21.67.152	443	TCP
2024-12-18T16:13:56.619228+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49715	132.226.8.169	80	TCP
2024-12-18T16:13:58.234798+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49716	104.21.67.152	443	TCP
2024-12-18T16:13:59.822439+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49717	132.226.8.169	80	TCP
2024-12-18T16:14:03.994296+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49720	132.226.247.73	80	TCP
2024-12-18T16:14:06.166173+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49720	132.226.247.73	80	TCP
2024-12-18T16:14:07.791964+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49724	104.21.67.152	443	TCP
2024-12-18T16:14:09.275525+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49726	132.226.247.73	80	TCP
2024-12-18T16:14:11.460582+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49729	104.21.67.152	443	TCP
2024-12-18T16:14:12.666218+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49730	132.226.247.73	80	TCP
2024-12-18T16:14:15.775639+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49734	132.226.247.73	80	TCP
2024-12-18T16:14:26.878765+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49742	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 16:13:48.365176916 CET	49711	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:48.484692097 CET	80	49711	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:48.484797955 CET	49711	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:48.485104084 CET	49711	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:48.604923010 CET	80	49711	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:49.873003006 CET	80	49711	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:49.891974926 CET	49711	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:50.011601925 CET	80	49711	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:50.358077049 CET	80	49711	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:50.479156017 CET	49711	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:50.913600922 CET	49713	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:50.913645029 CET	443	49713	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:50.913733006 CET	49713	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:50.928776026 CET	49713	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:50.928788900 CET	443	49713	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:52.156198978 CET	443	49713	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:52.156358004 CET	49713	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:52.162786961 CET	49713	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:52.162800074 CET	443	49713	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:52.163136005 CET	443	49713	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:52.231103897 CET	49713	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:52.271370888 CET	443	49713	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:52.595294952 CET	443	49713	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:52.595479012 CET	443	49713	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:52.595691919 CET	49713	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:52.602221966 CET	49713	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:52.605963945 CET	49711	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:52.827008963 CET	80	49711	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:53.379232883 CET	80	49711	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:53.382155895 CET	49714	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:53.382193089 CET	443	49714	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:53.382309914 CET	49714	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:53.382764101 CET	49714	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:53.382777929 CET	443	49714	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:53.431768894 CET	49711	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:54.595895052 CET	443	49714	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:54.600210905 CET	49714	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:54.600234985 CET	443	49714	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:55.044079065 CET	443	49714	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:55.044143915 CET	443	49714	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:55.044192076 CET	49714	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:55.044673920 CET	49714	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:55.048093081 CET	49711	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:55.049032927 CET	49715	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:55.168488026 CET	80	49711	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:55.168569088 CET	49711	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:55.168734074 CET	80	49715	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:55.168808937 CET	49715	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:55.168952942 CET	49715	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:55.288594007 CET	80	49715	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:56.568368912 CET	80	49715	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:56.569544077 CET	49716	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:56.569586039 CET	443	49716	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:56.569658041 CET	49716	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:56.569891930 CET	49716	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:56.569905996 CET	443	49716	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:56.619227886 CET	49715	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:57.782308102 CET	443	49716	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:57.784584999 CET	49716	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:57.784605980 CET	443	49716	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:58.234893084 CET	443	49716	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:58.235059977 CET	443	49716	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:58.235167027 CET	49716	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:58.235745907 CET	49716	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:58.240556002 CET	49715	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:58.241933107 CET	49717	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:58.360698938 CET	80	49715	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:58.360845089 CET	49715	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:58.361424923 CET	80	49717	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:58.361521006 CET	49717	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:58.361814022 CET	49717	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:13:58.483304977 CET	80	49717	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:59.781853914 CET	80	49717	132.226.8.169	192.168.2.8
Dec 18, 2024 16:13:59.783514977 CET	49718	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:59.783555984 CET	443	49718	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:59.783646107 CET	49718	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:59.783955097 CET	49718	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:13:59.783965111 CET	443	49718	104.21.67.152	192.168.2.8
Dec 18, 2024 16:13:59.822438955 CET	49717	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:14:01.003209114 CET	443	49718	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:01.005106926 CET	49718	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:01.005146980 CET	443	49718	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:01.462357998 CET	443	49718	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:01.462423086 CET	443	49718	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:01.462646961 CET	49718	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:01.466464996 CET	49718	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:02.086787939 CET	49719	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:02.091787100 CET	49720	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:02.206398964 CET	80	49719	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:02.206481934 CET	49719	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:02.206729889 CET	49719	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:02.211328983 CET	80	49720	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:02.211481094 CET	49720	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:02.211699963 CET	49720	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:02.327023983 CET	80	49719	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:02.331615925 CET	80	49720	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:03.512824059 CET	80	49719	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:03.514363050 CET	49721	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:03.514405966 CET	443	49721	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:03.514642954 CET	49721	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:03.515045881 CET	49721	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:03.515064955 CET	443	49721	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:03.521325111 CET	80	49720	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:03.524835110 CET	49720	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:03.558406115 CET	49719	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:03.644412041 CET	80	49720	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:03.948292971 CET	80	49720	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:03.981977940 CET	49722	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:03.982050896 CET	443	49722	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:03.982182026 CET	49722	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:03.986258984 CET	49722	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:03.986275911 CET	443	49722	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:03.994296074 CET	49720	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:04.729022026 CET	443	49721	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:04.730914116 CET	49721	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:04.730932951 CET	443	49721	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:05.180620909 CET	443	49721	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:05.180679083 CET	443	49721	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:05.180871964 CET	49721	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:05.181540012 CET	49721	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:05.185224056 CET	49719	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:05.186538935 CET	49723	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:05.203922987 CET	443	49722	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:05.204108000 CET	49722	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:05.205691099 CET	49722	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:05.205698013 CET	443	49722	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:05.205976963 CET	443	49722	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:05.253166914 CET	49722	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:05.295336962 CET	443	49722	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:05.306613922 CET	80	49719	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:05.306723118 CET	49719	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:05.307344913 CET	80	49723	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:05.307431936 CET	49723	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:05.307610035 CET	49723	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:05.427107096 CET	80	49723	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:05.683803082 CET	443	49722	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:05.683885098 CET	443	49722	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:05.683938026 CET	49722	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:05.694282055 CET	49722	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:05.697760105 CET	49720	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:05.817264080 CET	80	49720	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:06.121397018 CET	80	49720	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:06.123822927 CET	49724	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:06.123859882 CET	443	49724	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:06.123954058 CET	49724	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:06.124275923 CET	49724	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:06.124294043 CET	443	49724	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:06.166172981 CET	49720	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:06.611430883 CET	80	49723	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:06.612931967 CET	49725	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:06.612988949 CET	443	49725	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:06.613073111 CET	49725	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:06.613368988 CET	49725	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:06.613384008 CET	443	49725	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:06.658178091 CET	49723	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:07.346842051 CET	443	49724	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:07.352097034 CET	49724	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:07.352113962 CET	443	49724	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:07.792047977 CET	443	49724	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:07.792190075 CET	443	49724	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:07.792257071 CET	49724	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:07.792706966 CET	49724	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:07.798114061 CET	49720	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:07.799762011 CET	49726	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:07.826385021 CET	443	49725	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:07.828445911 CET	49725	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:07.828478098 CET	443	49725	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:07.922234058 CET	80	49720	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:07.922296047 CET	49720	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:07.923185110 CET	80	49726	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:07.923335075 CET	49726	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:07.923475027 CET	49726	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:08.047430038 CET	80	49726	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:08.280697107 CET	443	49725	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:08.280770063 CET	443	49725	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:08.280848980 CET	49725	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:08.292202950 CET	49725	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:08.307481050 CET	49723	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:08.332956076 CET	49727	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:08.429064989 CET	80	49723	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:08.429120064 CET	49723	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:08.452721119 CET	80	49727	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:08.452812910 CET	49727	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:08.453006983 CET	49727	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:08.572463036 CET	80	49727	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:09.232743979 CET	80	49726	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:09.233966112 CET	49728	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:09.234015942 CET	443	49728	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:09.234101057 CET	49728	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:09.234342098 CET	49728	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:09.234357119 CET	443	49728	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:09.275525093 CET	49726	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:09.766730070 CET	80	49727	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:09.768414974 CET	49729	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:09.768461943 CET	443	49729	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:09.768548012 CET	49729	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:09.768810034 CET	49729	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:09.768822908 CET	443	49729	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:09.822382927 CET	49727	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:10.451467991 CET	443	49728	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:10.457011938 CET	49728	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:10.457103014 CET	443	49728	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:10.903820992 CET	443	49728	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:10.903867960 CET	443	49728	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:10.904000044 CET	49728	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:10.911710978 CET	49728	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:10.981543064 CET	443	49729	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:10.983692884 CET	49729	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:10.983709097 CET	443	49729	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:11.040821075 CET	49726	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:11.048897028 CET	49730	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:11.163558006 CET	80	49726	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:11.163659096 CET	49726	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:11.168658018 CET	80	49730	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:11.168739080 CET	49730	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:11.168901920 CET	49730	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:11.289721966 CET	80	49730	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:11.460630894 CET	443	49729	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:11.460707903 CET	443	49729	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:11.460891962 CET	49729	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:11.461273909 CET	49729	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:11.469105005 CET	49727	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:11.469858885 CET	49731	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:11.589468956 CET	80	49727	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:11.589575052 CET	49727	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:11.589704037 CET	80	49731	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:11.589802980 CET	49731	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:11.589962959 CET	49731	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:11.709594011 CET	80	49731	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:12.611285925 CET	80	49730	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:12.612703085 CET	49732	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:12.612732887 CET	443	49732	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:12.613022089 CET	49732	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:12.613363981 CET	49732	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:12.613373995 CET	443	49732	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:12.666218042 CET	49730	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:12.893821955 CET	80	49731	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:12.895138025 CET	49733	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:12.895195007 CET	443	49733	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:12.895257950 CET	49733	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:12.895689011 CET	49733	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:12.895699024 CET	443	49733	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:12.947446108 CET	49731	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:13.834189892 CET	443	49732	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:13.839483023 CET	49732	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:13.839504957 CET	443	49732	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:14.113512993 CET	443	49733	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:14.115958929 CET	49733	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:14.115981102 CET	443	49733	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:14.294065952 CET	443	49732	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:14.294137955 CET	443	49732	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:14.294281960 CET	49732	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:14.294833899 CET	49732	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:14.298883915 CET	49730	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:14.300430059 CET	49734	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:14.419604063 CET	80	49730	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:14.419722080 CET	49730	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:14.420814037 CET	80	49734	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:14.420907021 CET	49734	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:14.421118975 CET	49734	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:14.540971994 CET	80	49734	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:14.570053101 CET	443	49733	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:14.570132017 CET	443	49733	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:14.570187092 CET	49733	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:14.570611000 CET	49733	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:15.728234053 CET	80	49734	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:15.729711056 CET	49735	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:15.729748011 CET	443	49735	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:15.729832888 CET	49735	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:15.730253935 CET	49735	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:15.730268955 CET	443	49735	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:15.775639057 CET	49734	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:16.945391893 CET	443	49735	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:16.947154045 CET	49735	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:16.947206020 CET	443	49735	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:17.396804094 CET	443	49735	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:17.396891117 CET	443	49735	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:17.396995068 CET	49735	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:17.397440910 CET	49735	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:17.401916027 CET	49736	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:17.523200989 CET	80	49736	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:17.523303986 CET	49736	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:17.523447990 CET	49736	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:17.649955988 CET	80	49736	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:18.834517956 CET	80	49736	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:18.835741997 CET	49737	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:18.835850000 CET	443	49737	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:18.836042881 CET	49737	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:18.836337090 CET	49737	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:18.836371899 CET	443	49737	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:18.884947062 CET	49736	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:20.087872982 CET	443	49737	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:20.089780092 CET	49737	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:20.089870930 CET	443	49737	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:20.540353060 CET	443	49737	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:20.540419102 CET	443	49737	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:20.540649891 CET	49737	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:20.547946930 CET	49737	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:20.664061069 CET	49736	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:20.665020943 CET	49738	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:20.784236908 CET	80	49736	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:20.784375906 CET	49736	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:20.784581900 CET	80	49738	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:20.784672976 CET	49738	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:20.784822941 CET	49738	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:20.904522896 CET	80	49738	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:22.099952936 CET	80	49738	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:22.104973078 CET	49739	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:22.105029106 CET	443	49739	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:22.105115891 CET	49739	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:22.105473995 CET	49739	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:22.105494976 CET	443	49739	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:22.150594950 CET	49738	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:23.315727949 CET	443	49739	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:23.344027996 CET	49739	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:23.344064951 CET	443	49739	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:23.770185947 CET	443	49739	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:23.770251989 CET	443	49739	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:23.770345926 CET	49739	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:23.770827055 CET	49739	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:23.774194956 CET	49738	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:23.775429010 CET	49741	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:23.894191980 CET	80	49738	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:23.894356012 CET	49738	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:23.894917011 CET	80	49741	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:23.895036936 CET	49741	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:23.895309925 CET	49741	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:24.015341043 CET	80	49741	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:25.210124969 CET	80	49741	132.226.247.73	192.168.2.8
Dec 18, 2024 16:14:25.211311102 CET	49742	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:25.211375952 CET	443	49742	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:25.211469889 CET	49742	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:25.211769104 CET	49742	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:25.211783886 CET	443	49742	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:25.259960890 CET	49741	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:14:26.422811031 CET	443	49742	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:26.424547911 CET	49742	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:26.424566984 CET	443	49742	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:26.878787041 CET	443	49742	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:26.878870010 CET	443	49742	104.21.67.152	192.168.2.8
Dec 18, 2024 16:14:26.879184961 CET	49742	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:14:26.879543066 CET	49742	443	192.168.2.8	104.21.67.152
Dec 18, 2024 16:15:04.785927057 CET	80	49717	132.226.8.169	192.168.2.8
Dec 18, 2024 16:15:04.786046982 CET	49717	80	192.168.2.8	132.226.8.169
Dec 18, 2024 16:15:17.895073891 CET	80	49731	132.226.247.73	192.168.2.8
Dec 18, 2024 16:15:17.895138025 CET	49731	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:15:20.729832888 CET	80	49734	132.226.247.73	192.168.2.8
Dec 18, 2024 16:15:20.729897022 CET	49734	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:15:30.210395098 CET	80	49741	132.226.247.73	192.168.2.8
Dec 18, 2024 16:15:30.210481882 CET	49741	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:15:52.903701067 CET	49731	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:15:53.023226023 CET	80	49731	132.226.247.73	192.168.2.8
Dec 18, 2024 16:16:05.243838072 CET	49741	80	192.168.2.8	132.226.247.73
Dec 18, 2024 16:16:05.365019083 CET	80	49741	132.226.247.73	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 16:13:47.967701912 CET	58226	53	192.168.2.8	1.1.1.1
Dec 18, 2024 16:13:48.129795074 CET	53	58226	1.1.1.1	192.168.2.8
Dec 18, 2024 16:13:50.399488926 CET	60721	53	192.168.2.8	1.1.1.1
Dec 18, 2024 16:13:50.851803064 CET	53	60721	1.1.1.1	192.168.2.8
Dec 18, 2024 16:14:01.642708063 CET	61666	53	192.168.2.8	1.1.1.1
Dec 18, 2024 16:14:02.085194111 CET	53	61666	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 16:13:47.967701912 CET	192.168.2.8	1.1.1.1	0xce4	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:13:50.399488926 CET	192.168.2.8	1.1.1.1	0xaac0	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:14:01.642708063 CET	192.168.2.8	1.1.1.1	0xc393	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 16:13:48.129795074 CET	1.1.1.1	192.168.2.8	0xce4	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 16:13:48.129795074 CET	1.1.1.1	192.168.2.8	0xce4	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:13:48.129795074 CET	1.1.1.1	192.168.2.8	0xce4	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:13:48.129795074 CET	1.1.1.1	192.168.2.8	0xce4	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:13:48.129795074 CET	1.1.1.1	192.168.2.8	0xce4	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:13:48.129795074 CET	1.1.1.1	192.168.2.8	0xce4	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:13:50.851803064 CET	1.1.1.1	192.168.2.8	0xaac0	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:13:50.851803064 CET	1.1.1.1	192.168.2.8	0xaac0	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:14:02.085194111 CET	1.1.1.1	192.168.2.8	0xc393	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 16:14:02.085194111 CET	1.1.1.1	192.168.2.8	0xc393	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:14:02.085194111 CET	1.1.1.1	192.168.2.8	0xc393	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:14:02.085194111 CET	1.1.1.1	192.168.2.8	0xc393	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:14:02.085194111 CET	1.1.1.1	192.168.2.8	0xc393	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 18, 2024 16:14:02.085194111 CET	1.1.1.1	192.168.2.8	0xc393	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49711	132.226.8.169	80	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:13:48.485104084 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 16:13:49.873003006 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:13:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 16:13:49.891974926 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 16:13:50.358077049 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:13:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 16:13:52.605963945 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 16:13:53.379232883 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:13:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49715	132.226.8.169	80	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:13:55.168952942 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 16:13:56.568368912 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:13:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49717	132.226.8.169	80	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:13:58.361814022 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 16:13:59.781853914 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:13:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49719	132.226.247.73	80	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:02.206729889 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 16:14:03.512824059 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6517c3256bf349f2d7316097d73986b3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49720	132.226.247.73	80	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:02.211699963 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 16:14:03.521325111 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 723a0d557d8355bfacf7d929b03f99ea Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 16:14:03.524835110 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 16:14:03.948292971 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9db7efb333a4b498402f077f455454c9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 16:14:05.697760105 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 16:14:06.121397018 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 78090a2a02bcdf74c6ed4a4b952652e9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49723	132.226.247.73	80	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:05.307610035 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 16:14:06.611430883 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3d0a71575fa093a98caa7142524a7fb9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49726	132.226.247.73	80	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:07.923475027 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 16:14:09.232743979 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 945d302c82250d7ad248d6c926c6237b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49727	132.226.247.73	80	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:08.453006983 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 16:14:09.766730070 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 39aba669e614605db1497241339a25bb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49730	132.226.247.73	80	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:11.168901920 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 16:14:12.611285925 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 10bda8b50d95e825de691344dc0711c1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49731	132.226.247.73	80	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:11.589962959 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 16:14:12.893821955 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ccb22b0de7b412d09e501788f51949f4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49734	132.226.247.73	80	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:14.421118975 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 16:14:15.728234053 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 43bdd532f972a296fb751794a4985f5a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49736	132.226.247.73	80	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:17.523447990 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 16:14:18.834517956 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 00cde9789d4302ba7b54cb5aeaf913d9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49738	132.226.247.73	80	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:20.784822941 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 16:14:22.099952936 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f96bbb8cf13662b3eb5624260a80a8d7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49741	132.226.247.73	80	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 16:14:23.895309925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 16:14:25.210124969 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b4d8b9f0bc09240b9af2a525e90e64be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49713	104.21.67.152	443	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:13:52 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:13:52 UTC	878	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:13:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523601 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ipI3B65QilHYsBr1Eo%2BoZ76VylMrI%2BWp%2FeRPdQOOkLPypXMKJtIRjJjuZ44hd6%2F4AXZcmnq1Qq5nFS5hOYTrxPq9rBiO6CwiGxMxpgHVd0gIrRoQA2ayvSyxYCQfTihyhfJx7qi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40196eaac0ef9d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1828&min_rtt=1827&rtt_var=687&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1589548&cwnd=121&unsent_bytes=0&cid=bc9300bf6de84b8c&ts=458&x=0"
2024-12-18 15:13:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49714	104.21.67.152	443	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:13:54 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-18 15:13:55 UTC	882	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:13:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523603 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1HrfNmHZ%2FPFP0K%2BoP9z1hzBRl6kn1b4dryEX0Rp66lNGwAPBJeMyUTx3o4K97JxQBiftE4qjW5CUIqXPJkiZn%2BcfVivtyLsc%2Bh%2FUAzVxjfz0sB6b2RSzl4nhRo2p8ZFTEkv0%2BJmO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40197dfcbe0cb2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1500&min_rtt=1494&rtt_var=574&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1885087&cwnd=152&unsent_bytes=0&cid=44dbded664e432e6&ts=455&x=0"
2024-12-18 15:13:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49716	104.21.67.152	443	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:13:57 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-18 15:13:58 UTC	882	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:13:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523607 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nYkzakn%2B%2FAfk%2B4s4h2xwu8MjkVPU2i10393Uj6l%2BQ%2FOqnsJJqpbgW7zfZqpueLpyJQyL7AnkH9M92Gy3LeEhg9cbBoAkEP%2FQd3PEi4P4tKzOwyhcnpnOj5o3FEgy2S4NcANMAdW1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f401991ec9e43b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1578&rtt_var=625&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1705607&cwnd=198&unsent_bytes=0&cid=7345989381db2b9e&ts=458&x=0"
2024-12-18 15:13:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49718	104.21.67.152	443	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:01 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:14:01 UTC	880	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523610 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LjqKHYAExdD1nzKxry5scGc9%2FRMMpKRMkDq3QxlVCydOntFc9%2FLZOLWcG5RG5oR0QWGzs7WNHPon5U68w4SoNDB4ahHWfDZ0GWMnpTjG%2B%2FwWTa4h8xgi8qs2Z9%2FXS2cGwlQfUDNS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4019a60cac8c6c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2034&min_rtt=2025&rtt_var=778&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1389814&cwnd=168&unsent_bytes=0&cid=0b208869ae070ce4&ts=470&x=0"
2024-12-18 15:14:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49721	104.21.67.152	443	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:04 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:14:05 UTC	874	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523614 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lI48PuJGPapsnfd9echeepQmEqRBlAabhLJxUUEzronc%2FAMCOK19zkYtUxCXLV1Jm1JdSC5pUuKOiHMNd8to85vGfOs0KnO4fHbwWx0idbi8rmYKIoQasXFo9N4x177hz2P%2BEETt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4019bd5adf6a57-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2366&min_rtt=2352&rtt_var=910&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1185064&cwnd=231&unsent_bytes=0&cid=7a824abf8fe3e18b&ts=457&x=0"
2024-12-18 15:14:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49722	104.21.67.152	443	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:05 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:14:05 UTC	878	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523614 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m7j55v%2B2sPb380lbsB1H2dzvTnWO1NcsFZ%2BKgUQpjuZ82r7jT9nYylPAJujLsPJiI7E%2F9utBDdYCzlEj60sKfNbqgKs1kxxqQcALst%2B7glldIVWTiRbPEaXw5TmoObg36rA6IATJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4019c04d0f4204-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1617&min_rtt=1609&rtt_var=620&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1742243&cwnd=234&unsent_bytes=0&cid=273d5608a07e666e&ts=486&x=0"
2024-12-18 15:14:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49724	104.21.67.152	443	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:07 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-18 15:14:07 UTC	874	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523616 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7k3ZxFT75kd1HD8giq5mx5mwpyvh8tqg5ecGfMKKaXaFtIDcGoLHtBfrFg0j1ONqRoZJvn7q7wxeLr4RSzGEb3as%2BvrR%2FHw8nhKlFxexjU8v0kn1EAGqu50FavV8x4V5R7fmtoTa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4019cdae874267-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1544&rtt_var=600&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1793611&cwnd=234&unsent_bytes=0&cid=6654c6a9587d5b93&ts=456&x=0"
2024-12-18 15:14:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49725	104.21.67.152	443	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:07 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:14:08 UTC	877	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523617 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QQxRX519VzgB%2FIoCxL06Bg%2FLv9wMoSv9AxG2w8J7nZ1EYCx1RbLRHycnLBXA3CFy3S0gJXqZGsjOQCBqB6ArqtWdxCQK4l18NI6%2Fu9VY%2BnDPkJii3p0wKoJGaH2dbBLSk8fVUoVi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4019d0bfb442a9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1614&min_rtt=1609&rtt_var=613&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1770770&cwnd=32&unsent_bytes=0&cid=c90bdea48c2fc68a&ts=460&x=0"
2024-12-18 15:14:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49728	104.21.67.152	443	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:14:10 UTC	882	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523619 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8mReifrCPdy7DyOfVzyg5LLZpBvHnxf3djKWIpqL51pg6zb4pF6aJ0t%2BpZ%2FKVPrbuWHJuWiGR0DOa1R61LB5Lv0TtOM7lUpB4quSA5Mtq1W5enWroL6%2BqY%2FtNjn%2FZS%2FrybqTxTaj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4019e11f2f42f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1637&rtt_var=615&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1777236&cwnd=231&unsent_bytes=0&cid=53f26ac2b043be7f&ts=460&x=0"
2024-12-18 15:14:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49729	104.21.67.152	443	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:10 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-18 15:14:11 UTC	876	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523620 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t0CVBveQZrx33ZW8%2BwAx9n51ctU83d3sGk%2B2VZH3vW85CnhRDDxojcbVC1lF347lWKmHd6HJcTfmfVnsFN3C%2BqudzlEiglJdIqoSkLeWNmB6W1ucH0T3WeN0Qx2uMnZvAugw7OY1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4019e46f840f78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1507&min_rtt=1489&rtt_var=595&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1784841&cwnd=220&unsent_bytes=0&cid=c2f3300e2810d214&ts=482&x=0"
2024-12-18 15:14:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49732	104.21.67.152	443	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:13 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:14:14 UTC	878	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523623 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hetMM6TWu4WIN%2FPFG%2BwVwc0AOC9YapNTAnSJODt25mQkliVY%2Fl0dUlIRoLJsUGpPbNTor5kTgRr27K5Wf%2BazCNLgFbzVROMqlRtlFoIRyi2F9MMa0lzF2ZHPbwInuBptLldvCmh1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4019f63fd380d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1514&min_rtt=1514&rtt_var=568&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1927392&cwnd=230&unsent_bytes=0&cid=a607806170b51a0f&ts=465&x=0"
2024-12-18 15:14:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49733	104.21.67.152	443	7112	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:14:14 UTC	880	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523623 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WxQwgrj8%2F5xR5B8FP71yZj3sWwLTnePjL%2FFBMHY41B%2BJGozSaSDC4DBJsK%2BuX8TjQZOxN9%2FV2RYBYx94IwPupAoibmlaHU67IaMeib3ujOObQPdVjRi63cJPW05PBFQU9BNh7XSZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4019f7fa4f6a4f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2054&min_rtt=2044&rtt_var=787&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1371535&cwnd=237&unsent_bytes=0&cid=2f1df54889baf7ec&ts=464&x=0"
2024-12-18 15:14:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49735	104.21.67.152	443	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:14:17 UTC	872	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523626 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XJuUwUkJS6RSx4pqdkOSJlZk1AAfk0jNQbEOoG0VlwsBxM9BWfkNN1jqxAZ5Z14pVJOVYUNa8Y2HBpfk0hhraNUwKSBpa71qYR%2FfDYHy29kP3wVXDaRekH2FmZmeAT8liQjCN7h7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f401a09aade7d13-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1821&min_rtt=1821&rtt_var=684&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1599123&cwnd=252&unsent_bytes=0&cid=d753b942364126cc&ts=459&x=0"
2024-12-18 15:14:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49737	104.21.67.152	443	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:20 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:14:20 UTC	880	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523629 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v84ZbhM%2F5DeOm3ADOGq5b%2BfT9zPk%2BqHQaRzA1RQCI7Hyge58KWQilrqUv1nxQd6nrf9hCYBmfIMebdRsewS5rEn7IpalP%2F%2FQucktyCg1TpsrF13o7w5WvUVS1tZDHRVnhjIAGwBv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f401a1d4dc69e02-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1795&min_rtt=1791&rtt_var=680&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1599123&cwnd=244&unsent_bytes=0&cid=a8393a44e833bba1&ts=459&x=0"
2024-12-18 15:14:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49739	104.21.67.152	443	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:23 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 15:14:23 UTC	880	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523632 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oKKkykPhxi9ZYQaNc4%2FQ0iyJoym1dPjSCMrvsnz2JayfbjXkpFPmAnJjhLqkb8hxDG8X7onY7Owj%2Bk1aiGrHKILjGlEcsSDuAwcZKkg2x%2FKhMEsZG1p%2BiZJgbmb5V%2Bz0hjK4CFAx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f401a31786a43ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1594&rtt_var=613&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1763285&cwnd=230&unsent_bytes=0&cid=b6884fe86fa24d13&ts=459&x=0"
2024-12-18 15:14:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49742	104.21.67.152	443	5216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 15:14:26 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-18 15:14:26 UTC	878	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 15:14:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 523635 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pugzEZFK6o2w9o5khWsbt3tcnwDWkBSoF%2FD5tQpNZ26NL%2B%2FGh1PCv4F6FqVqD7LU3NA9mEK9urVDBYgo2LEYbjFVuJyJ1STPRLFT0ef7a%2FdJOSoMbxufZWJgN1FUXoVLe8fjlW89"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f401a44efdef797-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1530&min_rtt=1528&rtt_var=577&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1889967&cwnd=161&unsent_bytes=0&cid=8583b151cea296ba&ts=460&x=0"
2024-12-18 15:14:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	10:13:24
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\0001.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0001.exe"
Imagebase:	0x60000
File size:	1'175'520 bytes
MD5 hash:	50BB47BB771B4140A514B309B643711E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1716994586.00000000055E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1689348386.0000000002523000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1709684554.0000000003545000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1709684554.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:13:46
Start date:	18/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs"
Imagebase:	0x7ff6ee680000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:13:46
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x5d0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3931049967.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3931049967.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:13:49
Start date:	18/12/2024
Path:	C:\Users\user\AppData\Roaming\svcost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\svcost.exe"
Imagebase:	0xfd0000
File size:	269'736'446 bytes
MD5 hash:	DD9799233734DDEB80E69E46D3FAF0B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.1832153792.0000000003453000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.1846968405.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:14:00
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x7ff7194a0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.3930502992.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000002.3927157231.0000000000418000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.3930502992.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.6%
Total number of Nodes:	41
Total number of Limit Nodes:	1

Executed Functions

Function 0234529A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02345355

Strings

ysEP, xrefs: 023452C5

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: ysEP
API String ID: 2706961497-2275478711
Opcode ID: d15ba42fa121252e9dd248632201f3f12d5b5a0d770a174fbc2f543a98ef0eff
Instruction ID: 099520e6e288727fbad8bcd80b0303488a196daa2c8d1275cbf83b43b18c6487
Opcode Fuzzy Hash: d15ba42fa121252e9dd248632201f3f12d5b5a0d770a174fbc2f543a98ef0eff
Instruction Fuzzy Hash: 8B41AAB5D002589FCF10CFAAD980ADEFBB1BB49310F14902AE818B7210D775A945CF54

Function 023452A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02345355

Strings

ysEP, xrefs: 023452C5

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: ysEP
API String ID: 2706961497-2275478711
Opcode ID: fd0d1412b8f27b17749df0adcdbbea76bf64ab6347348df958ea90cbbf8d3a4e
Instruction ID: ee4d1abf5a2ad2806183a6a4c2f3b824e2ec7e7c8f72ed61ddec6481c9077055
Opcode Fuzzy Hash: fd0d1412b8f27b17749df0adcdbbea76bf64ab6347348df958ea90cbbf8d3a4e
Instruction Fuzzy Hash: A24197B9D04258DFCF10CFAAD980ADEFBB5BB49310F14942AE818B7210D775A945CF68

Function 02347D38 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 02347DCE

Strings

ysEP, xrefs: 02347D5F

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: ResumeThread
String ID: ysEP
API String ID: 947044025-2275478711
Opcode ID: 38793f5c1511acac65c5e1d840b4331009ed9e36d5ebaf14a0b3f7ec1848cfcc
Instruction ID: 268b5de8d5d0c5902c817b0b7655ae63bd84faebda750d457401d054c2ab3973
Opcode Fuzzy Hash: 38793f5c1511acac65c5e1d840b4331009ed9e36d5ebaf14a0b3f7ec1848cfcc
Instruction Fuzzy Hash: C431AAB5D012189FCB14CFAAD981AAEFBF5BB49310F14942AE814B7340C775A946CF94

Function 02347D40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 02347DCE

Strings

ysEP, xrefs: 02347D5F

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: ResumeThread
String ID: ysEP
API String ID: 947044025-2275478711
Opcode ID: 17f3a2ed52552e258d881ee12c0340963d44671b774985d64f31fde8fb93ec46
Instruction ID: 709afdf6e9935495ddc77b91edec21636a2c04a90b3bf00dfdbe4c8bb3e03322
Opcode Fuzzy Hash: 17f3a2ed52552e258d881ee12c0340963d44671b774985d64f31fde8fb93ec46
Instruction Fuzzy Hash: 0531A9B5D01218DFCB10CFAAD980AAEFBF5BB49310F20842AE814B7240C775A946CF94

Function 02341D98 Relevance: 1.9, Strings: 1, Instructions: 614
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 02341EA2

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 824388e68c02802d57afbe633ae91788fcf23f21519c2a0d770f73ce94a90ac4
Instruction ID: a73de5454de9e344d443d1127c39b3f89efe2c33beffa11c880c5c1422687c8c
Opcode Fuzzy Hash: 824388e68c02802d57afbe633ae91788fcf23f21519c2a0d770f73ce94a90ac4
Instruction Fuzzy Hash: B152C375E006298BDB64DF69C894AD9B7B1FB89300F1085EAD90DB7355DB30AE81CF50

Function 02341D88 Relevance: 1.4, Strings: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h, xrefs: 02341E96

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 1b3a1f5ff9fe318ad7ff269784eda15a7e90a9d6ab8166d5aafeb6d8e734d63a
Instruction ID: 3e90b02d2a1ce4657a4637474ab2f981f3432b00639eeef1d601c56cee71ccef
Opcode Fuzzy Hash: 1b3a1f5ff9fe318ad7ff269784eda15a7e90a9d6ab8166d5aafeb6d8e734d63a
Instruction Fuzzy Hash: 44710475E00629CBDB64DF69D850BDAB7B2FF89300F1082AAD50DA7254DB30AE85CF51

Function 0228E270 Relevance: 1.0, Instructions: 983COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58fe4e5c159c8422be5983f7fd77ef6e817ebcc0445a73ec2f83e735e771291
Instruction ID: b1f24b1f7906a0f34a5092d700cb68bb912956a3c232eecd2adab02639d385f0
Opcode Fuzzy Hash: c58fe4e5c159c8422be5983f7fd77ef6e817ebcc0445a73ec2f83e735e771291
Instruction Fuzzy Hash: 5FA2E875E01228CFDB64DF69C884A99BBB2FF89304F1581E9E509AB365D7319E81CF40

Function 02289B19 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4456bc752448c11ba81d613bf7349ce6549757678d0ab1864cc6f719433dfffd
Instruction ID: f06a4f1db5d4c597466db473edc195464c34ea73449d6c8860110b826429c9c3
Opcode Fuzzy Hash: 4456bc752448c11ba81d613bf7349ce6549757678d0ab1864cc6f719433dfffd
Instruction Fuzzy Hash: 50712E74E12645DFEB48EF6EE840699BBF2BFC8300F54C12AD005AB269EF7459059F42

Function 02289B28 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bbda144f7edadc5c91a2c37c6a63b9f508af62b4ec55f08c7f46ae68607203
Instruction ID: 6be97579f5252125d9078b189ffc5891dcd8494ded959a3a82c7561e8b538208
Opcode Fuzzy Hash: 06bbda144f7edadc5c91a2c37c6a63b9f508af62b4ec55f08c7f46ae68607203
Instruction Fuzzy Hash: 73711E74E12645DFEB48EF6EE840699BBF2BFC8300F54C12AD005AB269EF7459059F42

Function 05FEE990 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dddb933dc70c55bfe41010c238a433e1f4daccc828a20f2d6cd1f08ff215840
Instruction ID: be7f3c2012dec215ddc9fcd6d95acc3fcd01405db1d067bfec67821c76a3980c
Opcode Fuzzy Hash: 6dddb933dc70c55bfe41010c238a433e1f4daccc828a20f2d6cd1f08ff215840
Instruction Fuzzy Hash: 79613D78A14218DFDB84DF28D855BADB7F6FB49300F5181AAE50EAB350DB359A80CF01

Function 02345EAC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 265
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0234611F

Strings

ysEP, xrefs: 02345F1B
ysEP, xrefs: 02345EEC

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: CreateProcess
String ID: ysEP$ysEP
API String ID: 963392458-282066709
Opcode ID: f103cfd723b354a89d7879f2bb42c9bd37424f5328700b4ce2bfff2377981f3e
Instruction ID: 937608bea8db36a6a7e9a3c209f28358eb694c910a0aa17dbf427d05aaa7567e
Opcode Fuzzy Hash: f103cfd723b354a89d7879f2bb42c9bd37424f5328700b4ce2bfff2377981f3e
Instruction Fuzzy Hash: B1A1F170D00319CFDB10CFA9D8467EEBBF1BB0A314F1491AAE859A7290DB74A985CF45

Function 02345EB8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0234611F

Strings

ysEP, xrefs: 02345F1B
ysEP, xrefs: 02345EEC

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: CreateProcess
String ID: ysEP$ysEP
API String ID: 963392458-282066709
Opcode ID: 08ba069ccdc669863935f6b68d980ddc2094e61e91e92249b74d8e0634923f4b
Instruction ID: edce094afe50bc8e231e11128ea0194da8be5167bc0d74795658f485db2134a0
Opcode Fuzzy Hash: 08ba069ccdc669863935f6b68d980ddc2094e61e91e92249b74d8e0634923f4b
Instruction Fuzzy Hash: 19A1F270D00318CFDB10CFA9D8467EEBBF1BB0A314F1491AAE858A7281DB74A985CF45

Function 023468F0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 452
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02346C6F

Strings

ysEP, xrefs: 02346BDF

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: ContextThreadWow64
String ID: ysEP
API String ID: 983334009-2275478711
Opcode ID: ed85d8643ce076e89e0d73c835462fcaa5d17b5fb312d3ba5075bcae81e4ab12
Instruction ID: 8ae158fda4361f1b1b4cda5f30dcddb913009d975a1a59cd231a28ea179809c7
Opcode Fuzzy Hash: ed85d8643ce076e89e0d73c835462fcaa5d17b5fb312d3ba5075bcae81e4ab12
Instruction Fuzzy Hash: 3641DCB5D012589FCB10CFAAD884AEEFBF4BF49310F14802AE414B7240D738AA45CF64

Function 02347610 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 023476EB

Strings

ysEP, xrefs: 0234763A

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: ysEP
API String ID: 3559483778-2275478711
Opcode ID: 7b33a793b12fced0d20b00b8adbcb944bae5a8a9d8b44670b8ee0458c42bfed9
Instruction ID: 99a6daafb672b142b94ec08546aa077dfb943cdac4ad7073dc295db2dcf0640e
Opcode Fuzzy Hash: 7b33a793b12fced0d20b00b8adbcb944bae5a8a9d8b44670b8ee0458c42bfed9
Instruction Fuzzy Hash: 3641ABB5D012589FCF00CFA9D984AEEFBF1BB49310F14942AE818B7250D779AA45CF64

Function 02347618 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 023476EB

Strings

ysEP, xrefs: 0234763A

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: ysEP
API String ID: 3559483778-2275478711
Opcode ID: 02796d5b9c4bccac93b5759c98f4e3577222e98c12419daec1f75da5fd1b356a
Instruction ID: d1086212afca56a4b896c093e42c521d217b3e72962bda0051b08b2bfc758058
Opcode Fuzzy Hash: 02796d5b9c4bccac93b5759c98f4e3577222e98c12419daec1f75da5fd1b356a
Instruction Fuzzy Hash: 5941ABB5D012589FCF00CFA9D984AEEFBF1BB49310F14942AE818B7250D779AA45CF64

Function 023472B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0234736A

Strings

ysEP, xrefs: 023472DA

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: AllocVirtual
String ID: ysEP
API String ID: 4275171209-2275478711
Opcode ID: 117ee6a3eef08240d66050b3efca10ae6ad7c7f676477545c02567ebbbeb3dbf
Instruction ID: 485aef9aefdfc140f3af0da02f5524c8b904a782bbac01292b306fba7e607463
Opcode Fuzzy Hash: 117ee6a3eef08240d66050b3efca10ae6ad7c7f676477545c02567ebbbeb3dbf
Instruction Fuzzy Hash: 9D3177B9D002589BCF14CFA9D984A9EFBB1BB49310F10942AE815B7310D735A946CF55

Function 023472C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0234736A

Strings

ysEP, xrefs: 023472DA

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: AllocVirtual
String ID: ysEP
API String ID: 4275171209-2275478711
Opcode ID: 3ce046510fd11d47e4638a5da88f483b72166fec0ab3d69f5574d97a9909f051
Instruction ID: c796544486bd0db97994c46320caa5d4ab57933af855e919e7088f7393cda81e
Opcode Fuzzy Hash: 3ce046510fd11d47e4638a5da88f483b72166fec0ab3d69f5574d97a9909f051
Instruction Fuzzy Hash: 3E3188B9D042589FCF10CFA9D984A9EFBB5BB49310F10942AE815B7310D735A945CFA4

Function 02346BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02346C6F

Strings

ysEP, xrefs: 02346BDF

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID: ContextThreadWow64
String ID: ysEP
API String ID: 983334009-2275478711
Opcode ID: 5f6b6148a7d36710dbf1f8b90b0e522d79781927e62e2bff0a94611f4bba3dfa
Instruction ID: e26385ddd133647862779514f5634e5c224c417a6e07ae83c8a95a0c5e894bb2
Opcode Fuzzy Hash: 5f6b6148a7d36710dbf1f8b90b0e522d79781927e62e2bff0a94611f4bba3dfa
Instruction Fuzzy Hash: D531DCB4D012589FDB10CFAAD885AEEFBF4BF49310F14802AE414B7240C738AA45CF54

Function 05FD639F Relevance: 2.5, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%, xrefs: 05FDAB9A
*, xrefs: 05FDABC9

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID: %$*
API String ID: 0-3952375145
Opcode ID: 4b3d896420cf99108101b4dd81f74f6dd46a50e50f6ed7ed85fd83ff3975f494
Instruction ID: b8fcc79452c023421baf372a25dc36bbd1e1eb88373d49cf3438296cdb1cb8a4
Opcode Fuzzy Hash: 4b3d896420cf99108101b4dd81f74f6dd46a50e50f6ed7ed85fd83ff3975f494
Instruction Fuzzy Hash: 9D113730901219CFEB68DF58C94DBAAB7B6FB45300F0090E9E548A3241EB388E81DF12

Function 05FD6B50 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

u, xrefs: 05FD6B5D

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: 97f823652dec63f53b0fd62ead954a41134b32c451ef286cb0c7ee2b7b34df9f
Instruction ID: d0dcfe33b409cb762328e4cd94e5b7c2766d154d66d58d20bc2eea513ddac417
Opcode Fuzzy Hash: 97f823652dec63f53b0fd62ead954a41134b32c451ef286cb0c7ee2b7b34df9f
Instruction Fuzzy Hash: 6B011934A08218CFCB64DF58C99DA9AB7BAFB49300F1080D5E50DA7345DB349E85CF22

Function 0228FBB8 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccd6820d958c4c987f93282ec7cc214596d976c520adbef3ab1c98bed10f77f
Instruction ID: fcb6380e9052193d574ea84dee445dc3c99483ff7e51286d424b10322b9756af
Opcode Fuzzy Hash: 7ccd6820d958c4c987f93282ec7cc214596d976c520adbef3ab1c98bed10f77f
Instruction Fuzzy Hash: 04C11F323002458FDB15EFA9D844BAE7BE6EFC5710B64806AE905CB396CB34DC42CB91

Function 022819D7 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82faa1e7fc4dae3698c2baecc2890bc87cac253825ebdd71253b97ce8bd5a369
Instruction ID: a8ce48c12d2aefb13ff500a2ab574d5ef74b348adeaa2f2814c54a853b8d9aea
Opcode Fuzzy Hash: 82faa1e7fc4dae3698c2baecc2890bc87cac253825ebdd71253b97ce8bd5a369
Instruction Fuzzy Hash: CA715B34A26205CFD709DF98C444B99B7F2FF8A300F5581A1D009AB2D9D7B9ED96CB60

Function 02281730 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09baf7eefb32f8f31545340ef2021148ff6945b8203bc8f02339227fe7f373ae
Instruction ID: 76885a5995511ae69d44e5a13f1f25df682e9a9e9397b081b966d6e55cffe13f
Opcode Fuzzy Hash: 09baf7eefb32f8f31545340ef2021148ff6945b8203bc8f02339227fe7f373ae
Instruction Fuzzy Hash: 4541A934A21204DFDB04EBA8D444BE9B7F2FB89310F1480B9D009AB6E9C775E896CB50

Function 02281740 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe6d99dc9468accedc7c072378b0c4846dd67ef37b489b6c527bbe3017ee272
Instruction ID: a26535395c4d382a0f15a441217e04b6c5cb53c6ad08ceb0dff8284c2dfc9a6f
Opcode Fuzzy Hash: efe6d99dc9468accedc7c072378b0c4846dd67ef37b489b6c527bbe3017ee272
Instruction Fuzzy Hash: 60318B34A21204CFDB04EBA9D444BE9B7F2FB89310F1484B9D009AB6D9D775EC96CB50

Function 0228183B Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a5e8cf377a150c1565d1c3478c4d908883fbf39ebcf0e3a9d0d7c08d5aa3e9
Instruction ID: 43624c2d9b6ec5de4db8c1b15ef3860310aa4c27895e1f096e090efc146b601c
Opcode Fuzzy Hash: 49a5e8cf377a150c1565d1c3478c4d908883fbf39ebcf0e3a9d0d7c08d5aa3e9
Instruction Fuzzy Hash: 90311634A21205DFDB04EB98D444BE8B3F2FB89310F5484A9D009AB6E9D775E8A6CB11

Function 02289DD1 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b163a16bb5006cfed0c114662a2225096cd95882cbf5e67f980da6707933be
Instruction ID: 8931ad1a20d5a5879ab8ed50f0b22eba4ebc81a45d561c500bd6d5e7f12736a2
Opcode Fuzzy Hash: a4b163a16bb5006cfed0c114662a2225096cd95882cbf5e67f980da6707933be
Instruction Fuzzy Hash: 45314276E2120ACFDB04DFA9D5846AEBBF1FB48304F108466D505A7360EB719A84CF50

Function 02281CD0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9773c2a920bcbefb3b3278d8b41dd1a3e4d175f72b1c4ab9e905c4edd9893e
Instruction ID: ea5a7b47f50de779b1939d0e02cfbab1962f940cad69740798e93ebe7a2a135b
Opcode Fuzzy Hash: fe9773c2a920bcbefb3b3278d8b41dd1a3e4d175f72b1c4ab9e905c4edd9893e
Instruction Fuzzy Hash: A5217531B016059FDB14EBA8D4407DEF7F6EFC8610B14842AE409A7395DB71ED55CB90

Function 02289DE0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e031b5b8e470189debe75bfc9a88ef4ff9cdc77035ff84fc6d1c18c29556cbf
Instruction ID: f86529f22fe52d43a57ad33225e8dd2cd33fc584eed52147cdc1ef9de3c46875
Opcode Fuzzy Hash: 8e031b5b8e470189debe75bfc9a88ef4ff9cdc77035ff84fc6d1c18c29556cbf
Instruction Fuzzy Hash: 1A314476E2120ACFDB04EFA9D5846ADBBF5BB88300F108466D505A7364EB719A84CF50

Function 02281CC1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b9032130141cac52aaf9ac2c2538ec75054772469b88327e33a229ae6a02b
Instruction ID: 44d6b48d002b97e334451a3de9e95731e358722b44dcbc7037310c716c48a610
Opcode Fuzzy Hash: ac7b9032130141cac52aaf9ac2c2538ec75054772469b88327e33a229ae6a02b
Instruction Fuzzy Hash: D721D371E052059FDB04EFA4C8406DEFBF6FFC9610F14846AE849A7251DB319D55CB90

Function 0088D048 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688299341.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88d000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b710711e3f6a989b04a8c768db40636f23401b8eb0fdbeda4d949f1a61e0e2
Instruction ID: d5d8530d1fdae6a8de67979b4a811798930c2c6d7dd01249af13f6d6e4fe9bb0
Opcode Fuzzy Hash: 07b710711e3f6a989b04a8c768db40636f23401b8eb0fdbeda4d949f1a61e0e2
Instruction Fuzzy Hash: B62104B5504744EFDB14EF10D9C4B26BBA5FB84714F24C569E9098B282C336D85BCBA2

Function 02289A01 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba7ebb06898823e01db8ec5d341f2b49b4b71cc8c12180a71b5381d78a3a0b5
Instruction ID: d03f7c32cfe500589664cab049387a968a2a697d5c941c6bc6a9ca831b96f895
Opcode Fuzzy Hash: bba7ebb06898823e01db8ec5d341f2b49b4b71cc8c12180a71b5381d78a3a0b5
Instruction Fuzzy Hash: 512126B0922209DFDB44EFA8D4497ADBBF1FB4A304F50C1A5E409A7345DB788A84CB45

Function 02289A10 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d300932ebce3260624d16b04666b5b4e0831d25a650ba37968c5f6fa03e9225d
Instruction ID: e3bc981faa366a9117070b72b654785f16df092d55750a4b69fc408e71b07d43
Opcode Fuzzy Hash: d300932ebce3260624d16b04666b5b4e0831d25a650ba37968c5f6fa03e9225d
Instruction Fuzzy Hash: 80211470926209DFDB44EFE8D4497ADBBF1FB4A304F50C0A5E409A7389DB788A84CB45

Function 0228F4A8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193c7ad3af357c2bc82d6f75767086ad40749cca7af56fa43616cbfed2683d0c
Instruction ID: e1bafd0dc0ff3880830af69492438a41525702077fd6277701eecddc92b393b1
Opcode Fuzzy Hash: 193c7ad3af357c2bc82d6f75767086ad40749cca7af56fa43616cbfed2683d0c
Instruction Fuzzy Hash: 26113771D1520ACFCB08EFD9D9446EEBBFAFB88310F10802AD608B3654EB709955CB90

Function 05FD22DC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32092a2c3d4635a3bae610958c429eeed0dd3ddfe745e6ea6eb902c9017d596d
Instruction ID: 1214457d88e8df7fb267d003148c0e723d2401816239fcf3af283a5f39a7c500
Opcode Fuzzy Hash: 32092a2c3d4635a3bae610958c429eeed0dd3ddfe745e6ea6eb902c9017d596d
Instruction Fuzzy Hash: 76319E78A022288FCB64DF58C9A4AD9B7F5FB48300F1181EAE809A7351D734AE81CF41

Function 0088D043 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688299341.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88d000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c363dfc6928ab46034bd901ce650e8bb33f27982f9aee3ce90425bf9c31c636e
Instruction ID: 8f205bdbb1f48023178054882448da19c2f9a2ee22188df40f3252c2ae79b81d
Opcode Fuzzy Hash: c363dfc6928ab46034bd901ce650e8bb33f27982f9aee3ce90425bf9c31c636e
Instruction Fuzzy Hash: A711D376504640CFCB11DF10D9C4B16FF71FB84314F24C1A9D8098B696C33AD85ACBA2

Function 022818D0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82bb55c4ea8219444b0be66d23a58f322648d559ad9bf5105fbd04802db0470b
Instruction ID: 7236bccb7d569a0d21c02b797261d0de5e4d72e207c34103a26d543ca2ab811b
Opcode Fuzzy Hash: 82bb55c4ea8219444b0be66d23a58f322648d559ad9bf5105fbd04802db0470b
Instruction Fuzzy Hash: EE01D232D1578B9BCB029BB4D8404DEBF76EFCB620F1A4652D540B7191EB70258EC7A1

Function 05FD8BC1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed3416205ddf6e8594f182102bf7ad54f736ed1820aa89a7e9af70eb451bd59
Instruction ID: 5e23503231d72f78ccba0246ecffa008f5750e32e878bb4c636d6623aec6623f
Opcode Fuzzy Hash: fed3416205ddf6e8594f182102bf7ad54f736ed1820aa89a7e9af70eb451bd59
Instruction Fuzzy Hash: D821D874A14218CFCB64DF59E9996D9B7F1FB48340F1040EAE908A7784DB749E85CF42

Function 05FEF678 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce852a8a8fc15e707205094916de8136b21964c5602b0e48de075ba5030fd91
Instruction ID: 3175a7f094a8848c5ef35c1ad64dd096219ab812f86d7046e9ca2f2c938c2dfc
Opcode Fuzzy Hash: 9ce852a8a8fc15e707205094916de8136b21964c5602b0e48de075ba5030fd91
Instruction Fuzzy Hash: 841109B0E003099FDB48DFA9C9417AEBBF1FF88300F60806A9518E7354DB309A019F95

Function 0087D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688131252.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3512cee57b2cbedf93a340be66e7e469a95739188aa432dda7820dd17a419186
Instruction ID: 3feefa9d3f44568d09f8521458fb216c793c5b2709fa36776b8b0e8cf348213f
Opcode Fuzzy Hash: 3512cee57b2cbedf93a340be66e7e469a95739188aa432dda7820dd17a419186
Instruction Fuzzy Hash: 1A01A771404744ABE7208A25C8C4767BBE8FF51724F18D519ED4D8A186C379D845C6B1

Function 02281957 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f755a9ebd23b2db795d3591db845ff2810990f02a0781bfb631b77496b72090c
Instruction ID: 9ebdbb26e1fba5d06bbaa5e9d8b390227b2e189efc9aedddb7b91c11349e41de
Opcode Fuzzy Hash: f755a9ebd23b2db795d3591db845ff2810990f02a0781bfb631b77496b72090c
Instruction Fuzzy Hash: A6F0C8329252499BEB16DB70C455AEFBFB25F85300F15456ED403BB2C1DE70594AC781

Function 05FD1F86 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9c55ac3486cc3f0fbc45f7c218d245e732422c0bf0cb2784c723001edd4b03
Instruction ID: 3518665cda366159a9f6de0b91a86fca8247a3f6e894a3c46df0dbda05bf95c5
Opcode Fuzzy Hash: 5f9c55ac3486cc3f0fbc45f7c218d245e732422c0bf0cb2784c723001edd4b03
Instruction Fuzzy Hash: 1C018B30918208CFCB55EF68C89D6CAB7F1FB4A320F104291951E9B2D9DB344E85CF42

Function 0087D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688131252.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b8e26d2a9890116ba42dc38cb34631bcf070dc62a5d5ed88dfe648f3a681d8
Instruction ID: 226d8fb380611058252dbf0fe0336fe3b7f84958c317da75f57776ef4d13cf93
Opcode Fuzzy Hash: e5b8e26d2a9890116ba42dc38cb34631bcf070dc62a5d5ed88dfe648f3a681d8
Instruction Fuzzy Hash: 79F04971408744AEEB208A16D9C4B62FBE8EF51734F18C55AED488A286C2799844CAB1

Function 02281968 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba75a3ad848b23a933cf513193ee4fd020e73c32c1ebdfe41ba47fc8a7c6fcf
Instruction ID: e38fb0da1f097f14c93f8921eeeef6aaa60c0697a154cf047c07a8965571cfa0
Opcode Fuzzy Hash: eba75a3ad848b23a933cf513193ee4fd020e73c32c1ebdfe41ba47fc8a7c6fcf
Instruction Fuzzy Hash: C7F0E931A10109D7DB14D7A0C415AEFBBF69F84300F004425C003A73C0DE715906C6C1

Function 02281F2D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f1e620b1e864befab9ba16852710fd7d57287292d22d48c37e53b21711bfbe
Instruction ID: 3f8ca225e2e45f631232603ad6a98d9fefb330db7d10da9828730a5ca7dda69f
Opcode Fuzzy Hash: 10f1e620b1e864befab9ba16852710fd7d57287292d22d48c37e53b21711bfbe
Instruction Fuzzy Hash: A5011970A26308DFD710EF99C448B98B7F1EB04329F45C166D008AB6E9C7B4D896CF55

Function 02289F92 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e71f55f2eb822c246419dd761070b48ecfd3b126d7b36ee39f0caf0a1ca2c06
Instruction ID: 86327f35727b99faf6cba9415e0af89ef572ea6f59bee8813d20ea08e2199609
Opcode Fuzzy Hash: 7e71f55f2eb822c246419dd761070b48ecfd3b126d7b36ee39f0caf0a1ca2c06
Instruction Fuzzy Hash: C7E02B30569215DFE704EFA8D9057ADBBF9E706304F100058D549D32D2DFB1DA40C35A

Function 0228F280 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374d21d0e25dc6ce0e5b5f80c2fc721fa1170740e0085d9f64940b4c09724027
Instruction ID: a0049ed087b14cb506d62f73acf07eb158de5146841e532c98eb33f6e7f86b4b
Opcode Fuzzy Hash: 374d21d0e25dc6ce0e5b5f80c2fc721fa1170740e0085d9f64940b4c09724027
Instruction Fuzzy Hash: C8F0A578E15208EFCB84EFA8D941A9CBBB5EB49300F10C0AA9C1893354D6719A55DF81

Function 02289FA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c3abdf1b380681f30efbbce380eefc785acdd0b727738648ebdfabb6120800
Instruction ID: 9af3d560fdf9c64a8e92f9e3c864d9b4a35b7a2e816f47b981e67d33c8f312d2
Opcode Fuzzy Hash: 70c3abdf1b380681f30efbbce380eefc785acdd0b727738648ebdfabb6120800
Instruction Fuzzy Hash: 5AE0D83096A215DFDB18EFE8950477CBBE9A707304F000099D509D3292DFB19940C31B

Function 05FE5FF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc097b5bb2debb25b8491f52c78e0772ae17ec6876c5136f9ace2b6579b7f19
Instruction ID: d127799cda516b443f51653ec207a29fa9edec8e39c2b91ae8806f932a4e53dd
Opcode Fuzzy Hash: 2bc097b5bb2debb25b8491f52c78e0772ae17ec6876c5136f9ace2b6579b7f19
Instruction Fuzzy Hash: F7E0C974E05208EFCB84DFA8D540A9DBBF5EB49300F10C0AA991893351D6359A51EF40

Function 05FEDD68 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc097b5bb2debb25b8491f52c78e0772ae17ec6876c5136f9ace2b6579b7f19
Instruction ID: c2b8e0bae26a8352ea38ebe62a005751fc5c992b14e9277a7c00ca67f1dbd2fb
Opcode Fuzzy Hash: 2bc097b5bb2debb25b8491f52c78e0772ae17ec6876c5136f9ace2b6579b7f19
Instruction Fuzzy Hash: DDE0C974E05208EFCB54DFA8D941A9CBBF5FB49310F10C1A9980993354D6359A51DF40

Function 05FEA768 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc097b5bb2debb25b8491f52c78e0772ae17ec6876c5136f9ace2b6579b7f19
Instruction ID: 4cebd047d38b8ba0a500e4088c5c70948df781c3471ba65ed3f1bc15f1bac6e6
Opcode Fuzzy Hash: 2bc097b5bb2debb25b8491f52c78e0772ae17ec6876c5136f9ace2b6579b7f19
Instruction Fuzzy Hash: 77E0E574E09208EFCB44DFA8D985AACFBF5FB49300F10C5EA9859A3350D6369A51DF80

Function 05FD16F6 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c476ae12a4f9fd70e1cdf0929f8f05b74a984dc4ba91147b48006d781393a950
Instruction ID: a37fa7173a5da20479001cd756e55a0ac897508fee12b67b6a12b018488ce14e
Opcode Fuzzy Hash: c476ae12a4f9fd70e1cdf0929f8f05b74a984dc4ba91147b48006d781393a950
Instruction Fuzzy Hash: D6F01734A04218CFCB58EF58D99DA8AB7B6FB99300F1080A5E50DA7349DB309E858F52

Function 05FED848 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc097b5bb2debb25b8491f52c78e0772ae17ec6876c5136f9ace2b6579b7f19
Instruction ID: c95201a6e8a256e2559e7028a60c289e1e546180efdc3872bcd39b136791aec5
Opcode Fuzzy Hash: 2bc097b5bb2debb25b8491f52c78e0772ae17ec6876c5136f9ace2b6579b7f19
Instruction Fuzzy Hash: CEE0C274E09208EFCB44DFA9D940AADBBF5FB49310F10C0AA9819A3350D6359A51DF80

Function 05FEA3F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869a248732fa2b413c7bed545f1334f5dc8fa10791337cc9873e4562dec6e6ba
Instruction ID: 759cd579b18453d9d06648ff4a14d2dc20f9da577998cd2a43eeb66d08e472b5
Opcode Fuzzy Hash: 869a248732fa2b413c7bed545f1334f5dc8fa10791337cc9873e4562dec6e6ba
Instruction Fuzzy Hash: 02E0E574E09208EFCB44DFA8D5486ACBBF4EB49200F10C0BA881893350D6359A02CF40

Function 05FEF760 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869a248732fa2b413c7bed545f1334f5dc8fa10791337cc9873e4562dec6e6ba
Instruction ID: 97a5d30fe9535476587f4ce453a75e67a66083faa741295dc2519dc95c53f24a
Opcode Fuzzy Hash: 869a248732fa2b413c7bed545f1334f5dc8fa10791337cc9873e4562dec6e6ba
Instruction Fuzzy Hash: 48E01A74E19208EFCB84DFA8D5406ACFBF4FB49304F10C4E9881893340D6359A01CF80

Function 0228FB70 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1d18113950564b3f45bd6a0265461ae072ba6d513ee756adcdf3e801ae62b
Instruction ID: 5bf2f2f4edacef5c82359ff1905426707596ce7eac321bfb7b17bea738950c01
Opcode Fuzzy Hash: 52a1d18113950564b3f45bd6a0265461ae072ba6d513ee756adcdf3e801ae62b
Instruction Fuzzy Hash: A4E08674919208EFC704DFD4DA50A6DBBB8AB8E310F1080A9DC4457385C631DA51DB94

Function 05FE8BF0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fed6fde7cb002ae264f9fe5b7403f39ae8b63912f1bc9bfed014208cedfe41e
Instruction ID: 85e076dd621a3697eca7ff559fef907fce85db9eb7270aa91e566d7700f2271c
Opcode Fuzzy Hash: 0fed6fde7cb002ae264f9fe5b7403f39ae8b63912f1bc9bfed014208cedfe41e
Instruction Fuzzy Hash: 4FE04F34D09208EFCB04EFA8D5406ACFBB5EB4A204F1081E9C81863341D7359A01DF40

Function 0228E220 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b162a238d094de37749685128ed3e94e9f263f1b6e956a89c80f5758edb601f8
Instruction ID: d34d03c1a56d83586ebbdd60a048284e8bd12cb54dd0f454687065c38a7c6ec4
Opcode Fuzzy Hash: b162a238d094de37749685128ed3e94e9f263f1b6e956a89c80f5758edb601f8
Instruction Fuzzy Hash: A7E0C231912308EFCB00EFF4E50869E7BF8EB4A210F0004E9E504D3110FF318A14AB96

Function 05FEE5C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e09dfbde7fe7c3f0143948232cb250bc492671bcfac20bf70e53237453c23e0
Instruction ID: 40f9523e2e799f3af1c97c0db5236602bc3a7e4b10371f06dbf9109cc7ca7bb3
Opcode Fuzzy Hash: 2e09dfbde7fe7c3f0143948232cb250bc492671bcfac20bf70e53237453c23e0
Instruction Fuzzy Hash: 43E0C234909208DBCB04DF94E94096DBBB9FB46300F1081ECC80863341DB319E02CB80

Function 05FEB630 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abff315e8eff723f788dd55a3ad15716a349c4e7b2275452ffee4c73c5358f42
Instruction ID: d982ce114b2751f2efa2d29d463d77a6bdce9fe2867dbcfe09c25f913148fefc
Opcode Fuzzy Hash: abff315e8eff723f788dd55a3ad15716a349c4e7b2275452ffee4c73c5358f42
Instruction Fuzzy Hash: 7BE01271916308DBCB04EBF4A909A9E77F9AB46310F0005E5950997150FE719E14AB96

Function 05FEBE20 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8207fb1fadc6b6e1b642114954edfc7b355df5abbda83996effb61d4ab8f4623
Instruction ID: 60c873ce2c281c908fca25f22481c35e1a95c03449080b98fb4e3395270975af
Opcode Fuzzy Hash: 8207fb1fadc6b6e1b642114954edfc7b355df5abbda83996effb61d4ab8f4623
Instruction Fuzzy Hash: 83E01274E19308DFCB44EFB8D5456ACBBF8EB49211F1000B9D949A3350EB309A54CB91

Function 022808C1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee8393851bee99955d257fef3c0c702f791ead48ab3d3ddf3c4e62bca77394e
Instruction ID: 8e2667d9b9a85133c4e2a2826a60dd9027339389f89158a4c0c2876f2c6c7ae1
Opcode Fuzzy Hash: eee8393851bee99955d257fef3c0c702f791ead48ab3d3ddf3c4e62bca77394e
Instruction Fuzzy Hash: 4BE086A482B3C0EED7533F5454002443F70AF1735078990D3C485CB29BD628C98CC742

Function 02289EF9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb2e760f51587e4f74a358cdd91ddb25b29dbd9f799ffddc83c7e692cac9c77
Instruction ID: 4b3eb471f3f88d53ed0caa67c1a03e331850e629a44a3ccf77b1bf1afba68b35
Opcode Fuzzy Hash: 5fb2e760f51587e4f74a358cdd91ddb25b29dbd9f799ffddc83c7e692cac9c77
Instruction Fuzzy Hash: C7D013320F751547E5095794ED59376726CD71620DF443810564D425D1DE60C454C5D5

Function 02280878 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6130dc08969f476d41fdc4d3accf45c1c5a1a2de83ea8b2f83daeac47893c5c
Instruction ID: d75678d05afd58ef2257233840613cc804cb4eaa28fa67fba5813fb36dcca183
Opcode Fuzzy Hash: c6130dc08969f476d41fdc4d3accf45c1c5a1a2de83ea8b2f83daeac47893c5c
Instruction Fuzzy Hash: 43D0126050E7C12EDF07577849683487F72AF83204F0900CBD185DF093CA19488CC763

Function 0228142D Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c7ff0f9c5b1f3defb3527642fc9329d6c5c7848b1dfddd8e19ffd64a28465a
Instruction ID: 5fb7a2c4a5bac29b1359de13b32c35e79bb82a06b204e985243af8e68a0cc107
Opcode Fuzzy Hash: 85c7ff0f9c5b1f3defb3527642fc9329d6c5c7848b1dfddd8e19ffd64a28465a
Instruction Fuzzy Hash: F2D0A734A12111DBEBA4BBD4D80539C3298FF40700F409864D546A7089D720DE0E8783

Function 022808A1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1316e245ea1d161a6bcfe5c59c194ff0b017eba1cebf8a53f4b74746f9c1d64
Instruction ID: 81ffc8de2d316bfa41aa8980655039c29c509dc3c3ffaf5f1f3de2610d465657
Opcode Fuzzy Hash: a1316e245ea1d161a6bcfe5c59c194ff0b017eba1cebf8a53f4b74746f9c1d64
Instruction Fuzzy Hash: B1C04C2004E7C4AED30717696C144A1BFBC9C9741174A40D7F588CA16385455A589772

Function 05FEE960 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94533873eb3384bddbb00fbd32c5a03fa84bc9580ee8eb05855a44d3ea39392a
Instruction ID: da227b2e888efedebf89a3caeaf20c6174a8bdf6bd3a2b56fc02acc95f26d2f6
Opcode Fuzzy Hash: 94533873eb3384bddbb00fbd32c5a03fa84bc9580ee8eb05855a44d3ea39392a
Instruction Fuzzy Hash: A5C02B3109F3058BDA441344750C33D33DDA307301F002950630D001320F6480B8C245

Function 0228E048 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11c22d33023e5b4e23bd0a6dbaf58bde65092fc5cc70ec6471b7405de46ee05
Instruction ID: 88877b41911b24f821d42b17815bc76ab0a00198f8c12ed088e6dcaa45dd8fcb
Opcode Fuzzy Hash: c11c22d33023e5b4e23bd0a6dbaf58bde65092fc5cc70ec6471b7405de46ee05
Instruction Fuzzy Hash: A9C08C320722098BEB0837E8BA0E7283B6C6B02306F440020F70C20060AFB48024D73A

Function 022825A0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f364fc73469b04ab52e48821867a02c6c712d7a3492c63a468a9040030a06631
Instruction ID: 15d98834d1eccb15211fb7c8a958af84f7330e4c451fcd3fbdc1612aa098e5a7
Opcode Fuzzy Hash: f364fc73469b04ab52e48821867a02c6c712d7a3492c63a468a9040030a06631
Instruction Fuzzy Hash: 1DB0924540E3D12ECB0B122869560042FB08E1321039A40EBE0C8CF0B3C88C4A8D83AA

Function 022808B0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348190a74ab6430a7b151c6ddd045a3e679aac8777993aa9835e5062a1f7573d
Instruction ID: 1b534543588e12cbc874814fd6a3a64bf55c02b8ff38f04545e6f04bef3616e1
Opcode Fuzzy Hash: 348190a74ab6430a7b151c6ddd045a3e679aac8777993aa9835e5062a1f7573d
Instruction Fuzzy Hash: BD900231044B0CCB954037997809595779CE5449267C05051A50D415155A5565504695

Non-executed Functions

Function 05FD0040 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

=, xrefs: 05FDE21D

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 3d592e29ee1817731bd5b55158b68ecb261c053b0e41d8e0b1843e9809208cf3
Instruction ID: 1857a272eedf358aed0b31bfdbaf0135d68225145a3fb53bf75dfb9d72d9c0eb
Opcode Fuzzy Hash: 3d592e29ee1817731bd5b55158b68ecb261c053b0e41d8e0b1843e9809208cf3
Instruction Fuzzy Hash: 2341EA71E05219CBEB68CF5ACA48799F6F7AF88300F04C0FA950DAB254EB744AC58F11

Function 0234391A Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

ysEP, xrefs: 0234393A

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID:
String ID: ysEP
API String ID: 0-2275478711
Opcode ID: 40c5cf06d9f4ef7feab6e6ab429c7c4bc62a86e005f00fa78012ff9f855b4771
Instruction ID: 0792983333bd0ead6aeb048e4c3af674e3e1ff04d54e27bc67537a63074bdfe7
Opcode Fuzzy Hash: 40c5cf06d9f4ef7feab6e6ab429c7c4bc62a86e005f00fa78012ff9f855b4771
Instruction Fuzzy Hash: D021DEB5D042189BDB14CFAAD981AEEFBF4BB49310F14915AE814B7210CB356905CFA4

Function 02343920 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

ysEP, xrefs: 0234393A

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID:
String ID: ysEP
API String ID: 0-2275478711
Opcode ID: 382ff809fa98b15b851f9a31694dd81cfe987f11438bc89d771fe5e8d5398116
Instruction ID: d284b6021c2fefdbeeb9fdc07140766b2bbec71886ab3f8edadd48f6253b66cf
Opcode Fuzzy Hash: 382ff809fa98b15b851f9a31694dd81cfe987f11438bc89d771fe5e8d5398116
Instruction Fuzzy Hash: 0221CDB5D04218DFDB14CFAAD980AEEFBF4BB49310F24906AE815B7250CB356945CFA4

Function 02348EC0 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88443cbdf6b9270ca6ea7b4b92b648a8e73dd1d40a4fae6893daecf46e187de
Instruction ID: 8da1bda08a626c31794067f3a0faf82cd23cd3d7be8baaf436c7451d2deb3653
Opcode Fuzzy Hash: c88443cbdf6b9270ca6ea7b4b92b648a8e73dd1d40a4fae6893daecf46e187de
Instruction Fuzzy Hash: AFA14974A14208CFDB48EFA8E448BAEB7F6FB49304F108169E409BB695DF74A945CF05

Function 02348EB0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6630fb1961a6f32a69ffdfe0cb7d0fb212d4e3f1e529b6a30306d78e59f7ec
Instruction ID: cab6dc2eab60d56bf49e766a38888d8aa2a76620f31b111b74132a0193214c1f
Opcode Fuzzy Hash: cf6630fb1961a6f32a69ffdfe0cb7d0fb212d4e3f1e529b6a30306d78e59f7ec
Instruction Fuzzy Hash: 22A13A74A14208CFDB48EFA8E488BAEB7F6FB49304F108169E509BB655DF34A945CF05

Function 023488CD Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689164028.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2340000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea07292a04919df96e875175d15c9f732badd676e30fb5f27aa2bd61e4e5d5a
Instruction ID: 78f982fa30512065a6013bbe9f0183b86fe8294499c3648506646e3ac93455f1
Opcode Fuzzy Hash: eea07292a04919df96e875175d15c9f732badd676e30fb5f27aa2bd61e4e5d5a
Instruction Fuzzy Hash: 21512A74A141088FCB94EFA8D854A9AB7F2FB89304F10C0AAE509EB759DF749D45CF42

Function 05FD0006 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717860754.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4097d1408f437d3456509e37acc8fdf97ac731b0e79940daff0231625142ac6
Instruction ID: 2f1bf4dbc76b2cf89b5c66dbc2a419ca2fbf169389e543740ad58fc698419483
Opcode Fuzzy Hash: f4097d1408f437d3456509e37acc8fdf97ac731b0e79940daff0231625142ac6
Instruction Fuzzy Hash: EC314D71D057548FDB29CF6ACD4578ABAF7EF85300F08C0FAC548AA255EB784A868F10

Function 0228A55D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331ca32e5f6a460d79f52c66a887ce608933176aea36f70c0d0726b2180c33fa
Instruction ID: e6268d04d6de4d39969eec6a1890694c4c5ca435ed0b4d6635eab4a91712f8a4
Opcode Fuzzy Hash: 331ca32e5f6a460d79f52c66a887ce608933176aea36f70c0d0726b2180c33fa
Instruction Fuzzy Hash: 2131DA71D066588BEB59CF6AC85438DFBF2BFC9304F14C0AAC448AB269DB754989CF01

Function 0228A5C8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d0ce8fdc03ae9840daa72a16ac77360496f5648b3c9c1449cd2efd19d5ba2e
Instruction ID: 02c5c038fedfa893d37ed29b5ff942c6a837e3fd02e96c4f5ce531e26f8b5d65
Opcode Fuzzy Hash: 49d0ce8fdc03ae9840daa72a16ac77360496f5648b3c9c1449cd2efd19d5ba2e
Instruction Fuzzy Hash: 16319CB1D166188BEB18CF5BC94478EFAF7BFC8304F14C1AAC40CA6264EB7549458F00

Function 0228A5B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688870126.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2280000_0001.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3420ebe9837dee333ad6b7c73746f00c97e95f2eedb168d2b148a829799d6ffd
Instruction ID: e364e0240d4c467cc2849f1de95473dfdc1c45b98fcb014f077deb3d4e456e31
Opcode Fuzzy Hash: 3420ebe9837dee333ad6b7c73746f00c97e95f2eedb168d2b148a829799d6ffd
Instruction Fuzzy Hash: DE314CB1D016188BEB58CF6BC95478EFBF3BFC8304F14C1AAC408A6264EB7549858F41

Analysis Process: InstallUtil.exePID: 7112, Parent PID: 4084COMMON

Executed Functions

Function 027F9868 Relevance: .9, Instructions: 862COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0ab4abb498eb94906a92cc6f41c80a33a194865f1c08fe649d3948682157a1
Instruction ID: f775a933a0d62ea854b0574a24714b3b4a77d7b806a85fba303d45a8efbf30b2
Opcode Fuzzy Hash: ae0ab4abb498eb94906a92cc6f41c80a33a194865f1c08fe649d3948682157a1
Instruction Fuzzy Hash: 7A728131A08209DFCB55CF68C984AAEBBF2FF88314F158559EA09EB365D730E941CB51

Function 063111A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecfeac211dde99ec31f3b11609c086e3f268440d32698c7c74b831c0b060c4f8
Instruction ID: a5b780f803a5635eaf127973c3ed51b1c4e2c3bf2bd18ecf0a8c41db88a74299
Opcode Fuzzy Hash: ecfeac211dde99ec31f3b11609c086e3f268440d32698c7c74b831c0b060c4f8
Instruction Fuzzy Hash: E1826F74E012288FEB64DF65C898BDDBBB2BB89700F1481EAD50DA7265DB305E85CF44

Function 027FF017 Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7543dcaead8ab371d0a654b7adacb12030f0447ac0df426cc8a5de8771d8376
Instruction ID: ee0960d3b7bdbfa04b1362a5998a73201e665a99e60d4adc12c2260681188a17
Opcode Fuzzy Hash: c7543dcaead8ab371d0a654b7adacb12030f0447ac0df426cc8a5de8771d8376
Instruction Fuzzy Hash: 4E72CE74E04229CFDB64DF69C884BD9BBB2BB49304F1481E9D508AB3A5DB349E81CF51

Function 027F6120 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e894627d403a9ad6390adb832eb8fd171fd6a4f7838fb779646c55c1ef21e9d7
Instruction ID: b7b4349f6d8d620a59bd12ae7b4e7ae08b77f810b9e0294a54e2eb5ee3fdf9fe
Opcode Fuzzy Hash: e894627d403a9ad6390adb832eb8fd171fd6a4f7838fb779646c55c1ef21e9d7
Instruction Fuzzy Hash: 3C12AD70A042199FDB58DF68C944BAEBBFABF88700F148529E516EB391DB34DD41CB90

Function 027F6748 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25975eb49f59c45ece9eef016dd63eac685041279fc3e5f18cc5ea9e318fa9c
Instruction ID: 3ca724c045328717c013c25779a01420706f473a35aef2e7390fc2cc8352e144
Opcode Fuzzy Hash: f25975eb49f59c45ece9eef016dd63eac685041279fc3e5f18cc5ea9e318fa9c
Instruction Fuzzy Hash: B5125D70A08209DFDB54CF69C988AADBBFAFF88304F158069E565AB361D731EC41CB50

Function 027F3570 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2736e41573dd117ac0c3ec93bac418025a2576c37aa0c5cb4ef84d25a16b2333
Instruction ID: a9c3e48f5604e80da3c9885f4e995577b35367889fef83a08da5e6e577cf0e1e
Opcode Fuzzy Hash: 2736e41573dd117ac0c3ec93bac418025a2576c37aa0c5cb4ef84d25a16b2333
Instruction Fuzzy Hash: C7E16F34F052888FDB48EFB5D8556AEB7B2BF89700B148569E906EB354DF399802CF50

Function 027FB338 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da1c52a9e859a502ea34438fe402074a3047ecbce5b66e89d587fc31f061f94
Instruction ID: 8212c5176204890597c4d1764b59ad11bf16a04ab2db375278aa7a70d852cb8c
Opcode Fuzzy Hash: 6da1c52a9e859a502ea34438fe402074a3047ecbce5b66e89d587fc31f061f94
Instruction Fuzzy Hash: 8AE12A75E04218CFDB54DFA9C984AADBBB2FF49314F1590A9E909AB361DB30E841CF50

Function 06318608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91c91cf8debf14b85cd5b81719c2242afe458973643a471624ed928f0e14f2a
Instruction ID: df801afc2cb860bb17ea1ef32eedb5fe5c3800e443185e730e21386ad7630141
Opcode Fuzzy Hash: d91c91cf8debf14b85cd5b81719c2242afe458973643a471624ed928f0e14f2a
Instruction Fuzzy Hash: 13E1D174E00218CFEB64DFA5C844BDDBBB2BF89304F2081AAD409AB395DB355A85CF54

Function 0631D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0762dcd9a6c1f6e18a524ae8d2d92578a0e39804925ef225b52596815d01446
Instruction ID: 6f6fbc60aa331962c435fb226acd98346b90818b781cb4678a3463869374ea0f
Opcode Fuzzy Hash: d0762dcd9a6c1f6e18a524ae8d2d92578a0e39804925ef225b52596815d01446
Instruction Fuzzy Hash: 52A19475E012188FEB68CF6AC944B9DBBF2BF89300F14C0AAD40DAB255DB745A85CF51

Function 0631B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9f6db975f338ecff316c1a53b4fefefc9084c94ec06e15443370cef0e0a346
Instruction ID: c109e5015e5a528dc67fb100015a9d5850b25422b323c6f5f67466613f328c60
Opcode Fuzzy Hash: 9f9f6db975f338ecff316c1a53b4fefefc9084c94ec06e15443370cef0e0a346
Instruction Fuzzy Hash: 8EA19275E01218CFEB68CF6AC944B9DFAF2BF89300F14C0AAD409AB255DB345A85CF51

Function 0631C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3800bb9f405836e7532658e40604e6eac445a50c1e9b28cc0b63253c4ad7e097
Instruction ID: ed0c642060dac257964ea6cfa211bdc4a447136ace6467476622ce2c00b9ffe5
Opcode Fuzzy Hash: 3800bb9f405836e7532658e40604e6eac445a50c1e9b28cc0b63253c4ad7e097
Instruction Fuzzy Hash: 99A19375E01218CFEB68CF6AC944B9DFBF2AF89300F14D0AAD409AB255DB345A85CF51

Function 0631A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20949e9e08591bb07102eca54de0f7f6639a3500e5b53cf42cfa3851e9f3ac5c
Instruction ID: 9682c83ce7b8aefba6d49e75bb58e75d184816975ff4826ec685f61a2691bdbd
Opcode Fuzzy Hash: 20949e9e08591bb07102eca54de0f7f6639a3500e5b53cf42cfa3851e9f3ac5c
Instruction Fuzzy Hash: 3EA19275E012188FEB68CF6AC944B9DBBF2AF89301F14C0AAD40DAB255DB345A85CF51

Function 0631BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09e6a9d0aecbe948b3ec98f01d17ca008019035b39cd2f79e7a40adee88b445
Instruction ID: dbea1ed052892cfb53015bcd2f8291786c58391b92260c8a4ea2ec5f3b23a6ed
Opcode Fuzzy Hash: e09e6a9d0aecbe948b3ec98f01d17ca008019035b39cd2f79e7a40adee88b445
Instruction Fuzzy Hash: 7AA1A275E012188FEB68CF6AD944B9DFBF2BF89300F14C0AAD409AB255DB345A85CF51

Function 0631C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66a6dd356e78e866d8c94276b144d92d9d0662eb8c1e21b68879a289137a2ce
Instruction ID: a6c76820bdd725dedecff970b189cf52bd0abdbae7a7b67db6ce09d410b07a61
Opcode Fuzzy Hash: e66a6dd356e78e866d8c94276b144d92d9d0662eb8c1e21b68879a289137a2ce
Instruction Fuzzy Hash: 1DA1B475E012288FEB68CF6AD944B9DBBF2BF89300F14D0AAD40DA7250DB345A85CF51

Function 0631AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b595610eddd984557727e040fa31e2234d9a787dc65402ce601449ff38bc17
Instruction ID: 3f65c903c8cf9b31a52a19fa55dc8b0f3575db5cf04745852a3fcbecf4f97619
Opcode Fuzzy Hash: 25b595610eddd984557727e040fa31e2234d9a787dc65402ce601449ff38bc17
Instruction Fuzzy Hash: BCA19275E012188FEB68CF6AC944B9DBBF2AF89301F14C0AAD409AB251DB345A85CF51

Function 0631D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a6db7ae343e87aae82d8c3a41f734e4666405d412e9d5d7f7ed670e686d418
Instruction ID: b01deb15d26e3bcde13838c95e0d95051af6b63696013976717694b71abe364a
Opcode Fuzzy Hash: 30a6db7ae343e87aae82d8c3a41f734e4666405d412e9d5d7f7ed670e686d418
Instruction Fuzzy Hash: 29A18375E012188FEB68DF6AC944B9DBBF2BF89300F14C0AAD40CA7255DB345A85CF51

Function 0631B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea86a4ba944f09078696b75932da3ea654f5422cdd093588ddf350c7b3d97c5
Instruction ID: 14d05e24ea6dca3ac181660d80fbbe32e6822acc5c3fdafbc28ea5ee9f4c51a3
Opcode Fuzzy Hash: dea86a4ba944f09078696b75932da3ea654f5422cdd093588ddf350c7b3d97c5
Instruction Fuzzy Hash: B5A1A275E012188FEB68DF6AC944B9DFBF2BF89300F14C1AAD409AB254DB345A85CF51

Function 027FBAC0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfcd94c01bd97165ce007f916c1e2a5dfb90c0d859d19917ac57f150bf4127a0
Instruction ID: 0e2a8bc3a08385f7f9c238a1c8c5deeedc6ab26c0830b6a3a2b2e3f33d561789
Opcode Fuzzy Hash: dfcd94c01bd97165ce007f916c1e2a5dfb90c0d859d19917ac57f150bf4127a0
Instruction Fuzzy Hash: AC81E574E04208CFDB58DFAAD984A9DBBF2BF89304F14D069E519AB365DB309942CF10

Function 027FB7E2 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185cede19bc0ce48cbfb5aa575ab3dfa330704f6cfaeffafde7786184455e534
Instruction ID: c5664deea3cf4567fa3f5c1cdd90c858ab62be82cadcf7bc70f3f00bfe69adbc
Opcode Fuzzy Hash: 185cede19bc0ce48cbfb5aa575ab3dfa330704f6cfaeffafde7786184455e534
Instruction Fuzzy Hash: 4081D574E04218CFEB54DFA9D884A9DBBF2BF89304F14D06AD949AB365DB305945CF10

Function 027FBDA0 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc6bfe28ff297a36fad885f1e430b323424a2593bbd2101b69736c51ef54609
Instruction ID: ecdf232611a23288617358e51c0b48fc790c34d84208d9f8f0c00a3fcffd0260
Opcode Fuzzy Hash: dcc6bfe28ff297a36fad885f1e430b323424a2593bbd2101b69736c51ef54609
Instruction Fuzzy Hash: 2281D374E04218CFDB58DFAAD984A9DBBF2BF89304F14D06AE519AB365DB309941CF10

Function 027FC761 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7119267aa48a355a99cc1ce5f866c3de991de769188efa40571fda9a671afb
Instruction ID: 7c409290c43a2abe5a9becf9fd60ca06db0ef976ba44d0b9b4b0de09be547dc5
Opcode Fuzzy Hash: de7119267aa48a355a99cc1ce5f866c3de991de769188efa40571fda9a671afb
Instruction Fuzzy Hash: A981B374E04218DFEB58DFA9D984B9DBBF2BF89300F14806AD949AB365DB309941CF50

Function 027FC080 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30256ce531374db0c3ee2f0601f5e833e2e6d2e45835038dd088d6ca5594326
Instruction ID: 1a8d3d994cb4cd198f80349f1fa86f480b12667cf2d2f47760a6d8dd4cd6aad3
Opcode Fuzzy Hash: b30256ce531374db0c3ee2f0601f5e833e2e6d2e45835038dd088d6ca5594326
Instruction Fuzzy Hash: AC81A2B4E04218CFEB58DFAAD984B9DBBF2BF89710F14806AD509AB365DB305941CF50

Function 06318C51 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d8bd0845640265e642c9b97dde31bdeb0881da96144cbae353a3c902538904
Instruction ID: 507e3ff9a6458676045a962531ea9d68d7358778a5ccea14a7645b8ad5a8152c
Opcode Fuzzy Hash: d3d8bd0845640265e642c9b97dde31bdeb0881da96144cbae353a3c902538904
Instruction Fuzzy Hash: C881D174E00218CFEB58DFA9D954BEDBBF2BF89300F20816AD419AB255DB315946CF44

Function 027F46D9 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee35bed4b088b43bec677e04578da8b256766c6426a80959dbd764ac87b51682
Instruction ID: 8a750862c2ac2984fc4f5c7c854330dc63629085abfca302d0c284a76d63c853
Opcode Fuzzy Hash: ee35bed4b088b43bec677e04578da8b256766c6426a80959dbd764ac87b51682
Instruction Fuzzy Hash: 1A81D274E04258CFEB54DFA9D994A9EBBF2BF88300F14C069E919AB364DB309941CF50

Function 027FCA41 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e2f5e99263bcbe3cd9065257db8eeeff9da34dce3265535db0ac2a9103b216
Instruction ID: 7f9893b19929fadd2cde12dbfa1b4ff6e7ed9cb72d10d75e580f544ef2273c96
Opcode Fuzzy Hash: 98e2f5e99263bcbe3cd9065257db8eeeff9da34dce3265535db0ac2a9103b216
Instruction Fuzzy Hash: 9481A174E05218CFDB59DFAAD984A9DBBF2BF88300F14C06AD909AB365DB309941CF54

Function 06311191 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc891d383b42b2abc3bf83d675b0119feb45fa813c4139a154ddc0030c65dc15
Instruction ID: db459f25bee2c4c06e620a21bc7f7bf63f068ed8fdce45300f77fd9be50cd53e
Opcode Fuzzy Hash: dc891d383b42b2abc3bf83d675b0119feb45fa813c4139a154ddc0030c65dc15
Instruction Fuzzy Hash: 5481B374E412289FEB64EF25D895BDDB7F2BB89300F1481EAD809A7254DB305E85CF84

Function 0631B08F Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcba5331ea39603050007488947e972a98ce177e0d894e45df88d33993ca541
Instruction ID: cb9b48968b8fd15505106f99762d8be37c006a87969ea038b7d3aa34b617a62d
Opcode Fuzzy Hash: cdcba5331ea39603050007488947e972a98ce177e0d894e45df88d33993ca541
Instruction Fuzzy Hash: F0817571E016188FEB68CF6AC944B9EFAF2AF89300F14C1AAD40DA7255DB345A85CF51

Function 0631AA48 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41717bae2b6c21d17f4b0bf8ecd2309183f81f9971acbad077a37987f357406
Instruction ID: 8c0177268a1883c06d0a6ffe4b95460ae26a33c16fde46eefa7f1c96aab2eb43
Opcode Fuzzy Hash: e41717bae2b6c21d17f4b0bf8ecd2309183f81f9971acbad077a37987f357406
Instruction Fuzzy Hash: C3717671E016188FEB68CF6AC944BDDBBF2AF89301F14C1AAD40DA7255DB344A85CF51

Function 0631D018 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cedf3d1d573939836b88a5dbcd070f315480259cae44f8bf706de831afe54efe
Instruction ID: da4372e7a471c4b98a5bfc6c6cca6070f3b7442f96a7b6933b024490c0500f3c
Opcode Fuzzy Hash: cedf3d1d573939836b88a5dbcd070f315480259cae44f8bf706de831afe54efe
Instruction Fuzzy Hash: 6C817571E016188FEB68CF6AC944BDEBBF2AF89300F14C1AAD44DA7255DB344A85CF51

Function 027FB502 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f103008166795bf3c2abcd036f32b61457fb3626b36fe659a3544854f1708d0
Instruction ID: 248488db45073e8511203d65fbcd43739a256fc00f8d375561d93af9452c496a
Opcode Fuzzy Hash: 6f103008166795bf3c2abcd036f32b61457fb3626b36fe659a3544854f1708d0
Instruction Fuzzy Hash: 6A61F6B4E042088FEB58DFAAD984A9DBBF2FF89304F14D06AD519AB365DB345941CF10

Function 0631C9C8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755be8b65d85542ffb220b5a40fd3234f7d7c8ac9657127acbe9168c7e5eeebe
Instruction ID: 90345af833dbebf8327db3b0114647a3fbb66e291f17eec56f0cfebe34f5c8bf
Opcode Fuzzy Hash: 755be8b65d85542ffb220b5a40fd3234f7d7c8ac9657127acbe9168c7e5eeebe
Instruction Fuzzy Hash: 1E518971E016588BEB58CF6BD9447DAFAF3AFC9310F14C1AAC44CAA255DB340A86CF51

Function 0631C378 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5624cdf12e56fb68ecacf744a336408814be85693e824e44ce7cfc75ad367e3
Instruction ID: 07ed225a3d1194f95dfd75e94991cbe365f526266a9afc8ce5fad4b9f3d9b6e8
Opcode Fuzzy Hash: f5624cdf12e56fb68ecacf744a336408814be85693e824e44ce7cfc75ad367e3
Instruction Fuzzy Hash: 4451BB71D016588BEB58CF6BC85478AFBF3AFC9204F14C0AAC44CAA265DB740986CF50

Function 063185FC Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eca89956a5d590c2e700a073618f2cf8664da0c9eadc8fbce1f27449c33f470
Instruction ID: c969d9e7332dce076876f942917ae0f18b71da71a80dcb88dd1669541a637b89
Opcode Fuzzy Hash: 6eca89956a5d590c2e700a073618f2cf8664da0c9eadc8fbce1f27449c33f470
Instruction Fuzzy Hash: 8741B1B1E002088BEB58DFAAC9547DEBBF2AF89304F24C16AC418BB254DB755946CF54

Function 0631A3F8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c217e1a324dd048da8ad195264eb933bc62930b068d04da14be7a4d3b803ee33
Instruction ID: ff0eca6241ac9acb3d301651de8709bb0ec61dae7df24bd0be6829227077a8e3
Opcode Fuzzy Hash: c217e1a324dd048da8ad195264eb933bc62930b068d04da14be7a4d3b803ee33
Instruction Fuzzy Hash: 634168B1D016188BEB58CF6BC9457DAFAF3AFC9300F14C1AAC50CA6264DB340A858F50

Function 0631BD28 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1d3954aaa3c82612c6c4bd709af8acf53fbd90ca838044e9a8426c508657c0
Instruction ID: c6c0ffe58e21f70f13a8d178216c9dece3cfe5d13181de6d0b163685cba1936f
Opcode Fuzzy Hash: ff1d3954aaa3c82612c6c4bd709af8acf53fbd90ca838044e9a8426c508657c0
Instruction Fuzzy Hash: 98415A71D016188BEB58CF6BD9457CAFAF3AFC9300F14C1AAC54CA6265DB740A86CF51

Function 0631D662 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39d2738c7aa44f6fb50064a7c25d824ae01659705c3ca45bec6f49583fbbe00
Instruction ID: 50d8d44f978e37359e3553150e87423aee82f2272a728c697ca487ce534b168f
Opcode Fuzzy Hash: a39d2738c7aa44f6fb50064a7c25d824ae01659705c3ca45bec6f49583fbbe00
Instruction Fuzzy Hash: 5B416AB1E016189BEB58CF6BC9447CAFAF3AFC9300F14C1AAC54CAA255DB740A85CF51

Function 0631B6D9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1227b1e31cb7d491086d032bfa2b2eaa828aa1f5fe0c50a06412cb38ea557e8c
Instruction ID: c10d5225225d5a14854ca0204170d6477a380a4ede21ea8078aee75265b578fd
Opcode Fuzzy Hash: 1227b1e31cb7d491086d032bfa2b2eaa828aa1f5fe0c50a06412cb38ea557e8c
Instruction Fuzzy Hash: AD417971E016188BEB58CF6BC9457CAFAF3AFC9310F14C1AAC44CA6265DB740A86CF50

Function 027F7808 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60cf1530dfb1b05e1d8bab81902fc25cf2afcd6e77a0206e7ba9ca175c55495d
Instruction ID: cf8cc35d9f2220b20b45ba51b6769e61aebf815ee97a16ac9be3e14ed9c49ca6
Opcode Fuzzy Hash: 60cf1530dfb1b05e1d8bab81902fc25cf2afcd6e77a0206e7ba9ca175c55495d
Instruction Fuzzy Hash: BA52FD74A042188FFB54EFA4C864BAEB7B2EF88700F1081A9D10A6B3A5CF355E45DF55

Function 027F8801 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a658d710155c16454b9583f564a0da7e30680894cb3351c9b13152356948f5
Instruction ID: 9883418d407a8cc144c18f2eb12b1ae8a4fb75a3e4c619c77c22036b4d333674
Opcode Fuzzy Hash: 30a658d710155c16454b9583f564a0da7e30680894cb3351c9b13152356948f5
Instruction Fuzzy Hash: 15F18D3131C6018FDBA99B29C85873D77A6EF85744F1904AAE652CF3B1EB29CC81C742

Function 027F6E70 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c6bd4f25f7be4796c16f83d3d1fa0ee3985f2588481eccb8aadfbacd7d12e5
Instruction ID: 5a45cb75d40dafd44b61c5e3dd012b872161b99335e5ad4c47cabca1bfa412c8
Opcode Fuzzy Hash: b5c6bd4f25f7be4796c16f83d3d1fa0ee3985f2588481eccb8aadfbacd7d12e5
Instruction Fuzzy Hash: B0126B30A042489FCB58CF68D884AAEBBF2FF89714F148599E915EB361DB31ED45CB50

Function 027FA828 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e48433f53a1f4bf07d345702ab7343e3d418a0ebdb9f31c358d5398fcd7189
Instruction ID: 48007b26d214953d2855df80436ec5a4f3d1b46a09997f3fd114eadb2c753e0b
Opcode Fuzzy Hash: 05e48433f53a1f4bf07d345702ab7343e3d418a0ebdb9f31c358d5398fcd7189
Instruction Fuzzy Hash: 6BF13C75A04215CFCB45CFA8C588AADBBF2FF88714B1A8069E519EB361DB35EC41CB50

Function 027F0C8F Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ada61ffedc38ee5c7c41bfe614354df07f95d2a0dd6d148ec6e53531aae4e6a
Instruction ID: 7c3b7941d462bb6d079c05adc5dc9b0b53f435ba0aca57cf1b58c46cc9514c82
Opcode Fuzzy Hash: 6ada61ffedc38ee5c7c41bfe614354df07f95d2a0dd6d148ec6e53531aae4e6a
Instruction Fuzzy Hash: 0622F934904619DFCB55EF64E988A9DBBF2FF89700F1086AAD849AB318DB305D45CF80

Function 027F0CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297b491fec42e76c01003fd0ef2908ab54df1c10eb494cad3402f8388729ee29
Instruction ID: cdd7ef1f0f72ba74f69bc2bef47bca51a18bab1cb59f1875070c62fabf0a595e
Opcode Fuzzy Hash: 297b491fec42e76c01003fd0ef2908ab54df1c10eb494cad3402f8388729ee29
Instruction Fuzzy Hash: 6622EA74904619DFCB55EF64E988A9DB7F2FF89701F1086AAD809AB318DB305D45CF80

Function 027F56B0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80bf789aa6290e1b970a21e092ff8fa93d576343eccd2b1fff51827e6573836
Instruction ID: 15e129769b1ece3ffd10858c7defa21dbfb0d8f9e58b44177a93ca58fea3615e
Opcode Fuzzy Hash: a80bf789aa6290e1b970a21e092ff8fa93d576343eccd2b1fff51827e6573836
Instruction Fuzzy Hash: 07B1D1307082118FDB659F38C898B7E7BE2AF89714F548569E906DB391DB35CC52CBA0

Function 027F5C10 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dddcbb69b41645c7900bf82ef71f109e85d177e9cd81b2d6dbeb19ab39162c2
Instruction ID: e7ad1629bc5707c5ed0b5b09610ff6da459b65f8443331135f1a3e13961a4767
Opcode Fuzzy Hash: 7dddcbb69b41645c7900bf82ef71f109e85d177e9cd81b2d6dbeb19ab39162c2
Instruction Fuzzy Hash: 3C81C235B09505CFCB94DF69C488AAABBF2FF89704B948069D606EF365D731D841CB90

Function 063123E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746fa56cc1b268f0a7a1db53e7c90b41c821413cfd116eabca21107e0b35c241
Instruction ID: 5701846e38661db348cb598ebd0048e654b503401c4f693e12b9292080df90e9
Opcode Fuzzy Hash: 746fa56cc1b268f0a7a1db53e7c90b41c821413cfd116eabca21107e0b35c241
Instruction Fuzzy Hash: B9818B31B001068FDB48EB79D894A6E77F6EF88640B1581A9E406DB3A5DB31ED42CBD0

Function 06319510 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea023c55e72e9239a10a362a096268be1f4900fee09b0fb935f801ca70b48a39
Instruction ID: e3c9fa4cd091e761b1af28412bd95a9efbc89117d95b4bdd32f5019182acbcc7
Opcode Fuzzy Hash: ea023c55e72e9239a10a362a096268be1f4900fee09b0fb935f801ca70b48a39
Instruction Fuzzy Hash: A4718E31F002199BDB49DFA4C8647AEBBF6AFC8610F548429E405AB380DF749D46C7D1

Function 027F7450 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ff48053c9766f65427d0a56c4998a05b05291d327c713d6257eccaf21d0ab1
Instruction ID: 5451955c45c9a01f424314be90958f3dc01c2e1a822220d4e6ad6a472f33c439
Opcode Fuzzy Hash: b3ff48053c9766f65427d0a56c4998a05b05291d327c713d6257eccaf21d0ab1
Instruction Fuzzy Hash: C0712A34B082158FCB99DF2CC898A6ABBF6AF49704F1500A9EA15DB371DB71DC41CB51

Function 027FCED7 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a263039dd72b56482fe44589a7925d14c0f96f6eadc95ec4ae04379679e9835a
Instruction ID: bcd347a98288afb413d318b97b2613a857fc28665a6a434a09a15193e49c3fda
Opcode Fuzzy Hash: a263039dd72b56482fe44589a7925d14c0f96f6eadc95ec4ae04379679e9835a
Instruction Fuzzy Hash: 0C51C270AA96438FD3152F21AAEC57A7BA4FB0F31B3496D0AE02E824659F305465CB20

Function 027FCEE8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b2241e11495369b6551e24018726b1381289c04deb91f56fa6dde8e60b84ee
Instruction ID: 834a9d91fc46b0967c64cb06ff827be18765d73518cb6084e523f97f4494d174
Opcode Fuzzy Hash: c5b2241e11495369b6551e24018726b1381289c04deb91f56fa6dde8e60b84ee
Instruction Fuzzy Hash: B051A030AA97478FD2152F21AAEC53E7BA4FB4F31B7496C0AE02E824659F305465CB70

Function 027FE2E9 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf15a6a2ae0b9d4fb9d9604a15a8ee736227a37cbda0c016c00fed0576916613
Instruction ID: 4be5277ba0030411bba6d4757dd87e62b018b93482eab675592ce9d819abeeac
Opcode Fuzzy Hash: cf15a6a2ae0b9d4fb9d9604a15a8ee736227a37cbda0c016c00fed0576916613
Instruction Fuzzy Hash: AE61F274D01218CFEB14EFA5D888AAEBBB2FF89704F608529D805AB365DB355946CF40

Function 027FCD20 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b765047b60ef02fe88b043cc8ea3ed2f22602b24697e526bebc6efdd131535
Instruction ID: ef3ea3a34d7152d6a0e4f6804e4d83f422af3b9429578c33ab265202ca881452
Opcode Fuzzy Hash: b8b765047b60ef02fe88b043cc8ea3ed2f22602b24697e526bebc6efdd131535
Instruction Fuzzy Hash: 35519675E01208DFDB44DFA9D98499DBBF2FF89700F24816AE409AB365DB319905CF50

Function 0631DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3150c1378bbd33fca366cd3bc4a3d1403c256e3fa860512a27096db2e3c50cd9
Instruction ID: d53d35b82ffcf964db0c452abde29df8cc46bd4a775851cc261e7140f045359e
Opcode Fuzzy Hash: 3150c1378bbd33fca366cd3bc4a3d1403c256e3fa860512a27096db2e3c50cd9
Instruction Fuzzy Hash: DA416731945319CFEB49AFA0D55C7EEBBB2EF4A316F105829D102672E0CB780A49CF90

Function 027F3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73aac247e09b26652f5727a78b7779faef71a7f2ebe90b114be752deaeda127b
Instruction ID: fc336e2bed0b747d4397e755a9c0675d8f46a5b357b3ba321abd9ec7ba127ce0
Opcode Fuzzy Hash: 73aac247e09b26652f5727a78b7779faef71a7f2ebe90b114be752deaeda127b
Instruction Fuzzy Hash: 9B51B374E05248CFCB48DFA9D99499DBBF2FF8A301B208569E805AB324DB35AC05CF50

Function 027FF0F9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cea91ea85f5f7554e43e3758ca7f655a430ae91e1631a239da011ba3551323d
Instruction ID: c51aa1c3e24919c506fd1cb386dddba4455511587011b733898bbc0082fccd5e
Opcode Fuzzy Hash: 7cea91ea85f5f7554e43e3758ca7f655a430ae91e1631a239da011ba3551323d
Instruction Fuzzy Hash: 2D51CC75E05228CFCB64DF64C984BEDBBB2BF89301F1055AAD409A7790DB35AA81CF50

Function 06319A49 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a90f93accfc78ee0f293e8b5261aa32f79839c83eb2fa05000eede341ae8bef
Instruction ID: 367b37c3899ececd0a59fb4a67625582220481d4a092b9f7b714abe3654c9836
Opcode Fuzzy Hash: 2a90f93accfc78ee0f293e8b5261aa32f79839c83eb2fa05000eede341ae8bef
Instruction Fuzzy Hash: 0B512178E04208CFCB44DFA9D4847EDBBF2EF89314F20802AD455AB2A5D7345A4ACF90

Function 027FA660 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339d1b013a859225b8772ed126e1de24d64c713ee06fcf84402e0ca31380bddc
Instruction ID: dfada85905940eec65b5480e41f711ae928898d8a6e94cbb0a09673825e34c56
Opcode Fuzzy Hash: 339d1b013a859225b8772ed126e1de24d64c713ee06fcf84402e0ca31380bddc
Instruction Fuzzy Hash: 5641D231B042049FDB19AB75D858BAE7BF7AFC9610F24446DD506E7391CE359C06CBA0

Function 027F9A73 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40f5f453d87aacf673307a04d57e43ed309f5930dc73459a6a223258398ccb3
Instruction ID: 4a6c41b9345a21159e30ac6f85fc3a18e56d17d2b4594e07537cf75b6cea2724
Opcode Fuzzy Hash: c40f5f453d87aacf673307a04d57e43ed309f5930dc73459a6a223258398ccb3
Instruction Fuzzy Hash: 9541AC31A08249DFCF52CFA4C844BAEBBB2EF89314F008456EA05AB395D331E955CB90

Function 06319500 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc5520d65d52781377a5700130cbefd8f6d8cbc8c4429a25889ff815af4a91b
Instruction ID: fa99260f3f60f98144fbdc9d9e98f6e0cfbb467143c8fed0487d3489c9dca5a1
Opcode Fuzzy Hash: 0dc5520d65d52781377a5700130cbefd8f6d8cbc8c4429a25889ff815af4a91b
Instruction Fuzzy Hash: 08411F71E00219DBDB58DFA5C890BDEB7F5BF88710F158129E415BB280EB71A946CBE0

Function 027FD7DE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1f052d00115ed92cc8c37280d690955e1dae4d52c735cb4683d03bbda0762f
Instruction ID: 1881150ef4140fd537bba98d64d88f1991e7b6d1eca55efe9da829a48da28cb4
Opcode Fuzzy Hash: fc1f052d00115ed92cc8c37280d690955e1dae4d52c735cb4683d03bbda0762f
Instruction Fuzzy Hash: D8414674E08209CFDB65DFA8D4986ACBBF2FF4A301F209569D609AB344D7319842CF24

Function 027F3428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cae90dc0bd952eecfb37aac387637785e75fc8a743f8c7f676cbfa2ed3c832f
Instruction ID: c04bc24d10ff63ed44bcb2c63484494e26f18cfc0db42a97996c49f888b80ea7
Opcode Fuzzy Hash: 4cae90dc0bd952eecfb37aac387637785e75fc8a743f8c7f676cbfa2ed3c832f
Instruction Fuzzy Hash: C5313871B0C3A58BEF9D9A75899837E71DABBC4610F14047DEA06D7380DF74CC0586A1

Function 06319A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6418395513111a09979c69a4fd306d0308cf7b7a056510d6c6cdcecd1e4fbc64
Instruction ID: 353b8c3f7ecbccda202f640667a5e6c61cb5c0471e7d033d001d95bb0e7eebb2
Opcode Fuzzy Hash: 6418395513111a09979c69a4fd306d0308cf7b7a056510d6c6cdcecd1e4fbc64
Instruction Fuzzy Hash: E641CF74E01208CFDB48DFA9D5947EDBBF2BF89304F10852AD415AB2A4DB345A46CF90

Function 027FD77E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f90c8da5ec0b9dd43e92c396f1c7c63418ad50ca85c763b43248def84d35719
Instruction ID: 48a5053c786f9626e8948ef3bb70b24082122ef902193edfeca85ba4cfa00e4f
Opcode Fuzzy Hash: 5f90c8da5ec0b9dd43e92c396f1c7c63418ad50ca85c763b43248def84d35719
Instruction Fuzzy Hash: 46411470D08209CFDB64DFA8D4986ADB7B2FF4A311F209529D509BB344D7349841CF24

Function 027FD630 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2793c4538f1caf5fb7789ff9ed8da64a82abf4dea5d54f47c3bed1dff843d6a
Instruction ID: d8bd415164fb7fe479bd8fd595aa6e85123117820e603bbcd00c5d98ab88cce2
Opcode Fuzzy Hash: e2793c4538f1caf5fb7789ff9ed8da64a82abf4dea5d54f47c3bed1dff843d6a
Instruction Fuzzy Hash: 10410670E08208CBDB59EFA9D448AAEF7B2BF8A301F14D169D508BB355DB319841CF64

Function 027F4DD0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e585e22dc997938ff767db2d9724dd9d36b641127ff75e6d250b3210d265e8c
Instruction ID: c067b08c51da8e7187d324059633e3eb1877d700a053808c87657a4bb97ad7c2
Opcode Fuzzy Hash: 2e585e22dc997938ff767db2d9724dd9d36b641127ff75e6d250b3210d265e8c
Instruction Fuzzy Hash: F9318F316082099FDF05AFA4D868ABF7BE2EF88710F044419FA059B365DB34CD61DBA0

Function 027F76E8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be8896211c1e1363d603cfd0bc97a2e8686ab8e82e38c601ba9c98b6126206e
Instruction ID: b25d1a687c05ddca086193c10aab54484af09590eed4bd902f1fc8b36bc5c802
Opcode Fuzzy Hash: 4be8896211c1e1363d603cfd0bc97a2e8686ab8e82e38c601ba9c98b6126206e
Instruction Fuzzy Hash: D521D33432C2028BEB9D2629D49867DB7D7AFC5A54B284079D602CB395FF35CC42D7A1

Function 027FA819 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057f302a77e37a7bec237ecc69f3dd28fffe7c6a4712dd3ebb132e8b66ea8cdc
Instruction ID: aa3212ffa6bed17c5dfdeffe5377191b3f32cf34c37584eaf5af53fe9f55a431
Opcode Fuzzy Hash: 057f302a77e37a7bec237ecc69f3dd28fffe7c6a4712dd3ebb132e8b66ea8cdc
Instruction Fuzzy Hash: C9319570A045058FCB04DF69C8889AEB7F3FF89764B158169E959D73A5CB349D02CB90

Function 0631DCB1 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80efa59229413ffce34aad1bced96a1712b9f6a5a1bd1609f35c7b1eee6f9add
Instruction ID: 4bb18ca66e2ce9fc7427a69895b4599c9b542e20f94300ff000ff3bc66c1ff20
Opcode Fuzzy Hash: 80efa59229413ffce34aad1bced96a1712b9f6a5a1bd1609f35c7b1eee6f9add
Instruction Fuzzy Hash: 05318D31805319CFDB05AFA4D86C7EEBBB1EF4A311F04485AD101672E0CB780A49CF90

Function 027F76F8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4f50a3a893782f9caa51f58bb0c3d03de795cd21eee78e0703e92448aad1f3
Instruction ID: 7e831514994ac8e40fae119c5482ca26e9d234bc7ae054d7e63be586b44ab09f
Opcode Fuzzy Hash: 9b4f50a3a893782f9caa51f58bb0c3d03de795cd21eee78e0703e92448aad1f3
Instruction Fuzzy Hash: 6121803432C2028BEB986629D45477EB6DB9FC4654F244079D606CB794FF35CC82D7A1

Function 027F5A68 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6f4de57d3dab3197a61edc2d9ab982a14880db2dd625287ef48864679242e1
Instruction ID: ab4b10d1bcef068a7f33ee562ff31c15a3d4a75449c3becb72cf718bb7d6ee32
Opcode Fuzzy Hash: ab6f4de57d3dab3197a61edc2d9ab982a14880db2dd625287ef48864679242e1
Instruction Fuzzy Hash: F8210030709A128FC3269A69D49853ABBE2FF856647084169E946DB356CF34DC06CBC0

Function 027F2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60159febafeddab4b23e1f8fb599621b648cbaf11804bc94660de8f079d23e7c
Instruction ID: 430f2d4a37f39b663ded0614a0a93b81c62409428e0869f82808140c914d1a23
Opcode Fuzzy Hash: 60159febafeddab4b23e1f8fb599621b648cbaf11804bc94660de8f079d23e7c
Instruction Fuzzy Hash: 1921AE31A00209EFCB54EF24D840AAE37A6EB99260B50C519D91A9B344DB32EA42CBD1

Function 00B8D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3927991901.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b8d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12421185ff03601bc9440ad0f3da4bddd2a9b744fdca3cd8fdb563d361d76497
Instruction ID: 26c104915ebde6044faf83114efb3153528e9804bda9d22d5b1173c798999d65
Opcode Fuzzy Hash: 12421185ff03601bc9440ad0f3da4bddd2a9b744fdca3cd8fdb563d361d76497
Instruction Fuzzy Hash: 39212871504240EFDB04EF50D8C0F16BBE5FB94314F28C1AAE9090B3A6C336E856C7A1

Function 06319338 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5812c3127fafcc31ce6814e1839f641fd494dda71e28d3e9490444ab05ca0906
Instruction ID: 9c120f00623a504941a4a1bf19f72ebf3eba419e67e7d17c8f3d25eefb6b8aa2
Opcode Fuzzy Hash: 5812c3127fafcc31ce6814e1839f641fd494dda71e28d3e9490444ab05ca0906
Instruction Fuzzy Hash: 6721BA72804389AFEB00CF99C855BDEBFF4EF48210F14885AE558AB291C3359954CFA6

Function 00B9D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3928153484.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b9d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffffe45d3b63583041c2cba28f936ad9e3fdc20d87e98b3bca4ee01068ab4ad
Instruction ID: 21f2315f3c3331ff59c23534b2d58c050b73190fbc9f9644f8eb58e67fa08b9e
Opcode Fuzzy Hash: 5ffffe45d3b63583041c2cba28f936ad9e3fdc20d87e98b3bca4ee01068ab4ad
Instruction Fuzzy Hash: A821DEB1604204AFDF14DF25C9D4B26BBE5FB84318F20C5B9E8494B292C73AD846CA62

Function 027F4DC1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012b3ded1ac0b062b6f2006a9587b3c9f0cc68dd5c97b713c4cd0fab06d344b6
Instruction ID: 75d3fcf2111dedee6ce6b689f678ae60ab303da29ac53a55527de28899dec04f
Opcode Fuzzy Hash: 012b3ded1ac0b062b6f2006a9587b3c9f0cc68dd5c97b713c4cd0fab06d344b6
Instruction Fuzzy Hash: F921F33164C2059FDB15AFA4D4587AB3BE2EF84714F044469FA058B365DB38CD56CBE0

Function 027F39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8082dcede67eae032cd708e8b3c9830b7e185b6beb31dc66749cb794c31d8262
Instruction ID: 9fff5ba6505307dd520e54a75eddbc4a3b4e5701b4bcaa99b9e3612185f52481
Opcode Fuzzy Hash: 8082dcede67eae032cd708e8b3c9830b7e185b6beb31dc66749cb794c31d8262
Instruction Fuzzy Hash: 4231A078E05209DFCB44DFA8E59489DBBF2FF4A701B208569E819AB324DB31AC05CF40

Function 063196F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2029645f3632f2c426fde906fce70ce2cfddddacfb6c820688a5dd773a9e0de5
Instruction ID: 8edd24d0795a224ad270eccd80045419af7a403f188aaff2e6901be6b495599b
Opcode Fuzzy Hash: 2029645f3632f2c426fde906fce70ce2cfddddacfb6c820688a5dd773a9e0de5
Instruction Fuzzy Hash: 6E112B367042545FDB0A6EB858283AE3BE3DFC9610B54446AE505DB381DF744D56C3E2

Function 027FD61F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c69fd9eecf64a5553b1e5bac1f9640a4369fde9183341668bf429501db503c
Instruction ID: 202eddbf12d27de18e465f71b8d75c01bdac460c32ad38de070feb329dcd2c59
Opcode Fuzzy Hash: 05c69fd9eecf64a5553b1e5bac1f9640a4369fde9183341668bf429501db503c
Instruction Fuzzy Hash: 90114CB1E082058BEF18DFAA98486DEB7B3AFCA340F58D029D508BB259D73454068F54

Function 027FE208 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5aefad03191a784e1faff8e2456ec4a278e9324c184028223027f6eff70342
Instruction ID: e8992c8c43d690c8bdad6de8f8a11fa7b26542d52217783be521ad43844f065a
Opcode Fuzzy Hash: 4d5aefad03191a784e1faff8e2456ec4a278e9324c184028223027f6eff70342
Instruction Fuzzy Hash: C8218170A04209DFEB45FFB4D581A8EBBF1FF85704F4086AAC0449B225EB344A06CB81

Function 0631E0C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89652470f882f8b88de8ebc0df4ca65606d3dad0f26cbf6cba7f36911856d58
Instruction ID: 5bbb570051a57fb5aa8bd93eb2ebacc46fc457f1eb95c34305d9c785bbdf0fd2
Opcode Fuzzy Hash: d89652470f882f8b88de8ebc0df4ca65606d3dad0f26cbf6cba7f36911856d58
Instruction Fuzzy Hash: 6B110C317082509FD7051B799C686FBBFEBAFCA610B14487AD546C7296CE258C07C3A0

Function 027F5A78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677fc306d2347aad4eab1febe713ee28c28e365b68929358fc8dbca7cbdd0f8d
Instruction ID: 9dd6b7a40332979c6eea9c29009c0c2144200f59f450250ec2a01bf4b4e38cb1
Opcode Fuzzy Hash: 677fc306d2347aad4eab1febe713ee28c28e365b68929358fc8dbca7cbdd0f8d
Instruction Fuzzy Hash: A0112130709A028FC7199A6AC89893ABBD6FF846603080169EA06DB350CF30DC12C7C0

Function 027F1EF8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7936608ec70c037a47c1245f4b09f8477caf857a79a2d828a0b3696d0a559b
Instruction ID: 6745ebfc5c4988adc2d6beb75c7e04cbf208aef7314c1495885a1e13d40cf30b
Opcode Fuzzy Hash: 0f7936608ec70c037a47c1245f4b09f8477caf857a79a2d828a0b3696d0a559b
Instruction Fuzzy Hash: 712102B4D0920ACFCB40EFA8D9545EEBFF1BF4A300F50456AD805B7224EB305A58CBA1

Function 00B8D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3927991901.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b8d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 719a5a120d518472d199a8a27c23ad5cad10926bb708f943bd4c1433be88a03c
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: E811B176504280DFCB15DF10D5C4B16BFB1FB94324F28C6AAD8094B666C33AE85ACBA1

Function 06319328 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0228c031b31d0febf56827588ff285b0176037c62c0ef816416f02a27874716d
Instruction ID: 0f4c86c46b437499240d36fd4f60e0075902785a34d2e0c34ee90b837f93d3d2
Opcode Fuzzy Hash: 0228c031b31d0febf56827588ff285b0176037c62c0ef816416f02a27874716d
Instruction Fuzzy Hash: 671126768002499FDB10DF99C844BDEBBF4EB48320F148419E914A7250C379A954DFA5

Function 027FE218 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449ad79cbe79444d1cccc61661e4a653e86709aa06c8f4a4cb7129cc5618e921
Instruction ID: 802d017ea31bd57a8cac75ae1559a501201b485771c691cf9f5d57e7948ed67d
Opcode Fuzzy Hash: 449ad79cbe79444d1cccc61661e4a653e86709aa06c8f4a4cb7129cc5618e921
Instruction Fuzzy Hash: A5114F74A04209DFDB44EFB9D581A9EBBF1FF85704F1086AAC0089B324EB305A069B81

Function 06318EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9b73c6e39bac49feb5203cbd4f31b6e21c4963c61e43f0d064fc555f93662f
Instruction ID: 3fe07f38225bc78e54113990906cd99d66c0ed7f0bfe4654ffe894642ab4c53d
Opcode Fuzzy Hash: 4f9b73c6e39bac49feb5203cbd4f31b6e21c4963c61e43f0d064fc555f93662f
Instruction Fuzzy Hash: AC113034F00149CFEB18DFE8E850B9EBBF6EB48310F009065E818EB345E6309D428B94

Function 06319999 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984ad86997f475d8d5e7b1009c5eae2e869027b5c78576a0effcccb02f2800b0
Instruction ID: a0b4610e58aa71c09a4cc353c08b02b5c8dfd8aaf98d6f77e5be6b97041f3cda
Opcode Fuzzy Hash: 984ad86997f475d8d5e7b1009c5eae2e869027b5c78576a0effcccb02f2800b0
Instruction Fuzzy Hash: D81167B6800249DFDB11CF99C944BDEBFF4EF48320F24841AE554A7251C339A554CFA1

Function 00B9D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3928153484.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b9d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: cc4feb651edf130b7077d30aa2b98584f5cc935a9c5b0954425c7958ba7eaa95
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: 29119D76504284DFCB15CF14D9D4B15BFA2FB84318F24C6ADE8494B656C33AD84ACF62

Function 027F1F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acce4d86fed839bfcf9638e4444f7f86a88760c5ade27da429ada35c834238ed
Instruction ID: 9f183253351c91c43fad9f8563a8ded37dff52518d12df672d7f648f2c1d5473
Opcode Fuzzy Hash: acce4d86fed839bfcf9638e4444f7f86a88760c5ade27da429ada35c834238ed
Instruction Fuzzy Hash: 3E21C2B4D0920A8FCB40EFA8D9545EDBFF1BF4A300F10456AD809B7264EB305A59CBA1

Function 06312670 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d97ea5da1cab0fac6aeb234a749e0de93a661a7d998c3e76c770db365e07f2c
Instruction ID: f12c910faa00fd59a1a0f6b41e24d2cfaf67adfd89b225289ed17304d940c36b
Opcode Fuzzy Hash: 1d97ea5da1cab0fac6aeb234a749e0de93a661a7d998c3e76c770db365e07f2c
Instruction Fuzzy Hash: 34116D75B502258FC794EB78E4486AF7BF4EF89711B1105AAE405DB316DB32C9068BD0

Function 027F560F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd76b436e02bfe3220949e1c561be7e6992326044c037760f456810dc70a04f
Instruction ID: 71ba92fe2f41147f5b8f46c84e18315459b82bd042fe919312f928db2bed774e
Opcode Fuzzy Hash: bbd76b436e02bfe3220949e1c561be7e6992326044c037760f456810dc70a04f
Instruction Fuzzy Hash: 8001B572B081146FCB419E64E814ABF3BE7DBC9B51B18806AF914D7290DA758D129B90

Function 063125E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd60c7f38282289abd03e98e08996885e749467651f45b9786fb6f196639103
Instruction ID: b4c27a481a3799c07a2235a47c5471d3f1b9255750e782333b86b3303fa89054
Opcode Fuzzy Hash: cfd60c7f38282289abd03e98e08996885e749467651f45b9786fb6f196639103
Instruction Fuzzy Hash: 3801A470E00219DFDF88EFB9C8046AEB7F5AF48201F10856AD819E7250E7759A11CBD0

Function 06319760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3938261067.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6310000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de37d04972cb641d1a3acd282ecebc5243a7eacf843d0f559cb5452891633b1
Instruction ID: fc80d341dc422cd7b6d7297da4b6d16cd6c1330cadb304db14a6805176e44e1d
Opcode Fuzzy Hash: 5de37d04972cb641d1a3acd282ecebc5243a7eacf843d0f559cb5452891633b1
Instruction Fuzzy Hash: 6FF0E9323002186F8F055E98AC40AEF7BABEBC8610B40482AFA09C7350CF314C2197A2

Function 027FD459 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd908e65b3b2ca9c338ef05278acfd98c49416d1737dea36cd8525779fb580f0
Instruction ID: 1a71fcc4090a01b68546e4a4528b7ffe8963249391535354b33b6614428eb288
Opcode Fuzzy Hash: bd908e65b3b2ca9c338ef05278acfd98c49416d1737dea36cd8525779fb580f0
Instruction Fuzzy Hash: 4AE02B70A0C0018FEB4DAB59AD042FD7372A787345FC4303AC106E72A5CF34A51B8750

Function 027FDF18 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5cb03bf5386214bedb45ac2fb6b61ca17708e6a976029e97176c1c74adb5aa
Instruction ID: 7d287ad67d1efc7dbf756f854c5d6c91c5e32de68f455276241ded403aefc7f6
Opcode Fuzzy Hash: bf5cb03bf5386214bedb45ac2fb6b61ca17708e6a976029e97176c1c74adb5aa
Instruction Fuzzy Hash: 43E0ED30A1C0068FEB08AB59A9186E973B2E78B281F84142AD108E32A2CF74911F8684

Function 027FD4C4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da161a9b15ecfb2c66db51cca6d669eb175784f026488a44227ca0330e7515f2
Instruction ID: cb437cd16a27ff2969603ddc9c6d5287c5257cd6a69f1c5148d2392775ee737a
Opcode Fuzzy Hash: da161a9b15ecfb2c66db51cca6d669eb175784f026488a44227ca0330e7515f2
Instruction Fuzzy Hash: B2E026B2D0C280CFE7658BE658260B9BFB0EDE328574460CBC549DB631D618E206DB26

Function 027F2010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0db7aa8191dcb9709be6e433af261b9ad8b29557b45403718d7bf0d00de9da
Instruction ID: 8e0918483ec7f47b299aa45117464210adb15e96bebe9e47c760ccb11a0a14e2
Opcode Fuzzy Hash: 2e0db7aa8191dcb9709be6e433af261b9ad8b29557b45403718d7bf0d00de9da
Instruction Fuzzy Hash: 43E0D831E283A75FCB12A7789C540EEBF719DD7214B1945BAD0D0AB052DB31191BC791

Function 027F2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456b5772b35ecc2b5d8210e08ac7a4cfc7c6a65cdf6033afea97c33d06de97ee
Instruction ID: def143b6059df658e2089b5dc3948d17b27f13cf8b47f3e2ae2ef0d4750922b5
Opcode Fuzzy Hash: 456b5772b35ecc2b5d8210e08ac7a4cfc7c6a65cdf6033afea97c33d06de97ee
Instruction Fuzzy Hash: 1FD05B31D2022B97CB00E7A5DC044DFF738EED5261B504666D51537140FB713659C6E1

Function 027F8270 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 280859704ccce44aa7a9cbbabdd90002b897e91efb86623b9135fcc3b2f05271
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: FDC08C3320C5286EA6A4108F7C48FABBB8CE3C17B5A260137F61CD33009842AC8041F6

Function 027FA71D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f7c0c7a2c9bf4e0357fcdf4dff6d03ed10f448b59fecc678ec18fd94b4061e
Instruction ID: 539179602d238adf709c86d3a21e85d70a8b1d9c090d167baedd47e5656b0e32
Opcode Fuzzy Hash: 40f7c0c7a2c9bf4e0357fcdf4dff6d03ed10f448b59fecc678ec18fd94b4061e
Instruction Fuzzy Hash: 81D0677BB51008AFCB049F98EC449DDB7B6FB9C221B448526E915A3260C6319961DB90

Function 027F5EB0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2de1f43fd34982a44bd9f141c062a4b61a6b2bf053830dca277d2f889e3add
Instruction ID: ef70f4ecd32e919dac63ffca320f0136cc1d4c8b1ee76e9c2e83753aa1557b9a
Opcode Fuzzy Hash: ee2de1f43fd34982a44bd9f141c062a4b61a6b2bf053830dca277d2f889e3add
Instruction Fuzzy Hash: 1FE0CD3050C3811BCB12F374E4564D83B717E80D08B004294EC405E117DB7909068791

Function 027FFBFB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9252a4f7062b0511e841212cb822d958b49632d7a9a678e32d510e4cc76e233
Instruction ID: c264cf9a7a99f03dcd98f838db51db7e93507446e63efaef5ea5d6c0823dc936
Opcode Fuzzy Hash: d9252a4f7062b0511e841212cb822d958b49632d7a9a678e32d510e4cc76e233
Instruction Fuzzy Hash: 2DD06775D4911C9BCB60DF54DA542ECB7F0EF85300F0014E7D909B2200D7305A609F12

Function 027F5EC0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3929975685.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763520fae83d69fd4d3fdd9e7997c7e2df9a7a9beb040dd139413db5764ca349
Instruction ID: 77009f5a837d8ec03edbf038f94443f175feb51fae730af98a85caee3384ddf9
Opcode Fuzzy Hash: 763520fae83d69fd4d3fdd9e7997c7e2df9a7a9beb040dd139413db5764ca349
Instruction Fuzzy Hash: 94C0123050870947D901F7F5E94A59533DABAC0E14F404650B8091D11BDF7C294447D1

Analysis Process: svcost.exePID: 1280, Parent PID: 6396COMMON

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	0

Executed Functions

Function 05F53540 Relevance: 1.6, APIs: 1, Instructions: 107
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05F535FD

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 1a3aa298785063fbfe0b1b8a7c58726309279760b9043c3cf4e1a9937b13b8aa
Instruction ID: 0a0dbc6975b8e54e2ab89bafb7d1db86b7f64e251f1dd343506810320409f0a9
Opcode Fuzzy Hash: 1a3aa298785063fbfe0b1b8a7c58726309279760b9043c3cf4e1a9937b13b8aa
Instruction Fuzzy Hash: C24197B9D042589FCF10CFAAD880ADEFBB5BB49310F14942AE818B7210D735A905CF68

Function 05F53548 Relevance: 1.6, APIs: 1, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05F535FD

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: fd7adc09a8327dab084ed50578e479942913364ce1f5151c3ae9277f4bc0b97f
Instruction ID: ecc61e521c88f65f2a5f4878c3ea10fc962e746c684d8349c5cd68450ee8570a
Opcode Fuzzy Hash: fd7adc09a8327dab084ed50578e479942913364ce1f5151c3ae9277f4bc0b97f
Instruction Fuzzy Hash: 3C4188B9D04258DFCF10CFAAD880ADEFBB5BB49310F10942AE815B7250D735A905CF68

Function 05F55BE3 Relevance: 1.6, APIs: 1, Instructions: 86
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 05F55C76

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b562f7dcb2c181ba4b446d68fb872d69c1acb4fb008bccd447576fe1b62c0870
Instruction ID: cfeb160fab798475fc89b6d5e0a6aa0efc6669a68ccaf0f0cb4ae1f3a4d213ce
Opcode Fuzzy Hash: b562f7dcb2c181ba4b446d68fb872d69c1acb4fb008bccd447576fe1b62c0870
Instruction Fuzzy Hash: D631CBB5D012189FCB10CFAAD984ADEFBF5BB49310F10942AE815B7300C739A905CFA4

Function 05F55BE8 Relevance: 1.6, APIs: 1, Instructions: 82
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 05F55C76

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 73116d420594065cad5abc4158ef423c9499c5a096af0f54df3110121cb2bfa0
Instruction ID: 5e10f680db2080d3405f3d0470c129ca78c4eede9ab757a8070a1d875d574050
Opcode Fuzzy Hash: 73116d420594065cad5abc4158ef423c9499c5a096af0f54df3110121cb2bfa0
Instruction Fuzzy Hash: C731A9B5D012189FCB10DFAAD984A9EFBF5BB49310F10942AE915B7300C779A905CF94

Function 0326E270 Relevance: 1.0, Instructions: 983COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d2b4cbc66ecda3842aa9f1597b7fa0d063b2054b41b5b56268e36b24cca029
Instruction ID: 921b2eb34ee097dddf75ecc7adbb6b3a944a012121b57057ecfc97fd294737d1
Opcode Fuzzy Hash: a9d2b4cbc66ecda3842aa9f1597b7fa0d063b2054b41b5b56268e36b24cca029
Instruction Fuzzy Hash: 98A2B275A00228CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB365DB319E81CF50

Function 03269B19 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1edfad4a3b4b896eff7bb688f77305f2bf5c0a0709d88299d32772191109f19
Instruction ID: 2ab68f2fa4a66e23b01f5bcd8103cf36d4506cbe1068181605e413730bfd0871
Opcode Fuzzy Hash: a1edfad4a3b4b896eff7bb688f77305f2bf5c0a0709d88299d32772191109f19
Instruction Fuzzy Hash: 25714E70E062459FDB08DF7AE9807AEBBF6FFC8310F04D12AC405AB668DB7459458B42

Function 03269B28 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885fb55f4a31cd7ad7448040aef4250654033a4024fb8a6166dbcb8c6d9f18c3
Instruction ID: bddbb1b60c7c8fc2869907eefb199fa6c35d4ee6817cd74dde23250002a463e7
Opcode Fuzzy Hash: 885fb55f4a31cd7ad7448040aef4250654033a4024fb8a6166dbcb8c6d9f18c3
Instruction Fuzzy Hash: 81712C70E062099FDB08DF6AE9807AEBBF6FFC8310F04D129D405AB668DB7459458B42

Function 06F5E990 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c161e33439f709a23d9e44b7bcb0e6a14fe90b196a416f04d3ffb68dcc00ec
Instruction ID: 436b18db8cf1513ae60344dbb321bc1267006aaf473ff514e174e56de7457c3d
Opcode Fuzzy Hash: b0c161e33439f709a23d9e44b7bcb0e6a14fe90b196a416f04d3ffb68dcc00ec
Instruction Fuzzy Hash: 71610974A15218DFDB94CF29D855BA9B7F2FB49310F5180AAE90EA7390DB349E84CF01

Function 06F4639F Relevance: 2.5, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*, xrefs: 06F4ABC9
%, xrefs: 06F4AB9A

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID: %$*
API String ID: 0-3952375145
Opcode ID: 078670a44891b8ff142581dd6efbbfb8b25285fd121a1faffbb4605110dda1cd
Instruction ID: 2d96345e5f2603003e982397d11bd8d898159d71012ee2bbd967f157b71be036
Opcode Fuzzy Hash: 078670a44891b8ff142581dd6efbbfb8b25285fd121a1faffbb4605110dda1cd
Instruction Fuzzy Hash: ED113A74D4122DCFEBA4DF14C948BAAB7B6FB48304F0050E9D618A7644DB385EC09F41

Function 05F5415B Relevance: 1.8, APIs: 1, Instructions: 265
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05F543C7

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: eb316b1152f65abaaa0486ead2025442ada5f6443b934f7451ea3071e3853188
Instruction ID: a3a1467858ff2af574aae7a9b76d6340c93b777d3c4826393020d621d3e415e4
Opcode Fuzzy Hash: eb316b1152f65abaaa0486ead2025442ada5f6443b934f7451ea3071e3853188
Instruction Fuzzy Hash: FDA11270D04218CFDF10CFA9D889BEEBBF2BB09310F149169E959A7290DB788985CF55

Function 05F54160 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05F543C7

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 46f8e32b4594c7ead4dd0ba4dad6c399d1fe7d09069bfeb04749c35b58e75513
Instruction ID: f44cef29f5e63c3c8677b7a21a82d4cdd770d8920208ba67db59eea8075a0ef3
Opcode Fuzzy Hash: 46f8e32b4594c7ead4dd0ba4dad6c399d1fe7d09069bfeb04749c35b58e75513
Instruction Fuzzy Hash: 6AA10270D04218CFDF10CFA9D889BEEBBF1BB09310F149169E959A7290DB789985CF45

Function 05F554BB Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05F55593

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 07412e94fd160b426cb171279263b1e25ce9eb245d6d318c0c0b6dbdefc54311
Instruction ID: 1cb3eb2daedf39284d35f47b22d3cd18d17c20d9b39322328b9f966e32dca2cb
Opcode Fuzzy Hash: 07412e94fd160b426cb171279263b1e25ce9eb245d6d318c0c0b6dbdefc54311
Instruction Fuzzy Hash: B541A8B5D052589FCB00CFA9D984AEEFBF1BB49310F14942AE819B7250C739AA45CF64

Function 05F554C0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05F55593

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5837288f173ca480aebb9ccfbcc17e7f5289748b1b8dba122341705b6964b429
Instruction ID: 5e746ad21b4857f1764dd9b7aa490eec9f4969f8f10f1270ac1c52c05d31f4e1
Opcode Fuzzy Hash: 5837288f173ca480aebb9ccfbcc17e7f5289748b1b8dba122341705b6964b429
Instruction Fuzzy Hash: 2241A9B5D012589FCF00CFA9D984ADEFBF1BB49310F14942AE819B7210C739AA45CF64

Function 05F55160 Relevance: 1.6, APIs: 1, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05F55212

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b4abaa33e6ea0385c98d6b244893f1a7db28d82ffd95e9f82e65a923e84d06cd
Instruction ID: a933a8457d10f9e0c72d63b9624cafe3c55063d3fa6abdd748363ececcf7251b
Opcode Fuzzy Hash: b4abaa33e6ea0385c98d6b244893f1a7db28d82ffd95e9f82e65a923e84d06cd
Instruction Fuzzy Hash: F541B8B9D04248DFCF10CFA9D880AEEFBB5BB49310F14942AE814B7210D735A902CF64

Function 05F55168 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05F55212

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 86e8406903ae0832dc1a80ea617baadc959a611cd25ba1eb97a75691c6b57058
Instruction ID: 8644547ec221f4c578d26947e2ea8e5b5c574fde3c6593e155417bb9ef8ea4dd
Opcode Fuzzy Hash: 86e8406903ae0832dc1a80ea617baadc959a611cd25ba1eb97a75691c6b57058
Instruction Fuzzy Hash: 6E3188B9D04258DFCF10CFA9D880ADEFBB5BB49310F14942AE815B7210D735A906CF64

Function 05F54A60 Relevance: 1.6, APIs: 1, Instructions: 101
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05F54B17

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 25d9b739d3922d768f388da7c7ab17dc3949621b6cd108205df7b7bee83e5239
Instruction ID: 420925e1c2bfb1e7806bf10cdadc7c4f6b1222cde0d41fa37f91f41db1daf458
Opcode Fuzzy Hash: 25d9b739d3922d768f388da7c7ab17dc3949621b6cd108205df7b7bee83e5239
Instruction Fuzzy Hash: F741ACB5D012589FDF14CFAAD884AEEBBF1BB49314F24842AE419B7240C739A985CF54

Function 05F54A68 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05F54B17

Memory Dump Source

Source File: 00000005.00000002.1848441752.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5f50000_svcost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d498d1cfc5fbe863898767e5b63b0cf5fc40d0efcfa0670d339a7707c19bc7bc
Instruction ID: a857d2c41cbe5976d59d1aea13e755843bd71cee90fe9c0dbd5bed79e148ff3c
Opcode Fuzzy Hash: d498d1cfc5fbe863898767e5b63b0cf5fc40d0efcfa0670d339a7707c19bc7bc
Instruction Fuzzy Hash: 5631BAB5D012589FDF10CFAAD884AEEBBF1BF48314F14802AE419B7240C739A985CF54

Function 06F46B50 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

u, xrefs: 06F46B5D

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: 6110a2e089e8275a46854f9fe8bdf89e69e48ba45f0dedfe6044aed49ef36906
Instruction ID: b1dfcc5b619a0700f59ba100c4022ba10e7832d9739b1c6def0e14db26a080df
Opcode Fuzzy Hash: 6110a2e089e8275a46854f9fe8bdf89e69e48ba45f0dedfe6044aed49ef36906
Instruction Fuzzy Hash: 91018C74A082288FDB64DF54C988BAAB7B5FB98300F0080E9E60DA3240DB385EC1CF51

Function 03261672 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b0d2116f64e39ce58b82e66c3c228d9242bdf0f618dfee760769ff24db915b
Instruction ID: cded8bf05d14e97886137cf95a4576617877b91d59d22ac0b2ecee870cc0ad5a
Opcode Fuzzy Hash: 60b0d2116f64e39ce58b82e66c3c228d9242bdf0f618dfee760769ff24db915b
Instruction Fuzzy Hash: 4361D135A14341CFCB05CB68D884BA5BBF6FF8A304F1881A9D444DB696DB34B8E5CB51

Function 032619D7 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e27076a277243b611285d60722cf7ca5069de91874a6e14247f59f9366c81df
Instruction ID: dfa3247f98aca5b93e88e2f3fdf3f90182634a0d4c198670e484eefbb494790f
Opcode Fuzzy Hash: 1e27076a277243b611285d60722cf7ca5069de91874a6e14247f59f9366c81df
Instruction Fuzzy Hash: FB714831A24245DFDB09CF18C884BE9B7F2EF8A300F6981A4D441AB255D7B5BDD5CB90

Function 032619E8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6ac4a6ad3e005a3ea5e8da92956b0a0498c2309a7f517715a342941a19197b
Instruction ID: 6b37798eb33ca89cfab920fc6e4b4713ed7400b8507c121d88e5737335884c16
Opcode Fuzzy Hash: ce6ac4a6ad3e005a3ea5e8da92956b0a0498c2309a7f517715a342941a19197b
Instruction Fuzzy Hash: 58614671A24205DFDB09CF58C884BE9B3F2EF89300F6981A4D402AB695D7B5BDD5CB90

Function 03261740 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d068489410423b41eb03d7a3ddc95de410f95860bd7eb6183413d7075952c3cf
Instruction ID: 48adf3c674c86a0775a4dda3d250939327fbb11743fcae6ec2d151a2cd0001b4
Opcode Fuzzy Hash: d068489410423b41eb03d7a3ddc95de410f95860bd7eb6183413d7075952c3cf
Instruction Fuzzy Hash: 8E51FF31A10209CFDB05CBA9D884AEDB7F6FF89310F1981A5D405AB290DB75B9D4CB90

Function 032624F0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e8950f4799f0010986edf25c0516111eb35372d2162df05e11fa139d60a26a
Instruction ID: 924fe98afb70f52af4f8f278fe90fdece547e1851de96c9ed1b6dca148789540
Opcode Fuzzy Hash: a7e8950f4799f0010986edf25c0516111eb35372d2162df05e11fa139d60a26a
Instruction Fuzzy Hash: 3CD017A902E3D28EE31B862529760942FB0BA5321238A04DBC0808B1A3C40852DAA3A3

Function 03261CC1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd0b05c191c8f251d96b49276cf8cc99c1fc27ce1ade379929cc57560e6eba7
Instruction ID: d74abbf8e10335fae53402095b73bb7cce88a379e71a16e2b585e4b483775630
Opcode Fuzzy Hash: 7bd0b05c191c8f251d96b49276cf8cc99c1fc27ce1ade379929cc57560e6eba7
Instruction Fuzzy Hash: 53319131B002099FDB14DF69C8806DEF7FAEFC9610B14846AD805A7355DB71BD95CB90

Function 0326183B Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c965372df6e04e202aaf7d7a1b29a0dbc7ae54204df5fdf9a35d21a5e319c24e
Instruction ID: 2c99bdf43887cb75ced4f14706b10bdfc755f6ee1090e38d766c73fe6c247a5d
Opcode Fuzzy Hash: c965372df6e04e202aaf7d7a1b29a0dbc7ae54204df5fdf9a35d21a5e319c24e
Instruction Fuzzy Hash: 73316730B20205DFDB05CB68D488BA8B3F6FF89310F5890A4D4099B661CB79BCE4CB54

Function 03269DD1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1228ff6661384ead2870ef51b4d1e91de125471ef1cf33c315164ff5b65f6f35
Instruction ID: 79243adac44b73db0565c99ac819d9a2e47f03d4de92b6c363d489d912e32cfb
Opcode Fuzzy Hash: 1228ff6661384ead2870ef51b4d1e91de125471ef1cf33c315164ff5b65f6f35
Instruction Fuzzy Hash: B53134B5E1420ADFDB04DFA9D484AAEBBF1FF48304F1484AAD405A7260DB749AD4CF90

Function 03269DE0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7441e1be3dab20590b80a48cce989338ead5ceb39364a80e892e3351edc55d
Instruction ID: a721489a66535fb4cde3252542655a3b7844f7af706bcd56c5ea612e023ba03e
Opcode Fuzzy Hash: 2e7441e1be3dab20590b80a48cce989338ead5ceb39364a80e892e3351edc55d
Instruction Fuzzy Hash: CA310574E14209DFDB04DFA9D484AADBBF5FF48304F1484AAD405A7220EB749AD4CF90

Function 017CD048 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1830635811.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17cd000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce9f7b7f88bbf267477013a162c0a72d82f68d37d3184ecdcebd649edf500e5
Instruction ID: b5a786e817286d43d3e6f4802a9d49bebe7b2878c998870ae69897eaecda4ba9
Opcode Fuzzy Hash: 7ce9f7b7f88bbf267477013a162c0a72d82f68d37d3184ecdcebd649edf500e5
Instruction Fuzzy Hash: 2A21C1B15042449FDB25DF98D9C0B26FBA5FBC4B14F2485BDE9090B242C336D456CAA2

Function 03269A01 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42242b5d8e336843fe187865971c8ef69c17e7c93f2665fe196b07fd1fe36e0
Instruction ID: ee314367bcff76b739465a9fb499ee5d252c27bcfb140f2258a105a277158439
Opcode Fuzzy Hash: e42242b5d8e336843fe187865971c8ef69c17e7c93f2665fe196b07fd1fe36e0
Instruction Fuzzy Hash: DD2128B0D25209DFDB44DFA9D8497ADBBF6FF4A320F1081A9D809A3244DB7859C4CB51

Function 03269A10 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ed713a9a7366e98d90bc3fd468ec3998888c9bcd484155122dadc2122c02bd
Instruction ID: ddb450779e4a14b2c71c68c2b0b11825f24c35faeab90156dad324d7b86b376e
Opcode Fuzzy Hash: e9ed713a9a7366e98d90bc3fd468ec3998888c9bcd484155122dadc2122c02bd
Instruction Fuzzy Hash: DC2107B0D25209DFDB04DFA9D8487ADBBF6FF4A310F1090A9D809A3204DB7859C4CB51

Function 0326F4A8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1741c2bd7ff6003eb3c1552773074885e92aa4a72a1328fae11f2f689bba0ffc
Instruction ID: 3293e53362d596d5da8d28d8cbec814c1551783d2bee52e69b2ca9329461d25f
Opcode Fuzzy Hash: 1741c2bd7ff6003eb3c1552773074885e92aa4a72a1328fae11f2f689bba0ffc
Instruction Fuzzy Hash: 11112671D1820ADFCF04CF99E6446EEBBBAFF89310F10802AE608B3250D7705985CB90

Function 06F422DC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca8185090c9cd5fbaae8cde8a20818467c015d8d83cebf1641a604f026d121b
Instruction ID: a75eece7eb313adb91403c21db8657146cc194e1a00d893b04cd5a7486ea583f
Opcode Fuzzy Hash: 9ca8185090c9cd5fbaae8cde8a20818467c015d8d83cebf1641a604f026d121b
Instruction Fuzzy Hash: 52319278A022298FCB64CF58C8A4AD9B7F5FF48300F0181EAE819A7351D734AE81CF41

Function 017CD043 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1830635811.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17cd000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c363dfc6928ab46034bd901ce650e8bb33f27982f9aee3ce90425bf9c31c636e
Instruction ID: b2b2b045f05b57f6ac8524c07114ebf45493a38d241a73901494d8b4c1204a9b
Opcode Fuzzy Hash: c363dfc6928ab46034bd901ce650e8bb33f27982f9aee3ce90425bf9c31c636e
Instruction Fuzzy Hash: D3119A76504284CFCB16CF54D9C4B16FBA2FB84714F2482ADD8494B656C33AD45ACBA2

Function 032618D0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7153d46768d3a407ff0c1d70eb39ff740f378b1a75e97cea1b0f05e2d56309d3
Instruction ID: de557e5fdd2db1967683bfa7f4f5bea63e98b4bf7df3374b361d7884ebf7becd
Opcode Fuzzy Hash: 7153d46768d3a407ff0c1d70eb39ff740f378b1a75e97cea1b0f05e2d56309d3
Instruction Fuzzy Hash: FC01D232D0474B9BCF019BB5D8405DEBBB6EFC6720F154626D500B7150EBB0258AC7A1

Function 06F5F678 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fb49efd678e749d64d89170b8cce34f657c1509b5dbb00d3f87a930f11a2e9
Instruction ID: f117d8b4a6ecdf89d60b558b873d6f1b7dab279e5bbf23d3d83550eae4a38e2b
Opcode Fuzzy Hash: 70fb49efd678e749d64d89170b8cce34f657c1509b5dbb00d3f87a930f11a2e9
Instruction Fuzzy Hash: 3B1109B0E0030A9FDB48DFA9C9857AEFBF5FF88300F5080699518A7354DB309A419F95

Function 06F48BC1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70920eff5ce41cef20d3b2660a306547f8b70442173c37d677922c83e90e6ba
Instruction ID: a9bb79d9da6c092b7aa7c46f404425fab6badd164d5b1bdab8560da74092fd12
Opcode Fuzzy Hash: a70920eff5ce41cef20d3b2660a306547f8b70442173c37d677922c83e90e6ba
Instruction Fuzzy Hash: CA21B478A04229CFCB64DF58E894ADAB7F2FB58344F0040EAD909A7784D7745E85CF41

Function 017BD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1830519094.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17bd000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37584375b3fc934b4271e34cb25560d55158355b7c9a6b2220a6eb5600069b2
Instruction ID: 704d0939586fffe92c9e085803d45284459439d5e9daa89c4959ff5c0ef2f143
Opcode Fuzzy Hash: b37584375b3fc934b4271e34cb25560d55158355b7c9a6b2220a6eb5600069b2
Instruction Fuzzy Hash: 7301A771504340ABE7304AA5C8C47A7FFD8EF416A8F18C459ED494A283C3799441CAB1

Function 03261957 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e522a854baf7fdd046455440079fb09b570388cf4755298a1a923de8c2aa51
Instruction ID: 59a04228f88325526c2082d31839c3242f888d23c0e9ebb389536ab26b5f1d08
Opcode Fuzzy Hash: 80e522a854baf7fdd046455440079fb09b570388cf4755298a1a923de8c2aa51
Instruction Fuzzy Hash: EDF0C231E2021ADFDB15DB71C459AEFBBF2AF88710F04846AD413BB280DE716946CB81

Function 06F41F86 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a989e4a0bc1ea354bc1229054f976ee857eba938aaa8a85affe9a3bc1673d9
Instruction ID: d3cfc736c249d47006e8d9c152925a7b1040ef8d9a7a3787c213c2c817444baf
Opcode Fuzzy Hash: 32a989e4a0bc1ea354bc1229054f976ee857eba938aaa8a85affe9a3bc1673d9
Instruction Fuzzy Hash: 2C11AD35908215CFCB11DF68C8986EABBB6FB59320F0002D98A1A972C5DB385D82CF81

Function 017BD01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1830519094.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17bd000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3388e96df60187ad0bae9d4cf6dcd7ead2533f84e9f376a8e58ebaf975943b5b
Instruction ID: c5e369c8b64644f07112db3a39f0e33ed50f96a4222b758b7f7b0ac0f84808d1
Opcode Fuzzy Hash: 3388e96df60187ad0bae9d4cf6dcd7ead2533f84e9f376a8e58ebaf975943b5b
Instruction Fuzzy Hash: 28F06272404344AEE7208E5AC8C4BA2FFD8EB41678F18C55AED484A287C3799844CAB1

Function 03261F2D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe8afe1e8aa7d8350efc14f5ceb82295b2649049af285f2c254df23d7648e93
Instruction ID: 7c6680cca90a140d714d51aea4907bd792aea85153e639e353d460ac3122ee5b
Opcode Fuzzy Hash: efe8afe1e8aa7d8350efc14f5ceb82295b2649049af285f2c254df23d7648e93
Instruction Fuzzy Hash: DA011930E24308DFD720CB58C588BA8B7F5EF08325F4991A5D0049B6A2C7B4B8D4CF91

Function 0326081F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38745e402b7e19deb94477f9cfad75ef7be1ed9ffaa8ba38990dad499b652590
Instruction ID: 20b5c3b8bf42fc75ef0e6ed55fb8c4b2d403c830b693ee12f3ae3f867eb4b08d
Opcode Fuzzy Hash: 38745e402b7e19deb94477f9cfad75ef7be1ed9ffaa8ba38990dad499b652590
Instruction Fuzzy Hash: EBF0393142E7D19FCB639B3998A82D63FF09E8322470E44DBC0D6CB0A7D528144ACB67

Function 03260860 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91021691de87147e35939e735abec6d7ccf547d2c7b3303e60ab2b0c95127b9
Instruction ID: 480e5a3aa65905c0c72cbc78644478b8e06311878ed9f6fd8d7445996ca1e9bf
Opcode Fuzzy Hash: b91021691de87147e35939e735abec6d7ccf547d2c7b3303e60ab2b0c95127b9
Instruction Fuzzy Hash: 88F0C22410E3D26FCB23577258682947FF1AF8320438E54DBC0C1CF0ABD2A96889CB63

Function 0326F280 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da1dee5fa5ee393a6f23a68497ff07b854123ff7ca4a6e39784961de634e874
Instruction ID: c97db59db6379e8d371c0e5e1b46a1083bdf020d937118fdb86232993c528b84
Opcode Fuzzy Hash: 1da1dee5fa5ee393a6f23a68497ff07b854123ff7ca4a6e39784961de634e874
Instruction Fuzzy Hash: AAF0A578E15208EFCB94DFA9D541A9DFBB5EF49310F10C0AAAC1993350D6319A95DF40

Function 03269F92 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77e5cde85e01864a8360f5d98ebcb877e45b77397e252df7b2921dabe801754
Instruction ID: fd9e89f4511566310943dfede6c2e558444a708274b1f99c386cbc4586bdf5ac
Opcode Fuzzy Hash: b77e5cde85e01864a8360f5d98ebcb877e45b77397e252df7b2921dabe801754
Instruction Fuzzy Hash: A3E022B1C6D242EFEB20CFE0968436CBAE89F0A300F2544ADC00EE3151CB729AC4C306

Function 06F416F6 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e10f520f322c9e459fac3c01c263d48bd4097f68525e23537876cc3abff718
Instruction ID: 53198a8ee3055ee813c4f3e9759181720fff11d7860f94a5f46f27b4967c99c4
Opcode Fuzzy Hash: 35e10f520f322c9e459fac3c01c263d48bd4097f68525e23537876cc3abff718
Instruction Fuzzy Hash: 62F03074A081199FCB54DF54D998A9AB3B5FB98300F1080E5A50997344DB385D81CF51

Function 06F5D848 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee69d29c6933a92b090b79ced27cf1dfbbefc515c03a892a396cc27da2a84fe
Instruction ID: 6cf9689623e809d9f5cf80cc45c7a690a3066d26b3e90b25179a05c7c31d37ab
Opcode Fuzzy Hash: aee69d29c6933a92b090b79ced27cf1dfbbefc515c03a892a396cc27da2a84fe
Instruction Fuzzy Hash: 5EE0C274E09208EFCB84DFA9D980AACBBF4EF59311F10C0AA9C08A3340D6359A51DF85

Function 06F55FF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee69d29c6933a92b090b79ced27cf1dfbbefc515c03a892a396cc27da2a84fe
Instruction ID: 754e80a0a9c1abb2d414328254286d36fef57a319ded6665d6254cebb46fdba8
Opcode Fuzzy Hash: aee69d29c6933a92b090b79ced27cf1dfbbefc515c03a892a396cc27da2a84fe
Instruction Fuzzy Hash: 19E0C974E05208EFCB94DFA8D540A9CBBF4EB49310F50C0AA9C1893351D6319E51EF80

Function 06F5DD68 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee69d29c6933a92b090b79ced27cf1dfbbefc515c03a892a396cc27da2a84fe
Instruction ID: efe568b96b8da316ecc258591934b433786a2eaedb3f9437ae6b57da39e25387
Opcode Fuzzy Hash: aee69d29c6933a92b090b79ced27cf1dfbbefc515c03a892a396cc27da2a84fe
Instruction Fuzzy Hash: A5E0C275E05208EFCB84DFA8D980AACBBF5EF49310F10C1AA9C08A3340D6369A51DF84

Function 06F5A768 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee69d29c6933a92b090b79ced27cf1dfbbefc515c03a892a396cc27da2a84fe
Instruction ID: 94227cfefdf8be877ae72afa200f66950c33daf5ab005a84115955063b4d8dca
Opcode Fuzzy Hash: aee69d29c6933a92b090b79ced27cf1dfbbefc515c03a892a396cc27da2a84fe
Instruction Fuzzy Hash: 30E0C975E05208EFCB84DFA8D580A9CBBF4EB49310F11C1E99C19A3344D6319A51DF80

Function 03269FA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df53b7c55cc1d4775dcba9624633183715b7e8dec523f57db49d7f79ae807fd3
Instruction ID: 6a53bf5607c25e373ec476e71a1a113478d439557043f9717cd6b2b4b6ad07ee
Opcode Fuzzy Hash: df53b7c55cc1d4775dcba9624633183715b7e8dec523f57db49d7f79ae807fd3
Instruction Fuzzy Hash: 6FE0DF3096D309EFCB20DFA4904876CBAED9B0B210F0040ACD40EA3245CBB12AC4C35A

Function 06F5A3F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ad592a80a338629ed8caee10342f2ea45763bedc731e2a5fb733b233110f38
Instruction ID: ce855b05854fecc4f33ceb2f49c0e9d4768fd0e5f99d7fb4f27cf36005c2d470
Opcode Fuzzy Hash: a3ad592a80a338629ed8caee10342f2ea45763bedc731e2a5fb733b233110f38
Instruction Fuzzy Hash: DCE0E574E05208EFCB84DFE8D5846ACBBF4EB49200F10C1B9981893350DA319E12CF80

Function 06F5F760 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ad592a80a338629ed8caee10342f2ea45763bedc731e2a5fb733b233110f38
Instruction ID: 03c7a0034486cec833b4bbb58f592d08dd1ef7927a92ff52d903dec72c3d271e
Opcode Fuzzy Hash: a3ad592a80a338629ed8caee10342f2ea45763bedc731e2a5fb733b233110f38
Instruction Fuzzy Hash: 35E0E574E16208EFCB84DFA8D5806ACBBF4EB49304F10C0E99C5893340D6319E02CF80

Function 0326FB70 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187ff809c41eda072213bc885f05ac854828d73505e8bb6ece9ece78424f3b43
Instruction ID: 339fdeb91176443179072938074f0b8e5372654db1c132d9c368e6a19afecfc7
Opcode Fuzzy Hash: 187ff809c41eda072213bc885f05ac854828d73505e8bb6ece9ece78424f3b43
Instruction Fuzzy Hash: EEE08674919208FFCB04DF94E550A6DFBB8AF8E310F14C0AED85457341C6319A81DB94

Function 06F58BF0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6002efda969ae8a1f9674f71a51b95b333c654278c1ea48e1a15be91bddf20e6
Instruction ID: c0f9d106d28cd3108f17dedf6c345184ca34d432ccc8f87065950f168c6f2f56
Opcode Fuzzy Hash: 6002efda969ae8a1f9674f71a51b95b333c654278c1ea48e1a15be91bddf20e6
Instruction Fuzzy Hash: 53E01234E0A208EFCB44DBA8D5846ACBBB4AB89200F1082EADC6853341C7319E02DB80

Function 06F5B630 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3ff097aa19be8aae4dc358048a17a391327673a07d24e91225bc5d3b90bb15
Instruction ID: 6b55490924c0d573e417c3128173b43f165878cd2ecf3d1f0ac60830bb777b99
Opcode Fuzzy Hash: 8f3ff097aa19be8aae4dc358048a17a391327673a07d24e91225bc5d3b90bb15
Instruction Fuzzy Hash: B1E0C271806308DFCB40EFB09500B9E77F8DF46210F0005E9950593110EE724E44D792

Function 06F5BE20 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79279d10aaf91a69a5b97fd1b9c5bff307498c7d7a151b6583a670c6e83d5ad8
Instruction ID: 12d026076f1a40c1781c9cfe41b79b39e3c9a4b4c2d4e929871cce360dbf0ab2
Opcode Fuzzy Hash: 79279d10aaf91a69a5b97fd1b9c5bff307498c7d7a151b6583a670c6e83d5ad8
Instruction Fuzzy Hash: B9E0EC74D19308DFCB84DFA8D5556ACBBB4AB09211F2044E9D948A3340EA305A44CB91

Function 06F5E5C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419cb9b6f6f0656a869917315d01bbb8774535237cb95693ad8bd348365b364b
Instruction ID: 35a032d65a8ff27b43ab80dec996eaa3d3863588980d7b284e51ce0144166eab
Opcode Fuzzy Hash: 419cb9b6f6f0656a869917315d01bbb8774535237cb95693ad8bd348365b364b
Instruction Fuzzy Hash: D9E08C74D09208DFCB04DB98D68096CBBB4AB46300F1081AC8C0863341DA319F02CB80

Function 06F41780 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf50e7e32d1d09cac5103e0c1b55694236d777655aaa14966275e703906739b
Instruction ID: 6755f16458dcde6d0089939d12405990946173b927b25b27a390d7bca540ef6e
Opcode Fuzzy Hash: 1bf50e7e32d1d09cac5103e0c1b55694236d777655aaa14966275e703906739b
Instruction Fuzzy Hash: 0DE06D74D081298FD794DF04DE98AAAB77AFBA8300F0080A4A10DA3344DB345D818F80

Function 0326E220 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b30d6d14155e96f440c4d03553cadec54bace24f2f4320cc2269de3085c1d97
Instruction ID: aa2c1ee9650b6de466311374357cbf76906d00a3475fdb1e785b9c8b28e028c2
Opcode Fuzzy Hash: 0b30d6d14155e96f440c4d03553cadec54bace24f2f4320cc2269de3085c1d97
Instruction Fuzzy Hash: A8E0C271415308EFCF00EFB4D508B8EBBF8DF4A220F0000ADE10593140EE315A449B92

Function 032608C1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789cdbf3fd0b97c929ca2e532ad45251910f5a5e881b880c5df025b5865d4751
Instruction ID: 14aebdfce9a04a6e1e383020546fc48c2e57a464ada59fdc8a85961acff5a377
Opcode Fuzzy Hash: 789cdbf3fd0b97c929ca2e532ad45251910f5a5e881b880c5df025b5865d4751
Instruction Fuzzy Hash: DBE08C7542D290DFDB12CF2494882587BA8FF0A720B89E0E6C44297296D2B89CC49783

Function 0326142D Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6874171edf456b2e03e102d41db26a36d47c5f92289423de136b0d2836a2f87c
Instruction ID: decfe36c779f862128c3a4eede30af48864f06bbd5cb13da089f24ca5c2ba228
Opcode Fuzzy Hash: 6874171edf456b2e03e102d41db26a36d47c5f92289423de136b0d2836a2f87c
Instruction Fuzzy Hash: 2CD0A731B19111EBEB64EB14D8052ACB29EFF40B50F80D9ACC84357105C730BCCA9786

Function 06F5E960 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1851088844.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f40000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d191f30e04918bc6a38439e7ed02a26d591cf12d3150b45a3b2d00655b0852e
Instruction ID: 9462e1518b29872b12ec160e20d3e2398092b5c8412dc69029586db63e7fbf16
Opcode Fuzzy Hash: 0d191f30e04918bc6a38439e7ed02a26d591cf12d3150b45a3b2d00655b0852e
Instruction Fuzzy Hash: BCC02B710AF3048FDBD41340614C33833DC8707251F422468EB0D0092E0A6049ACC285

Function 032608A1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1912908d7d653d46fe93000f66053032907dcf037bf9b4547c7edc7dd43d076b
Instruction ID: d47da12c559b6fae41bc7a5c91d9c65df8a7ba08c85416b254ed3ab9a9fca748
Opcode Fuzzy Hash: 1912908d7d653d46fe93000f66053032907dcf037bf9b4547c7edc7dd43d076b
Instruction Fuzzy Hash: A2C08C3004C3889FCB1303716C045D07FF89D4342038890D3E448CA007D2A914D083A2

Function 0326E048 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e34483b9dc698cf81d643c96ae7ad54a95cc0850b678d4bf24b249fd6c1938
Instruction ID: 09a6747663cefd12a85feafbfd9c1c2e9eebc705baff4013e50eecaa6d8df9d9
Opcode Fuzzy Hash: 84e34483b9dc698cf81d643c96ae7ad54a95cc0850b678d4bf24b249fd6c1938
Instruction Fuzzy Hash: 34C08C7007D6088BD7547BA0AB0E7287BA86F02212F880028F21C11050CFB44098C73A

Function 032608B0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1831480948.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3260000_svcost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02636c4b1af74245742a610a65bdbf91e6c12532baabbf0eb109b72766c7e33e
Instruction ID: 7805a00fefbc44adb39ad96ac525fe2891421a6b5804fcef2bcd4cf847040ac0
Opcode Fuzzy Hash: 02636c4b1af74245742a610a65bdbf91e6c12532baabbf0eb109b72766c7e33e
Instruction Fuzzy Hash: A090023114470CCF465027957409595779CD5445367805055A50D415095AA674904695

Analysis Process: InstallUtil.exePID: 5216, Parent PID: 4084COMMON

Executed Functions

Function 00E797E8 Relevance: .9, Instructions: 894COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8842e2ab12581d357abd2d250841b51f66687e82714b243ff7704363dc4e3e
Instruction ID: 5cec4066ed62b9f1e4f6ccd8319c687e1cf0e0c55d5cd2fce18733e60d755e9a
Opcode Fuzzy Hash: eb8842e2ab12581d357abd2d250841b51f66687e82714b243ff7704363dc4e3e
Instruction Fuzzy Hash: EE82A271600209CFDB15CF68C984AAEBBF2FF88304F15D569E449AB2A2D735ED41CB51

Function 065E11A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b555ff08857f171e5bf7226c54c06499bcde25e746254cb33f33af86e7c610fe
Instruction ID: b8e93f814a12904df59febbdce70c847a0d08fe4ca15d60761177bce9131f18a
Opcode Fuzzy Hash: b555ff08857f171e5bf7226c54c06499bcde25e746254cb33f33af86e7c610fe
Instruction Fuzzy Hash: CA826E74E01228CFEB64DF69C994BDDBBB2BB89300F1481EA944DA7265DB315E81CF44

Function 00E7F007 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f216a3cb70cbfbcb8f84765a58fa9bf7075dd54148da7c928c0babcec3c4b9
Instruction ID: 0d31546e5e3da1e2d72e87e61414e20810d40adc38a4486315cd54f053c2ec70
Opcode Fuzzy Hash: 32f216a3cb70cbfbcb8f84765a58fa9bf7075dd54148da7c928c0babcec3c4b9
Instruction Fuzzy Hash: 4D72CE74E01228CFDB64DF69C984BD9BBB2BB49304F1491EAD40DAB255EB309E81CF50

Function 00E76730 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748afc6457389f20ce209aee40e52aff932e2129c9aed31e448f10f098abea82
Instruction ID: 1dcf1385361790ee3688b4831d5c4f6e56585e1dbaec5036f71107004af10a13
Opcode Fuzzy Hash: 748afc6457389f20ce209aee40e52aff932e2129c9aed31e448f10f098abea82
Instruction Fuzzy Hash: 7C024A70A00609DFDB15CF68C988AAEBBB2FF89308F15D06AE449BB261D735DD41CB50

Function 00E7B328 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26dc4011675febf391871b584a42d026380128228c96f7719ca0858fccc6953b
Instruction ID: 14a41981e27814107f5834ad28e03a8ca56820f55b53219450604044e1136397
Opcode Fuzzy Hash: 26dc4011675febf391871b584a42d026380128228c96f7719ca0858fccc6953b
Instruction Fuzzy Hash: 1AE1D875A00618CFDB14DFA9C984B9DBBB1BF89314F15D0A9E819AB262E730AD41CF50

Function 065E8608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ede434ae633f8a2824604dca88332e3c8316607bde4fc75648581449a6a28d
Instruction ID: c9929d934a82f2b9b9fdde7eb29348da1415ef9eebe6d97ab25232e1ddcf0f70
Opcode Fuzzy Hash: 94ede434ae633f8a2824604dca88332e3c8316607bde4fc75648581449a6a28d
Instruction Fuzzy Hash: 2EE1E174E01218CFEB64DFA5C944B9DBBB2BF88304F2081AAD409AB394DB355E85CF14

Function 065E0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126e2a7722317cc1d842887b3bf4bdd061ca60327d361a73116ae3642a938800
Instruction ID: 2ecae231f86de4678ff4dcfd6b7bd0da8f3b88868283d4a81c3bf1d0136b3ddc
Opcode Fuzzy Hash: 126e2a7722317cc1d842887b3bf4bdd061ca60327d361a73116ae3642a938800
Instruction Fuzzy Hash: ACC1B074E00218CFDB58DFA5C954B9DBBB2BF89304F2081A9D409AB395DB359E81CF54

Function 065ED670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b07e699bd1a56e19932eda0c7f0191e5fac4cd352d634f10d6569820534f6b4
Instruction ID: 52c1c50da31e4ca135de67543dba5225f0102f95c4908e259aaa413d335cc31a
Opcode Fuzzy Hash: 7b07e699bd1a56e19932eda0c7f0191e5fac4cd352d634f10d6569820534f6b4
Instruction Fuzzy Hash: 96A19175E012288FEB68CF6AC944B9DBBF2BF89300F14D1AAD40DA7255DB705A85CF50

Function 065EB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69781f76b95e5f4c9bd29e30cd276b178e6032f1605881569f5fc1048be2c39f
Instruction ID: fb41faa99f8e3e7ff9aa8ecb60b6986068f2de16ad7a8dc57c4c92594d50c2db
Opcode Fuzzy Hash: 69781f76b95e5f4c9bd29e30cd276b178e6032f1605881569f5fc1048be2c39f
Instruction Fuzzy Hash: 4DA18F75E01228CFEB68CF6AC944B9DBBF2BF89301F14C0AAD409A7255DB345A85CF51

Function 065EC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9615683a5f3ee45c4085550d61082a80564a5e3d6541e67d25d36825d71a06f
Instruction ID: e12b164ba0572306b72711032630f49c87ec46d1b2d16e140a5d92fd8daade50
Opcode Fuzzy Hash: b9615683a5f3ee45c4085550d61082a80564a5e3d6541e67d25d36825d71a06f
Instruction Fuzzy Hash: B0A19475E01218CFEB68CF6AC944B9DBAF2BF89300F14C0AAD409A7255DB349A85CF50

Function 065EA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8804a4064d2ecc688102063aef91cee60aedaf92a0f1ff357a3d182c1c791a51
Instruction ID: 30bc1aa36aa91f7fe835557f3075c3a4206edc894748c5164c686e49173dee82
Opcode Fuzzy Hash: 8804a4064d2ecc688102063aef91cee60aedaf92a0f1ff357a3d182c1c791a51
Instruction Fuzzy Hash: 63A18175E01628CFEB68CF6AC944B9DBBF2BB89300F14C0AAD40DA7255DB345A85CF51

Function 065EBD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792837dad4c649fe1e22099d1203e51b3f9d46beb2af3c38e0dbc34138e50318
Instruction ID: 745664584d36f79f01a49bd76656231863797b04146b16f86989bd1b5ac4d0ed
Opcode Fuzzy Hash: 792837dad4c649fe1e22099d1203e51b3f9d46beb2af3c38e0dbc34138e50318
Instruction Fuzzy Hash: 42A1A175E01228CFEB68CF6AC944B9DBBF2BF89301F14C0AAD409A7255DB345A85CF50

Function 065EC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc302a8f92019fd21a467aae89d6e121ea1671c1e725879df720b205d54b5ac0
Instruction ID: ba6e89f709348774cbb5937a4fbe7d4f4c0dfbd1af1f44ea6db7bfffd10bcd47
Opcode Fuzzy Hash: dc302a8f92019fd21a467aae89d6e121ea1671c1e725879df720b205d54b5ac0
Instruction Fuzzy Hash: E2A19275E012288FEB68CF6AC944B9DBAF2BF89300F14C1AAD40DA7255DB345A85CF54

Function 065EAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389650fb9229a06b5f7932be80e4b7f475948eac0ed9ad735d92038d8dba6907
Instruction ID: f39a210bb2358cf6525cfbd06df819c74d4a3aaf2b65f22e41c571392fd4d829
Opcode Fuzzy Hash: 389650fb9229a06b5f7932be80e4b7f475948eac0ed9ad735d92038d8dba6907
Instruction Fuzzy Hash: 3FA19175E016288FEB68CF6AC944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF50

Function 065ED028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4717ea65238c8baa2a096d041a9a8d837157d5d029ac16c74fd7027828d23f
Instruction ID: d2556b33a6069e5489fdeffa92fe65913eb7cb47c587edcbb0903971dad26ee2
Opcode Fuzzy Hash: 6e4717ea65238c8baa2a096d041a9a8d837157d5d029ac16c74fd7027828d23f
Instruction Fuzzy Hash: 00A18175E01628CFEB68CF6AC944B9DBAF2BF89300F14C1AAD40CA7255DB345A85CF51

Function 065EB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47604a784d2e0e5197d29128b1765cd70f7bb97e74887473d9254a11e4e5ad29
Instruction ID: 38ccd8000d1172aed72965ad63c207c47ac298afd30b94222b2b6ce73e7851cd
Opcode Fuzzy Hash: 47604a784d2e0e5197d29128b1765cd70f7bb97e74887473d9254a11e4e5ad29
Instruction Fuzzy Hash: F2A1A075E012288FEB68CF6AC944B9DBBF2BF89301F14C0AAD408B7255DB305A85CF54

Function 00E7C470 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfae3a9c94c7ffa7b0f9bcdb1393d655e54a818144f5bb032701dae546382fe3
Instruction ID: 6d5d523affa97180725365222c892f50124a5e26955d7cdcbd0f4196a15ba1ad
Opcode Fuzzy Hash: dfae3a9c94c7ffa7b0f9bcdb1393d655e54a818144f5bb032701dae546382fe3
Instruction Fuzzy Hash: D591D275E00208DFDB14DFAAD984A9DBBF2BF89314F24D069E419BB265DB30A941DF10

Function 00E7C752 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b5101dc66e1de3ac7b37dfb7eab7b37181ad7ea682b79c2bee070c8f1d17c5
Instruction ID: d4872186d9a86e1a439a62d3d824d40da38c9e15a0b05ad38eb2f6bb6d8603af
Opcode Fuzzy Hash: a9b5101dc66e1de3ac7b37dfb7eab7b37181ad7ea682b79c2bee070c8f1d17c5
Instruction Fuzzy Hash: 7F81B274E00218DFDB58DFAAD884A9DBBF2BF88304F24D069E409BB265DB309941CF10

Function 00E7BBD2 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7530b8321f3051875e8528eba9d414280a02e4655f522401d195b493fb436d
Instruction ID: 1c98746d3f52963b0bd3be9accb9f4f06c40bbbb4a02b6cdbe5789b933f4a96d
Opcode Fuzzy Hash: 7b7530b8321f3051875e8528eba9d414280a02e4655f522401d195b493fb436d
Instruction Fuzzy Hash: 9D91AF74E00218DFDB18DFAAD984B9DBBF2BF89304F14D069E509AB265DB309941CF10

Function 00E7C190 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed129661017300692419de3dd02353d2f9348af878ee53737066f97f829edca
Instruction ID: 40b91e71dd99adcb363c46a8208e1ac716fac5afb1e7a7b7d8b5609566af1892
Opcode Fuzzy Hash: eed129661017300692419de3dd02353d2f9348af878ee53737066f97f829edca
Instruction Fuzzy Hash: 5481B274E00218DFDB14DFAAD984A9DBBF2BF89304F24D069E809BB265DB309941CF54

Function 00E7BEB0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e768a5acf4e5c714ac2939e85762477d290ebe70dfd08369f8b8d262026e484
Instruction ID: a28af5748235a05cf7b567f8ec206a6ac86fe73bc748f96252b9fa5a7d1d7e67
Opcode Fuzzy Hash: 4e768a5acf4e5c714ac2939e85762477d290ebe70dfd08369f8b8d262026e484
Instruction Fuzzy Hash: 8791B074E00218CFDB14DFAAD984A9DBBF2BF88314F24D069E409AB365DB309981CF51

Function 00E74AD9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e59c60a9a0998a653fc0d918338fa63099fe8a5f744cbea2eec73ab2332ebd
Instruction ID: 217db1cddd8abff982485497d61d39b6db688c4cfc8f98b7640bf61fdb5ae75e
Opcode Fuzzy Hash: a2e59c60a9a0998a653fc0d918338fa63099fe8a5f744cbea2eec73ab2332ebd
Instruction Fuzzy Hash: C081A1B4E01218CFEB14DFAAD984A9DBBF2BF88304F14D069E419BB265DB309941DF10

Function 00E7CA32 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e2bf97a112936e713583481aa2fcc12ac5c992e7a1752db985e1277fba921d
Instruction ID: 028f4b410a0be4cd2ede82c782ba14d6d480a97945f93f44295deeb842a38b2b
Opcode Fuzzy Hash: e1e2bf97a112936e713583481aa2fcc12ac5c992e7a1752db985e1277fba921d
Instruction Fuzzy Hash: B181A174E00218CFDB14DFAAD984A9DBBF2BF88300F24D069E819BB265DB309941DF55

Function 065E8C51 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763f92ee55152a011008f6469d4c2b314ce0494312ecabc7dd8c3149741a3a0f
Instruction ID: 7f75054199f157234e8190aa6169acf6711df6c2bc1f251b5fd7efca365e1a6b
Opcode Fuzzy Hash: 763f92ee55152a011008f6469d4c2b314ce0494312ecabc7dd8c3149741a3a0f
Instruction Fuzzy Hash: 1C81BF74E00218CFEF58DFAAD954B9DBBB2BF89300F24816AD419BB264DB355945CF40

Function 065E1191 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5a072cfde369f593759ab09e0ac31c5ffab8ba3a1ece45987937720137ee9d
Instruction ID: 490418b42974b65eb76052e64a6a610b33b585b022e48e6eba00791919332ae0
Opcode Fuzzy Hash: 4d5a072cfde369f593759ab09e0ac31c5ffab8ba3a1ece45987937720137ee9d
Instruction Fuzzy Hash: 1D81B174E012289FEBA4DF65D991BDDBBB2BB89300F1080EAD84DA7254DB315E81CF44

Function 065ED018 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0c4cb7171f2a5c7e98ec62cde87aab68529b2529299f3b6fb88fb95cbe65b6
Instruction ID: 19f5fe0d706c136df3c5ef2181401194b761beca657dd572aba6420f6f4aa10a
Opcode Fuzzy Hash: 6c0c4cb7171f2a5c7e98ec62cde87aab68529b2529299f3b6fb88fb95cbe65b6
Instruction Fuzzy Hash: E1718571D016188FEB68CF6AC945B9EFAF2BF89300F14C1AAD40DA7255DB344A85CF50

Function 065EAA48 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710a38e6cfba90bfff762ccc9024d0142f5becd08aaa1cf03baa7527bea23fcc
Instruction ID: 0bbdc1ab97932c06f8687ce43c230d013fa6a5e0ed4ae2ef964bf4b6b0a57123
Opcode Fuzzy Hash: 710a38e6cfba90bfff762ccc9024d0142f5becd08aaa1cf03baa7527bea23fcc
Instruction Fuzzy Hash: 47717475E006188FEB68CF6AC944B99BAF2BF89300F14C0AAD40DA7255DB344A85CF51

Function 065EB090 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f67d8180e95ea81ef6a6f5d4d4fe5866c8a909653577184d01bdf81d1e6c7b
Instruction ID: bf70384c0f70a9e0e04a8b30fcd5733ef5a35b09a20d4e197533711137f73541
Opcode Fuzzy Hash: 89f67d8180e95ea81ef6a6f5d4d4fe5866c8a909653577184d01bdf81d1e6c7b
Instruction Fuzzy Hash: 10717571E016288FEB68CF6AC94479DBAF2BF89300F14C1AAD40DA7255DB345A85CF51

Function 065E0006 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869463a9ef3f186623c96df52894d721ac2ade70eda2fba5be3b3a4a698443af
Instruction ID: de1ea80a987b304cb016816db7886b568074bb2e1bfa0d00210b17cab13aea62
Opcode Fuzzy Hash: 869463a9ef3f186623c96df52894d721ac2ade70eda2fba5be3b3a4a698443af
Instruction Fuzzy Hash: B8414871D052488FDB59DFBAD9446DEBBF2AF8A300F14C06AC408AB2A5EB344946CF54

Function 065EC9C8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3301967ccdf509e2644bef9f4510d28cbda964f6d91d783bfcb50472f6b89e02
Instruction ID: f622cc429750a3ffe459e202f109bca39149fe3a6de648fd53a3a73a83afa683
Opcode Fuzzy Hash: 3301967ccdf509e2644bef9f4510d28cbda964f6d91d783bfcb50472f6b89e02
Instruction Fuzzy Hash: ED4178B1E016188BEB58CF6BD9457D9FAF3BFC9300F04C1AAC50CA6264DB744A858F51

Function 065E85FC Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57c299f90d997b588febc556fe57de3bb4682775d5fa59dac073e40be960b80
Instruction ID: d870a49d894f26d46a40656686f6fe19a9f114dfe6c17d9700b90acdf69c9937
Opcode Fuzzy Hash: d57c299f90d997b588febc556fe57de3bb4682775d5fa59dac073e40be960b80
Instruction Fuzzy Hash: 5941E2B1E006088FEB58DFAAC95479EBBF2BF89300F14D16AC418BB290DB355946CF54

Function 065ED662 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3acb069581c5fe2b28af0f3a223d39f44ff9a891cc4c4c76e41f5dff8b1ef34d
Instruction ID: 0535e44896f569c3cb1da6c97a56fcbda369485d24d3d6de24baa523d0d5ab58
Opcode Fuzzy Hash: 3acb069581c5fe2b28af0f3a223d39f44ff9a891cc4c4c76e41f5dff8b1ef34d
Instruction Fuzzy Hash: E94159B1E016189BEB58CF6BD94578AFAF3BFC9300F14C1AAD50CA6254EB740A858F51

Function 065EA3F8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcbcbbee5ee123eeb803d7d7b09217727e7c50b5a95e876a5846ac6dc57353c
Instruction ID: 6779166d7d007b5c0f774b3c8cfa0d7897178e3ea761db32613b76da37543b1b
Opcode Fuzzy Hash: 3bcbcbbee5ee123eeb803d7d7b09217727e7c50b5a95e876a5846ac6dc57353c
Instruction Fuzzy Hash: 684145B5E016188BEB58CF6BC94578AFAF3BFC8300F14C1AAC50CA7264DB740A858F51

Function 065EC378 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e52d6561d1f8c82ddd15bbe61dd9945f171ca8c8045b93170609856a35cda6
Instruction ID: 6ae8a7d1c8ee487ef13e30eebaeef79cdaa2289d96d735d93fb6c58180e41387
Opcode Fuzzy Hash: 35e52d6561d1f8c82ddd15bbe61dd9945f171ca8c8045b93170609856a35cda6
Instruction Fuzzy Hash: 8F4167B1E016189FEB58CF6BD94579AFAF3BFC9304F04C0AAD50CA6264DB744A858F50

Function 065EBD28 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6526887977e15b81e717c1bf832cfb1033904e84af17572399870475423afa78
Instruction ID: fc6f5c95ea8474e28cef18c79df304ba976b8077af82bc3b345d7c66eb5307de
Opcode Fuzzy Hash: 6526887977e15b81e717c1bf832cfb1033904e84af17572399870475423afa78
Instruction Fuzzy Hash: 8E4139B1E016189FEB58CF6BD94578AFAF3BFC9300F14C1AAD50CA6264DB740A858F51

Function 065EB6D9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d45615870fa2e5b4a52377205946dfb4ddba2454df5f4412bafb35228cd22cb
Instruction ID: 820540eb80850b433977cd760276525c631b527805dc60ffc37e9dde96c8b8d0
Opcode Fuzzy Hash: 6d45615870fa2e5b4a52377205946dfb4ddba2454df5f4412bafb35228cd22cb
Instruction Fuzzy Hash: C34145B1E016188BEB58CF6BD94578AFAF3BFC9304F14C1AAD50CA6264DB740A85CF51

Function 00E75C08 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

hE, xrefs: 00E75E5E

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID: hE
API String ID: 0-3080292677
Opcode ID: 760dac4694a14925f55aa93110d6d18dfe799487eb7743b565681c66015d730c
Instruction ID: f1dee28599946ef243bfaa9c0fe09bd945a455efbace3aed7566afcbbc795d81
Opcode Fuzzy Hash: 760dac4694a14925f55aa93110d6d18dfe799487eb7743b565681c66015d730c
Instruction Fuzzy Hash: D6819F36A00A05CFDB14CF69C888AAAB7B2FF89304B24D169D509FB365DB71ED41CB51

Function 00E74DC8 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

hE, xrefs: 00E74DD9, 00E74DF6, 00E74E13, 00E74EA9

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID: hE
API String ID: 0-3080292677
Opcode ID: aa4b76efce4678f903a19a612857b1c21897e9d6771bbfc8a6586accc90b8cf0
Instruction ID: 9d4a7f7c044dc108ce1c238655f1a1aa73e395e9f60b50c3ec7f67f2846f2a46
Opcode Fuzzy Hash: aa4b76efce4678f903a19a612857b1c21897e9d6771bbfc8a6586accc90b8cf0
Instruction Fuzzy Hash: BE31B27170020ADFCF11AF64D854AAF3BA6FF48314F109424F9599B294CB39DD61DBA1

Function 00E776D0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

hE, xrefs: 00E776EA

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID: hE
API String ID: 0-3080292677
Opcode ID: 0b8a3e372a01a3181dcd0d49ba62ff7d45dcac0c612e0daadb769ed8f79771ee
Instruction ID: 861099487c5e06eeee7c5e248f568cff1db7fcfc53f8311a168e28efaa7da310
Opcode Fuzzy Hash: 0b8a3e372a01a3181dcd0d49ba62ff7d45dcac0c612e0daadb769ed8f79771ee
Instruction Fuzzy Hash: 6D21F73430C3008BDB1957398C54A7A7A979FC871AB18907BD589DB795EE2ACC41A381

Function 00E776E0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

hE, xrefs: 00E776EA

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID: hE
API String ID: 0-3080292677
Opcode ID: 9ae69e71b17c9ff2e0cc7060b97b26718928e263db5dc704eec00d58685469a1
Instruction ID: 557a513a574a270355e9db7e6fa01d27415cc7cf3f8b1988af27abe3c9f02c9e
Opcode Fuzzy Hash: 9ae69e71b17c9ff2e0cc7060b97b26718928e263db5dc704eec00d58685469a1
Instruction Fuzzy Hash: BE21C8343083058BEB2856359854A7F759B9FC471AF24D076E58ADF798EE2ACC41A380

Function 00E75A60 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

hE, xrefs: 00E75AFA, 00E75B17

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID: hE
API String ID: 0-3080292677
Opcode ID: 12304ce566f641878f30321d73db0992ed338de0ed38f2f631a7b1c009a71ebe
Instruction ID: 943da3583adcde3c65cc7deb72bdd5f59e42d6d51fe03a5c7a6d584203dfd827
Opcode Fuzzy Hash: 12304ce566f641878f30321d73db0992ed338de0ed38f2f631a7b1c009a71ebe
Instruction Fuzzy Hash: 6521CF36301A12CFC7269B24C8A492B77A2FB8975571482A9E84AEB354CF75DC02C7C0

Function 00E75A70 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

hE, xrefs: 00E75AFA

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID: hE
API String ID: 0-3080292677
Opcode ID: 984c4c5450902b30bfba107bcddd40f0b60541ebb9b15bc9b14cffa55b3bf353
Instruction ID: 89c57f7a9b713bc6033afce3152d95b9313d094889f7849a2d36a254c93bbb8c
Opcode Fuzzy Hash: 984c4c5450902b30bfba107bcddd40f0b60541ebb9b15bc9b14cffa55b3bf353
Instruction Fuzzy Hash: 1511E532301A12CFC7259A29C89492F77A6FFC87557148278E80ADB350DF65DC0287C0

Function 00E71F61 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

T, xrefs: 00E71F6C

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-286829874
Opcode ID: 3962a563c14a267d75314dc32517efffb1740135af3e535cf2f9f5cc94a985db
Instruction ID: 1b12e20afb99c7861fdc9596d46cb43892ed5f138aff1fc1c79899e01b9a2124
Opcode Fuzzy Hash: 3962a563c14a267d75314dc32517efffb1740135af3e535cf2f9f5cc94a985db
Instruction Fuzzy Hash: 1A21EFB5C042098FCB01EFA9D8455EEBFF1FF0A301F10916AD849B7224EB351A46CBA1

Function 00E7DEB0 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

2, xrefs: 00E7DEFC

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-1279140107
Opcode ID: 420369362c3bfe1fa2b9f382be23c7f72b51b3756b799b05b89f746fe13a7f85
Instruction ID: 4aa59c9d3b7add60fe84004de65b38827147196b7dabb8f06b40c0aa30d16241
Opcode Fuzzy Hash: 420369362c3bfe1fa2b9f382be23c7f72b51b3756b799b05b89f746fe13a7f85
Instruction Fuzzy Hash: 1CF03A70E11225CFCB84EF78C84469E77F4EF0861072144A9D409EB320EB31DD008BD0

Function 00E777F0 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9200dec4d382ed04461dabbee252dc4da42287fc15277533d7a9dec196b9ea60
Instruction ID: ec392ec8fd3bff1499f400a0e7ee7cb1b0a93cab390924b321ba9fac101bbc38
Opcode Fuzzy Hash: 9200dec4d382ed04461dabbee252dc4da42287fc15277533d7a9dec196b9ea60
Instruction Fuzzy Hash: 48521B74A002188FEB14DBA4C964B9EBBB6FF88700F1080A9D50A7B3A5CF355E85DF55

Function 00E787E9 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41bf40ab44e9b215327b402031e5382df4caf815b367ea2073176121b8681993
Instruction ID: 776aee11d23b58c5e8c616ebfbc1bcf9fb9b86fddc6fd2b65b6dbe9c5e023976
Opcode Fuzzy Hash: 41bf40ab44e9b215327b402031e5382df4caf815b367ea2073176121b8681993
Instruction Fuzzy Hash: 47F1E770384201CFDB299B38CA5C7797796EFA5704F1890AAE10AEF3A1EE25CC41D752

Function 00E76E58 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6936619ef84a0fb95bdf2948aacea9a501c025ba74a95df70433a1243fe59830
Instruction ID: 5d9ddb29e4a0cb05bfb2226e5c27333b4c15c3f48ce655ea5362ba7edbc3d2ee
Opcode Fuzzy Hash: 6936619ef84a0fb95bdf2948aacea9a501c025ba74a95df70433a1243fe59830
Instruction Fuzzy Hash: 1A127E30A04249DFCB14CF68D884A9EBBF2FF88318F159599E859EB261D730ED41CB50

Function 00E7A818 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafcd8bc23195bdf39376833f142946e5debc8d1229e4de7c68ada3179e35fe9
Instruction ID: b07440dfb90adb121cb33e58531d5e03069ec4191814597b4d53f531e9b5c334
Opcode Fuzzy Hash: cafcd8bc23195bdf39376833f142946e5debc8d1229e4de7c68ada3179e35fe9
Instruction Fuzzy Hash: 45F11A75A00215CFCB15CF68D984A9EBBF2FF88314B1AC069E519AB361CB35EC41CB61

Function 00E70C8F Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f39f679c3ca7a5cdbbb4929a73d613567a11db1812133e7d2208ccbc5962cd1
Instruction ID: d6be6355c2dcbf51c1e30a43e6a351493b700cd5eab1ab14fffa7da3fa614caf
Opcode Fuzzy Hash: 0f39f679c3ca7a5cdbbb4929a73d613567a11db1812133e7d2208ccbc5962cd1
Instruction Fuzzy Hash: E522EB78900219CFCB54EF65ED84A9DBBB2FF88704F1085AAE849AB758DB305E45CF44

Function 00E70CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da6561b28fdfbad81438b94b9a82babd61a25a8f84e58982c06b89cc1ce652f
Instruction ID: 6d9d3904b5475e3d7d9d021e306cae7c45fd3dfc2b337cf45b143f9c9bda584a
Opcode Fuzzy Hash: 3da6561b28fdfbad81438b94b9a82babd61a25a8f84e58982c06b89cc1ce652f
Instruction Fuzzy Hash: 6022DB78900219CFCB54EF65ED84A9DBBB2FF88704F1085AAE849AB758DB305E45CF44

Function 00E756A8 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ac4bf08d81c4d24b2781789c1830f788a28264aef2744b06e4bf841d2c91cd
Instruction ID: 3a1b16c2d5b2d45620edc085ec47de5f23b134a107fa5ce32e53a2e2fe4d1bbb
Opcode Fuzzy Hash: a8ac4bf08d81c4d24b2781789c1830f788a28264aef2744b06e4bf841d2c91cd
Instruction Fuzzy Hash: FFB1EF32704605CFDB299F78C848B6A7BE2BBC8314F14952AE44ADB391DBB5CC41D791

Function 065E23E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50781400349d704ca4ca68415400c4bad8948d80dce798dd7766f3d9b1b5c92e
Instruction ID: d1af87dc5f4d10e5af4453cd22deea204f8395eb674de4066bec1d45a828d98f
Opcode Fuzzy Hash: 50781400349d704ca4ca68415400c4bad8948d80dce798dd7766f3d9b1b5c92e
Instruction Fuzzy Hash: 8381A131B00105CFDB48EF78D954A6E77FABF88600B1585AAE506DB3A9EB31DD01CB90

Function 065E9510 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3307afb858659eb8189bbf7ec645ec681c19ecbe1771c5f02ac7a119c1f868c
Instruction ID: 3e4c18e7c9946ccdf5a694a807606219c29567698186f977050b38dff8f1aa88
Opcode Fuzzy Hash: a3307afb858659eb8189bbf7ec645ec681c19ecbe1771c5f02ac7a119c1f868c
Instruction Fuzzy Hash: B3717A31F002199BDB49DFB5C8546AEBBB6AFC9700F54842AE406BB380DF749D46CB91

Function 00E77438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a926deba4a59fcb614401dca7dff8d188a1858562034b0d887630f1419b700d8
Instruction ID: 66eff0afd78a23e2fc318e7a4872a3717da5e119b0cee446d76d22697894b157
Opcode Fuzzy Hash: a926deba4a59fcb614401dca7dff8d188a1858562034b0d887630f1419b700d8
Instruction Fuzzy Hash: B1714F34704605CFCB24DF68C484AAE7BE5AF49304F1590A9E88AEB371DB75DC41CB90

Function 00E7CEC7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b4bdf38c061086e9dffe8555fcf47b661f7da3c4b8bf4d5deb82e8c4149fd6
Instruction ID: a89b504d3fd3fbc2bebb0bbff7fa97e123f1b3fbfe0875a5d63c607f19c101d0
Opcode Fuzzy Hash: 71b4bdf38c061086e9dffe8555fcf47b661f7da3c4b8bf4d5deb82e8c4149fd6
Instruction Fuzzy Hash: A351D8310217038FC3282FA1A6AC17B7B65FB5F367700AC56A08ED5029DF7A548ACF21

Function 00E7CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e008d1db0f44b3e8f6caf1a51e3d793bbad15e0eee1b802d267aae8acbfd714b
Instruction ID: c804bdaadd98510955c7b9e8f636de24bb87d9e399cd702e7018e655ce775eef
Opcode Fuzzy Hash: e008d1db0f44b3e8f6caf1a51e3d793bbad15e0eee1b802d267aae8acbfd714b
Instruction Fuzzy Hash: 3B51B3310217078FD3283BA1A6AC17B7B65FB5F367740AC16A19ED1029CF7A548ACF21

Function 00E7E2D9 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec75187fb2ef9ae3cd12c06e6f0aa7a3736d87e2bd7901ba1b781c97121a6802
Instruction ID: e7b6f5cf674ae4b291daaed8a5e66c43cb97ba168698e20f699b0b0e2f789e70
Opcode Fuzzy Hash: ec75187fb2ef9ae3cd12c06e6f0aa7a3736d87e2bd7901ba1b781c97121a6802
Instruction Fuzzy Hash: FD61F074E01218DFDB14DFA5D954AAEBBB2FF88304F608529D809AB3A4DB355A45CF40

Function 00E7CD10 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bab0f48215c987a0f451adcf24b4f1d88a8f25deff2170240108f88dd0278fc
Instruction ID: ea0a740b8465ca42090e0e8d04fdb78545900220e9b19bdbccf1d63683e24ef2
Opcode Fuzzy Hash: 4bab0f48215c987a0f451adcf24b4f1d88a8f25deff2170240108f88dd0278fc
Instruction Fuzzy Hash: 3B519474E01208DFDB54DFAAD58499DBBF2BF89300F209169E419AB365DB30A945CF50

Function 065EDCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f258e4232475737f71deabd7fdccb650ee7f976a0663164269257652c8f59c1d
Instruction ID: 2193de44c61ca07b2ed6d927e75977918dc7d58120670abefe9d7cb52cef3617
Opcode Fuzzy Hash: f258e4232475737f71deabd7fdccb650ee7f976a0663164269257652c8f59c1d
Instruction Fuzzy Hash: 12417B3690171ACFDB44AFA1D55C7EEBBB1FB8A316F045829D11573290CBB90A88CF50

Function 00E73908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2d3f05f0a75868e6c99f0e06d827bc38bd152d1e5d59a654927872969badb6
Instruction ID: 116433be8911107f67c009871068f7c76d700958f152742109998005ef82dabf
Opcode Fuzzy Hash: 1d2d3f05f0a75868e6c99f0e06d827bc38bd152d1e5d59a654927872969badb6
Instruction Fuzzy Hash: ED51B675E01208CFCB48DFA9D59499DBBF2FF89304B209469E805BB324DB359905DF44

Function 00E79A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e8d38c9ffe924905f7a22e7a6c93c7e086c0e5cf06ed3df7af179e99ce5b20
Instruction ID: 105df0320bbab930daa0b57258861bf9de5821a52a9439d0a7b3a95a960b9e72
Opcode Fuzzy Hash: f8e8d38c9ffe924905f7a22e7a6c93c7e086c0e5cf06ed3df7af179e99ce5b20
Instruction Fuzzy Hash: C651B131A04249DFCF12CFA4D844A9EBBB2EF89314F14D155E819AB2A2D335ED54DB60

Function 00E7A650 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a07773890a438c8cdd7f6a2ca286f997c461388e37b411b382b1ad39e8dac9
Instruction ID: 9bc8fd76d87ce9d0c402f6e6e5db9c269260d6b0782ba848428e65d69af70db3
Opcode Fuzzy Hash: 33a07773890a438c8cdd7f6a2ca286f997c461388e37b411b382b1ad39e8dac9
Instruction Fuzzy Hash: FD41CF367002049FCB189B74D9547AE7BF6BBCD310F288069E51AE7391CE359C02DBA1

Function 065E9500 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293204dc6d6b731d985455d6927e9d33ef177b2ee9d2e7a4d583dc08c291ca95
Instruction ID: e65395fe87f7224c1d77730d71c2193ebc8000895dd8152dbbf65187bc8864d8
Opcode Fuzzy Hash: 293204dc6d6b731d985455d6927e9d33ef177b2ee9d2e7a4d583dc08c291ca95
Instruction Fuzzy Hash: 0F412E71E0021ADBDF58DFA5C890ADEF7F5BF88710F15812AE415B7280EB71A945CB90

Function 065E9A49 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9206452b13657d7df5cd3f5e947367b42935333ff42b2fb2cf2753e7327648a
Instruction ID: df6f7dee98b58596cfbd75549dc8f1e4279a9a361e6cbb4f268ba776fc1f7e31
Opcode Fuzzy Hash: c9206452b13657d7df5cd3f5e947367b42935333ff42b2fb2cf2753e7327648a
Instruction Fuzzy Hash: 8441F1B9E00208CFCB54DFA5D584BEDBBF2BF49304F24802AD415A7294DB395946CF50

Function 00E7E134 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da139352f5510a2995f645914e23482692cc714cf69b56ca9daf46c6d1571a19
Instruction ID: 390c1d44f578e0ac72d8f9b77a6366e2ddcab8c969a873c9d93dc99b4a9570ed
Opcode Fuzzy Hash: da139352f5510a2995f645914e23482692cc714cf69b56ca9daf46c6d1571a19
Instruction Fuzzy Hash: 61411274905208CFCB14EFA8D885AEDB7B2BB49304F60E1A9D409BB351C7B19842CB64

Function 00E7D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc37686475dff120d5c3dff57f94925f508f61863a5b92e27529b40ac0e33533
Instruction ID: 7611b31c33d6bbe55fd5ad33bd029c82188cbc3725f5ef049dfaf9a238aaaf2a
Opcode Fuzzy Hash: fc37686475dff120d5c3dff57f94925f508f61863a5b92e27529b40ac0e33533
Instruction Fuzzy Hash: F4410474908208CFDB18DFA8E9846EDBBB1FF89305F60E12AD419BB244D7359842CF25

Function 00E73428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb47afb45efac344515873486196e6929b18b3a926074504209bbb0a029cc3e
Instruction ID: 961b8bb91008006b53a203a994ef4e9b92ea42674a76d38b4d52918b8615963a
Opcode Fuzzy Hash: deb47afb45efac344515873486196e6929b18b3a926074504209bbb0a029cc3e
Instruction Fuzzy Hash: 73310971B003248BEF9D8A7659942BE65DABBC4714F149039E81AE7380EF74CE0577A1

Function 00E7D7EB Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77eea6ea04662f33e8ac859a099e9cb8b1543b7cf57dc1ccc175249c25be6d38
Instruction ID: 564ff32a38c7bf36b17c44558a66a3a118d51d2a33ba67568b173520c6d791d1
Opcode Fuzzy Hash: 77eea6ea04662f33e8ac859a099e9cb8b1543b7cf57dc1ccc175249c25be6d38
Instruction Fuzzy Hash: E7412374D08208CFDB18EFA8E9846EDBBB1FF49305F20E11AD409BB255D7359841CB25

Function 065E9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18eb80255777d154a655805e52735fba80e0a35af4e15eb2e9ce162c40be3182
Instruction ID: 5f227bbe45e8e0bf2a19850ba27c8b65645390dcc7926d1445ddda4d5c9f15b2
Opcode Fuzzy Hash: 18eb80255777d154a655805e52735fba80e0a35af4e15eb2e9ce162c40be3182
Instruction Fuzzy Hash: 7541E1B4E00208CFDF54DFA5D5846EDBBF2BF88304F20802AD415A7294DB345A46CF50

Function 00E7E0D4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e6582cef376376f94d90c8e450acd6f6f71b3ca92fc2bf4b2a04e75b737b30
Instruction ID: e7246b85bb637cf0208dd0c4bad8ca56b28ea6b0aa1dd24ad78b9e3daad231d5
Opcode Fuzzy Hash: 61e6582cef376376f94d90c8e450acd6f6f71b3ca92fc2bf4b2a04e75b737b30
Instruction Fuzzy Hash: 86410070E05208CFDB14EFA8D884AEDB7B2BF49304F60E1A9E408BB351C7B59881CB54

Function 00E7D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4311db7f5555ece731990a29e57a67b6be10209151037878b7ecf5399eea0679
Instruction ID: 8886ac682e4edcee0e437609cde52d63475691ce25d388dca0befc710d8d17ef
Opcode Fuzzy Hash: 4311db7f5555ece731990a29e57a67b6be10209151037878b7ecf5399eea0679
Instruction Fuzzy Hash: 5541CE74D08208CFDB18DFA8E9846EDBBB1FF49305F20A16AD419BB255D7359841CB64

Function 00E7D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8a69d401478893c549809229d43d5ac9f747e4dcb235291cb91353f5f4eb42
Instruction ID: e0dccd6a383fc12ac62f04f003c7731b2a544d3fde5dd1d14489fd22ad373948
Opcode Fuzzy Hash: 4a8a69d401478893c549809229d43d5ac9f747e4dcb235291cb91353f5f4eb42
Instruction Fuzzy Hash: 4741F571E04208CFDB18EFA9D8446DEBBB2BF89305F24E12AD418B7255DB759841CF68

Function 00E7DF88 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b797c91e054f925fe28049a8a826b8815c406371c2debab896482e77bb32154a
Instruction ID: 7cc3e133cda6075ea972e19e238bb44f6102533dfddc5e0618a18a4a7686e1a9
Opcode Fuzzy Hash: b797c91e054f925fe28049a8a826b8815c406371c2debab896482e77bb32154a
Instruction Fuzzy Hash: F231F574E052088BDB18EFA9D444AEEB7F2BF89300F24E169D408BB355DBB19841CF58

Function 00E7A809 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328355c51c005780067f7eb14ad6291b3513fec8b75b4e61a649d69c6d57bb6b
Instruction ID: e5176ccefc2fe408c8ef8b655bd2c232bc966cc6ba6421ab2e2a2ce313b08841
Opcode Fuzzy Hash: 328355c51c005780067f7eb14ad6291b3513fec8b75b4e61a649d69c6d57bb6b
Instruction Fuzzy Hash: C1319271A005058FCB04CF68D884AAFB7F2BFC9310B19C169E519AB3A5CB359C12CBA1

Function 00E72060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d296f9bdbacbff6245bcaf9e41224657666bd44c6ad3084ecdabfd5744823c
Instruction ID: 74de20c4b1dbc172a83e8527a954b9d9c62d1eb7b573fcc5ebfca91609765083
Opcode Fuzzy Hash: 74d296f9bdbacbff6245bcaf9e41224657666bd44c6ad3084ecdabfd5744823c
Instruction Fuzzy Hash: 2E218E35A00115DFCB14EF24D8409AE77B6EB99364F50C45DE91A9B240DB32EE42CB91

Function 00E2D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928175479.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c29de0a3b39693b15c52f7dc136032eeb7e3801116684c53ebb486c43aee353
Instruction ID: b73770d4d33dcc078a1b9b9c0fdecf0c8b70040e973c7c49d4887257bfb9187d
Opcode Fuzzy Hash: 7c29de0a3b39693b15c52f7dc136032eeb7e3801116684c53ebb486c43aee353
Instruction Fuzzy Hash: 5121F271508304AFDB14DF20EDC4F26BBA6FB84318F24C569EA495B262C736D856CA62

Function 00E7215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fb2ac87794624d6c0e681b6193c5b674d5f65e13ce5d0e59a6795b2015db22
Instruction ID: 4591305937f5f729aed100cb9eb65bb7b64bb79f3169cd77078f175bbf2a29cb
Opcode Fuzzy Hash: 30fb2ac87794624d6c0e681b6193c5b674d5f65e13ce5d0e59a6795b2015db22
Instruction Fuzzy Hash: 70113B31E45359DFCB019BB8AC005DEB770FF8A320B25879BD666BB091EA311916C791

Function 065E96F0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f51f1bae1bef40784c0b86d767b27ae2cf4c1d94f9bf61350412525907dfdc1
Instruction ID: 67a2909fbee55318796eea3c66a6eb7aa704c2f94fbbc499e1eb970caf1beee2
Opcode Fuzzy Hash: 9f51f1bae1bef40784c0b86d767b27ae2cf4c1d94f9bf61350412525907dfdc1
Instruction Fuzzy Hash: 38115B367083505FCB469FB45C1429E3FA7EFC9210754481AE409DB382CF388D5187A2

Function 065EE0C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284684997f2041cc511fd095dbe1b95254bcb2b238036a5f009a227efc48110d
Instruction ID: 68bceb811cde230274132c59f035d37dc2f6ea39eeda774af9558b343c237562
Opcode Fuzzy Hash: 284684997f2041cc511fd095dbe1b95254bcb2b238036a5f009a227efc48110d
Instruction Fuzzy Hash: 8E114E317053408FDB08077A9C146BBBBABAFC9210B148477E546C73D6DD398C468370

Function 00E7E201 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afc9ef02c93114d8a17f60a067f65918f108ed712493960ac7e35fc5ae74869
Instruction ID: 1bf0dcaf074614de451e36e681e33ae32130b57b08903c6e26da8065df0ccda9
Opcode Fuzzy Hash: 3afc9ef02c93114d8a17f60a067f65918f108ed712493960ac7e35fc5ae74869
Instruction Fuzzy Hash: 2921B475D00209DFDB44EFB9DA4078EBBF1FB85304F14C5AAC018AB365EB305A168B81

Function 065E9350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f722613f7bb7ed9cd7238490a196b568dbd99e18a5a3112f4206fe821fa1ebbe
Instruction ID: 33b62742e1fd6b7cffddf8591422b7f2dbb747b77d6923c8d130d5ad2e630179
Opcode Fuzzy Hash: f722613f7bb7ed9cd7238490a196b568dbd99e18a5a3112f4206fe821fa1ebbe
Instruction Fuzzy Hash: C81123B68003499FDB10CF9AC844BEEBBF5EF48320F14841AE918A7250D379A954DFA5

Function 065E8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9224391fdd3f87cb0ce210be4615c3fc99c1c9ddfe680b29a1b1474efcac547
Instruction ID: a29f3c0f6961261a23ab5c0b10799c760e2a2434ac23d251c16f42ee6cccb9a3
Opcode Fuzzy Hash: e9224391fdd3f87cb0ce210be4615c3fc99c1c9ddfe680b29a1b1474efcac547
Instruction Fuzzy Hash: E011FE74F40149CFEF58DBE8D850B9EBBB6BB48311F409065E918AB355EB3099428B54

Function 065E9999 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42598202bca06aad29743f220e4fcca8d7ed26224145dcc5de880f60fd7a496c
Instruction ID: 14db1ec485198a7859afe48dfc3f1ee42678f1b56aea7f1323011eba17276d3e
Opcode Fuzzy Hash: 42598202bca06aad29743f220e4fcca8d7ed26224145dcc5de880f60fd7a496c
Instruction Fuzzy Hash: 6F1123B68003499FDB10CF9AC845BDEBFF4EF48320F14841AE528A7250C339A554DFA5

Function 00E7E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a948df5bc29928664a6ad4c3a7d50461c41d66fdf76fe6778b6ddfcf394450
Instruction ID: 2d3280fcebe0a8d7b11ca120c548bb88d61076cb56e795d42f646647b30c2e77
Opcode Fuzzy Hash: 60a948df5bc29928664a6ad4c3a7d50461c41d66fdf76fe6778b6ddfcf394450
Instruction Fuzzy Hash: 69116074D00209DFDB44EFB9D94079EBBF1FB85304F10D5AAD058AB365EB305A068B85

Function 00E71F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e46cd8bcc4b9f79d1d109c9e5fec57da74530a7fdf4d3717298854f825c11d
Instruction ID: 66f618b43613671cb6c89194dfde466f80c15d4138ceea006ec55e66cc12d08d
Opcode Fuzzy Hash: 20e46cd8bcc4b9f79d1d109c9e5fec57da74530a7fdf4d3717298854f825c11d
Instruction Fuzzy Hash: 4221FFB5D042098FCB10EFA9D8445EEBFB5BF4A304F1091AAD845BB264EB315A45CBA1

Function 00E2D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928175479.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: 755bdc82bd0d083f96a260c908a5a5920edb7f726fe96b6b7be08bd66d0c255a
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: 23119075508244DFCB15CF10D9C4B16BBA2FB44318F28C6A9D9494B666C33AD85ACF51

Function 00E75607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c47c41a32e1d9b75a45f30430b029a248e402659382812e82762a0729662001
Instruction ID: fa941917cc5ae7495a6915ff181f2cf24c2b10ac78dbd3ca3a633a2c85e05b24
Opcode Fuzzy Hash: 7c47c41a32e1d9b75a45f30430b029a248e402659382812e82762a0729662001
Instruction Fuzzy Hash: 1101F572B04114AFDB129EA498106FF3BE7EFC9351B18806AF909D7294DAB58C02C7A1

Function 065E2670 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7041edf5b8ac25f71962261eb7df2597d829a293eaba7b4f3d61bd7e5e9f32b6
Instruction ID: 865592eaa7d222627e2b3e8ac8e1663a0ff71952dfafb05b72651ebd4d743c1c
Opcode Fuzzy Hash: 7041edf5b8ac25f71962261eb7df2597d829a293eaba7b4f3d61bd7e5e9f32b6
Instruction Fuzzy Hash: 6901AD76A002118FCB94EF78D908A5E3BF5FF88611B110169E405DB318EB32C905CFA1

Function 065E25E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340fe3ccc1207ae7eda20436735a609f3138dc909774edee2e29bf6c8d336bbe
Instruction ID: ab8dd68de761da82ed0d74d7a9c0782e1b1a3b64697f509d43c1851feb82ccac
Opcode Fuzzy Hash: 340fe3ccc1207ae7eda20436735a609f3138dc909774edee2e29bf6c8d336bbe
Instruction Fuzzy Hash: 8B01B671E00319DFDF98EFB9C8046EEB7F5BF88200F10866AD519E7254EB359A018B94

Function 065E9760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3938709182.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36856c61a5542f1b8c333de4de4b464dabfa95a1fe64b203f5681313c8ae4da6
Instruction ID: 8635fcd1d0ee1d27fd2ee50548b8d8a8c1423b77a8282f6d8d5526b8c530f7f1
Opcode Fuzzy Hash: 36856c61a5542f1b8c333de4de4b464dabfa95a1fe64b203f5681313c8ae4da6
Instruction Fuzzy Hash: B9F089373041196FCF455EA9AC419EF7BABEBCC250B404429FA09D7351DF324D1197A5

Function 00E7D11A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5dcdd9edd42652cfb5f8a31756e4da5e0dd852304a024f8e5ea0862581e047e
Instruction ID: d3173d9df07cba26a16973dff13fcfb5629fc3ddfe3c5296633a2a10f0e5da0c
Opcode Fuzzy Hash: a5dcdd9edd42652cfb5f8a31756e4da5e0dd852304a024f8e5ea0862581e047e
Instruction Fuzzy Hash: 52F00C72165702CFD7206BB0E9AC43BBB61EB4F3277056D42E09ED1418CB3A5086CB21

Function 00E7D449 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4237e1b745e0771c26f8179f6d02a498c05a9f9237a9dd825bea97f29b27bff
Instruction ID: bf593eeddfd76c36962a126610995ec9841bec503174b04b53069ad12d8da093
Opcode Fuzzy Hash: b4237e1b745e0771c26f8179f6d02a498c05a9f9237a9dd825bea97f29b27bff
Instruction Fuzzy Hash: 3EF0A772944605DBD704DA65DC0A6D973B4DB8B315F00B068D124F7160DB79A1059A94

Function 00E7DF08 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bfefad58f53ce2b2a394b7ed69c0bc9e49d3c0225d4df1e4a8f9b4f360c22c
Instruction ID: 842e8b174d6703c4f80b216d7c66274e7a0c402c2db2a0ed25cba0794b97a168
Opcode Fuzzy Hash: 26bfefad58f53ce2b2a394b7ed69c0bc9e49d3c0225d4df1e4a8f9b4f360c22c
Instruction Fuzzy Hash: A4F0E572A08208DFCB08CF66DC096E9B3B4EF8B305F046468D015B30B1C7759619DA95

Function 00E7D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e00d0565ef7f382e64b1da922c7fe9d8e3dec1388bc7dd8f473381bc6689902
Instruction ID: 30965a1965f1e2e606678df36822f6e3c46cb43e689c3ef6663f963f86ff2253
Opcode Fuzzy Hash: 0e00d0565ef7f382e64b1da922c7fe9d8e3dec1388bc7dd8f473381bc6689902
Instruction Fuzzy Hash: 3CE0DF93C0C150CBE7109BA2AC160B9BB70DED3321744B0CB80DDAB125E224E60AAB12

Function 00E72010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b0ca9edee9aece5bdb8a95e6703c569c0779791a16967d1c50370343bcaa93
Instruction ID: 409eae828d5f5f3488f033fa3f1c58edeb1ef939c93487775f62c42d11f7a81d
Opcode Fuzzy Hash: 67b0ca9edee9aece5bdb8a95e6703c569c0779791a16967d1c50370343bcaa93
Instruction Fuzzy Hash: 18E0D873D313568BCB0297B0DC000DEBB70EEA3226714419BD124B7151E7B5165EC7A1

Function 00E72020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0fc7d8013dc790f537a3d880f4d349c55babb58d592557cb288748e5f8ee9f5
Instruction ID: def143b6059df658e2089b5dc3948d17b27f13cf8b47f3e2ae2ef0d4750922b5
Opcode Fuzzy Hash: f0fc7d8013dc790f537a3d880f4d349c55babb58d592557cb288748e5f8ee9f5
Instruction Fuzzy Hash: 1FD05B31D2022B97CB00E7A5DC044DFF738EED5261B504666D51537140FB713659C6E1

Function 00E78258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 3e4d4734e296de41d6d4bfe732fa317f6a1e1e68c3033cfef1dfedefc18dff93
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 3CC0123328C1282AA624108E7C48AA3AB8CC2E17B9A254137FA5CA3200A8429C8011A8

Function 00E7A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43d1c7ad2b7653d6e95eaf0d6504fab2b7fa29dd76a1a3c5c408c118ef4f850
Instruction ID: d2ae070e28bf9a6a942be1292cf52b63c39f569ab1faf6ad5c302a997fa1b241
Opcode Fuzzy Hash: d43d1c7ad2b7653d6e95eaf0d6504fab2b7fa29dd76a1a3c5c408c118ef4f850
Instruction Fuzzy Hash: E0D0677AB11108EFCF149F98EC409DDB7B6FB9C221B448516EA15A3264C6319961DB50

Function 00E75EA8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24e5014f8cf576e7168efe898d29511624bb1e54c89cb3067fceabd0a7bfcf8
Instruction ID: 9e8bb27426d0d78a919a67df68c08cc81bb162caaf14593d1eeaed31071a96e0
Opcode Fuzzy Hash: d24e5014f8cf576e7168efe898d29511624bb1e54c89cb3067fceabd0a7bfcf8
Instruction Fuzzy Hash: 9AD02E78A043414BDB12F330EB064543B223AC1208B444985A8540B95FEF7D0948C7A2

Function 00E75EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3928512742.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e70000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309991d6eff0a90cc77e989c766b53d01bf77eb41ef9b5113213b7d5837f3e2c
Instruction ID: 2f7c13b8b212426797af5e7be20e3b8d47fcf32d48bb9474175e251b190238bf
Opcode Fuzzy Hash: 309991d6eff0a90cc77e989c766b53d01bf77eb41ef9b5113213b7d5837f3e2c
Instruction Fuzzy Hash: 25C0803460030D47DB01F775FB46D56339E76C0A18F405650B5190B51FDF782948C7D5

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0001.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs

C:\Users\user\AppData\Roaming\svcost.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
0001.exe

Function 0234529A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
nativeCOMMON

Function 023452A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
nativeCOMMON

Function 02347D38 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86
nativethreadCOMMON

Function 02347D40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
nativethreadCOMMON

Function 02341D98 Relevance: 1.9, Strings: 1, Instructions: 614
COMMON

Function 02341D88 Relevance: 1.4, Strings: 1, Instructions: 166
COMMON

Function 02345EAC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 265
processCOMMON

Function 02345EB8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 261
processCOMMON

Function 023468F0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 452
threadCOMMON

Function 02347610 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
injectionCOMMON

Function 02347618 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116
injectionCOMMON

Function 023472B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
memoryCOMMON

Function 023472C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
memoryCOMMON

Function 02346BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94
threadCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre